. . .

Introduction

This box is most likely based on a CVE that we will be exploiting.

. . .

Scanning & Enumeration

AutoRecon is a multi-threaded reconnaissance tool created by Tib3rius; more info here.
After running AutoRecon, we get a neat directory structure holding everything we need for the rest of the pentest.

Inside ‘scans’, we find the output of the different scans it ran. I am still exploring the true potential of these scans, hence the thought of adding that here. There are a lot of files, so I would recommend starting from the nmap scan and then viewing only the files we are interested in. Let’s look at ‘_full_tcp_nmap.txt’.

> ------------------------Nmap Results-----------------------------<
--------------------------------------------------------------------
# Nmap 7.80 scan initiated Sat Aug 29 21:31:15 2020 as: nmap -vv --reason -Pn -A --osscan-guess --version-all -p- -oN /media/Warehouse/Work/0xAadi/HTB/lame/results/10.10.10.3/scans/_full_tcp_nmap.txt -oX /media/Warehouse/Work/0xAadi/HTB/lame/results/10.10.10.3/scans/xml/_full_tcp_nmap.xml 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up, received user-set (0.20s latency).
Scanned at 2020-08-29 21:31:16 +0530 for 319s
Not shown: 65530 filtered ports
Reason: 65530 no-responses
PORT     STATE SERVICE     REASON         VERSION
21/tcp   open  ftp         syn-ack ttl 63 vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.21
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         syn-ack ttl 63 OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
| ssh-dss …
|   2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAstqnuFMBOZvO3WTEjP4TUdjgWkIVNdTq6kboEDjteOfc65TlI7sRvQBwqAhQjeeyyIk8T55gMDkOD0akSlSXvLDcmcdYfxeIF0ZSuT+nkRhij7XSSA/Oc5QSk3sJ/SInfb78e3anbRHpmkJcVgETJ5WhKObUNf1AKZW++4Xlc63M4KI5cjvMMIPEVOyR3AKmI78Fo3HJjYucg87JjLeC66I7+dlEYX6zT8i1XYwa/L1vZ3qSJISGVu8kRPikMv/cNSvki4j+qDYyZ2E5497W87+Ed46/8P42LNGoOV8OcX/ro6pAcbEPUdUEfkJrqi2YXbhvwIJ0gFMb6wfe5cnQew==
139/tcp  open  netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn syn-ack ttl 63 Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     syn-ack ttl 63 distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Linux 2.6.23 (92%), Belkin N300 WAP (Linux 2.6.30) (92%), Control4 HC-300 home controller (92%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (92%), Dell Integrated Remote Access Controller (iDRAC5) (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Citrix XenServer 5.5 (Linux 2.6.18) (92%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.80%E=4%D=8/29%OT=21%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=5F4A7D0B%P=x86_64-pc-linux-gnu)
SEQ(SP=C8%GCD=1%ISR=CF%TI=Z%II=I%TS=7)
OPS(O1=M54DST11NW5%O2=M54DST11NW5%O3=M54DNNT11NW5%O4=M54DST11NW5%O5=M54DST11NW5%O6=M54DST11)
WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)
ECN(R=Y%DF=Y%TG=40%W=16D0%O=M54DNNSNW5%CC=N%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)
Uptime guess: 0.117 days (since Sat Aug 29 18:48:27 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=200 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2h08m05s, deviation: 2h49m45s, median: 8m03s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 59488/tcp): CLEAN (Timeout)
|   Check 2 (port 18832/tcp): CLEAN (Timeout)
|   Check 3 (port 9700/udp): CLEAN (Timeout)
|   Check 4 (port 40169/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2020-08-29T12:14:02-04:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE (using port 22/tcp)
HOP RTT       ADDRESS
1   199.66 ms 10.10.14.1
2   199.76 ms 10.10.10.3
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Aug 29 21:36:35 2020 -- 1 IP address (1 host up) scanned in 320.34 seconds
--------------------------------------------------------------------

From the results above, let us populate our Service Version Enumeration Table.

Service Version Enumeration Table

Target IP: 10.10.10.3

Nmap Command

nmap -sV -sC -A -p21,22,139,445,3632 -oA nmap/initial -Pn 10.10.10.3

Service Version Enumeration

Port   Protocol   Service       Version
21     tcp        ftp           vsftpd
22     tcp        ssh           OpenSSH (Extra Info: protocol 2.0)
139    tcp        netbios-ssn   Samba smbd (Extra Info: workgroup: WORKGROUP)
445    tcp        netbios-ssn   Samba smbd (Extra Info: workgroup: WORKGROUP)
3632   tcp        distccd       distccd (Extra Info: (GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))

Port Script Results

Port   Script        Result
21     ftp-syst      STAT: FTP server status: Connected to 10.10.16.3; Logged in as ftp; TYPE: ASCII; No session bandwidth limit; Session timeout in seconds is 300; Control connection is plain text; Data connections will be plain text; vsFTPd 2.3.4 - secure, fast, stable; End of status
21     ftp-anon      Anonymous FTP login allowed (FTP code 230)
22     ssh-hostkey   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA); 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)

Host Script Results

Script              Result
clock-skew          mean: 2h46m14s, deviation: 3h32m10s, median: 16m12s
smb-security-mode   account_used: <blank>; authentication_level: user; challenge_response: supported; message_signing: disabled (dangerous, but default)
smb2-time           Protocol negotiation failed (SMB2)
smb-os-discovery    OS: Unix (Samba 3.0.20-Debian); Computer name: lame; NetBIOS computer name:; Domain name: hackthebox.gr; FQDN: lame.hackthebox.gr; System time: 2022-03-04T22:36:34-05:00
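Populating the enumeration table by hand from a long nmap file is error-prone, so here is an added Python example (not part of the original post, and not AutoRecon's code) that parses nmap's normal -oN output into exactly the port/version/extra-info rows above and then pulls out the findings a defender would act on first: anonymous FTP, an exposed distcc daemon, and SMB signing disabled. The sample text is a constructed excerpt of the scan above, and the remediation strings are the editor's own suggestions, not something the page states.

```python
import re

# Constructed excerpt of the _full_tcp_nmap.txt output above (port lines plus the
# SMB host-script block), embedded so the parser runs offline.
SAMPLE_NMAP = """\
PORT     STATE SERVICE     REASON         VERSION
21/tcp   open  ftp         syn-ack ttl 63 vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         syn-ack ttl 63 OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn syn-ack ttl 63 Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     syn-ack ttl 63 distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Host script results:
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|_  message_signing: disabled (dangerous, but default)
"""

# A port line: "21/tcp open ftp syn-ack ttl 63 vsftpd 2.3.4" (the --reason column is optional).
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>open\|filtered|open|closed|filtered)"
    r"\s+(?P<service>\S+)(?:\s+(?P<reason>(?:syn-ack|reset|conn-refused|no-response)(?: ttl \d+)?))?"
    r"\s*(?P<version>.*)$"
)
# A script result starts with "|_name:" or "| name:"; deeper-indented "|" lines continue it.
SCRIPT_START_RE = re.compile(r"^\|_?\s?(?P<name>[\w-]+):\s*(?P<text>.*)$")


def split_extra(version):
    """"OpenSSH 4.7p1 (protocol 2.0)" -> ("OpenSSH 4.7p1", "protocol 2.0"); nested parens survive."""
    version = version.strip()
    if not version.endswith(")"):
        return version, ""
    depth = 0
    for i in range(len(version) - 1, -1, -1):   # walk back to the matching opening paren
        depth += {")": 1, "(": -1}.get(version[i], 0)
        if depth == 0:
            return version[:i].strip(), version[i + 1:-1]
    return version, ""


def parse_nmap(text):
    """Return {'ports': [...], 'host_scripts': {...}} from nmap's normal (-oN) output."""
    ports, host_scripts = [], {}
    bucket, last = None, None  # dict receiving script lines, and the last script name seen
    for line in text.splitlines():
        if line.startswith("Host script results"):
            bucket, last = host_scripts, None
            continue
        m = PORT_RE.match(line)
        if m:
            version, extra = split_extra(m.group("version"))
            port = {"port": int(m.group("port")), "proto": m.group("proto"),
                    "state": m.group("state"), "service": m.group("service"),
                    "version": version, "extra": extra, "scripts": {}}
            ports.append(port)
            bucket, last = port["scripts"], None
            continue
        if bucket is None or not line.startswith("|"):
            continue
        m = SCRIPT_START_RE.match(line)
        if m:
            last = m.group("name")
            bucket[last] = m.group("text").strip()
        elif last is not None:                   # continuation line of the current script
            bucket[last] = f"{bucket[last]} {line.lstrip('|_ ').strip()}".strip()
    return {"ports": ports, "host_scripts": host_scripts}


def flag_findings(scan):
    """Turn parsed results into (port, issue, remediation) triples a defender would act on."""
    findings = []
    for p in scan["ports"]:
        if "Anonymous FTP login allowed" in p["scripts"].get("ftp-anon", ""):
            findings.append((p["port"], "anonymous FTP login enabled",
                             "set anonymous_enable=NO in vsftpd.conf"))
        if p["service"] == "distccd":
            findings.append((p["port"], "distcc daemon reachable from the network",
                             "restrict it with distccd --allow <build subnet> or firewall the port"))
    if "message_signing: disabled" in scan["host_scripts"].get("smb-security-mode", ""):
        findings.append((445, "SMB message signing disabled",
                         "set 'server signing = mandatory' under [global] in smb.conf"))
    return findings


def render_table(scan):
    """Plain-text version of the Service Version Enumeration Table above."""
    rows = [f"{'Port':<5} {'Proto':<5} {'Service':<12} Version"]
    for p in scan["ports"]:
        extra = f"  (Extra Info: {p['extra']})" if p["extra"] else ""
        rows.append(f"{p['port']:<5} {p['proto']:<5} {p['service']:<12} {p['version']}{extra}")
    return "\n".join(rows)


if __name__ == "__main__":
    scan = parse_nmap(SAMPLE_NMAP)
    print(render_table(scan))
    for port, issue, fix in flag_findings(scan):
        print(f"[!] {port}/tcp: {issue} -> {fix}")
```

To run it against a real AutoRecon result, replace SAMPLE_NMAP with the contents of the _full_tcp_nmap.txt file; the script parsing deliberately keys on the two-level "|_name:" / "|   detail" indentation nmap uses, so a script whose name is followed by a space instead of a colon (the ssh-rsa key line, for example) is treated as a continuation of the previous result rather than a new one.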

FTP Enum

cat tcp_21_ftp_nmap.txt
# Nmap 7.80 scan initiated Sat Aug 29 21:32:20 2020 as: nmap -vv --reason -Pn -sV -p 21 "--script=banner,(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN HTB/lame/results/10.10.10.3/scans/tcp_21_ftp_nmap.txt -oX HTB/lame/results/10.10.10.3/scans/xml/tcp_21_ftp_nmap.xml 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up, received user-set (0.20s latency).
Scanned at 2020-08-29 21:32:21 +0530 for 23s
PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 63 vsftpd 2.3.4
|_banner: 220 (vsFTPd 2.3.4)
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.21
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_sslv2-drown: 
Service Info: OS: Unix

We see that we have anonymous FTP allowed on the target.

Interacting with FTP

Interacting with the FTP service yielded nothing, as there was nothing shared on it.

We can also look up on Google or Exploit Database whether this version itself is vulnerable to any known attacks. *SPOILER ALERT*: it is.

SMB Enum

Samba Enumeration

We see a share called ‘tmp’ where we have read and write access.

smbclient //10.10.10.3/tmp -u '' -p ''
protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED

I tried connecting to that share, but for some reason it did not work.

Then I looked it up and found the solution on the HTB forum here.

Error Resolution from HTB

We add this to the config file located at ‘/etc/samba/smb.conf’. If you do not know the path to your ‘smb.conf’, you can easily find it with ‘locate smb.conf’.

I was still not able to connect, so I tried booting up the Pwnbox offered by HTB.

pwnbox interface

I got the same error over there as well.

Error connecting to SMB

Distccd Enum

This is a new service that I have never encountered before.
Looking it up online, we see that v1 is also vulnerable.

. . .

Vulnerability Analysis

Let’s first look at distccd.

Searchsploit results

We only find a Metasploit module for this.
So, if we are fine with using Metasploit, we can go ahead with this exploit, but it only gives us a shell as the daemon user, and we then need Dirty Cow to privesc.

That leaves us with the vulnerable version of FTP.

https://github.com/ahervias77/vsftpd-2.3.4-exploit/blob/master/vsftpd_234_exploit.py

I found this exploit on GitHub and ran it, but we do not get a session. Let’s check whether this host is even vulnerable to the attack.

nmap --script ftp-vsftpd-backdoor -p 21 10.10.10.3

Apparently this target is not vulnerable to this attack.

Last but not least, we see that Samba is also vulnerable, but that too points us towards Metasploit.

Google Search for Samba Version

Let’s see if we can find some other info.

. . .

Exploitation

Samba

I found this public exploit. Let’s see if we can get it to run.

Exploit Source Code

Looking at the code, we see that we have to change the value stored in ‘buf’ by generating a payload according to our LHOST and LPORT.

Let’s generate the payload first.

Generating the Payload

Note: we need to remove all the ‘b’ prefixes because we want ‘buf’ to be a string. Second, if running this gives an error that the ‘smb’ module was not found, install it using pip3 install pysmb.

Since we selected a reverse_netcat payload, we need to set up a listener using nc -nlvp 1337.

We run the script, and BOOM, we have root!

Shell with Root Privileges

There are no priv-esc steps in this approach; however, let’s also try the distcc method.

Distcc

Searching for exploits

We see a couple of them out there.

Opening the source code, we see that this exploit was written specifically for Lame.

Exploit Source Code

I used this to get the initial foothold on the machine.

Shell with User Privileges
. . .

Privesc

Now that we have a local user, let’s try and run linPEAS on the target machine and get some info!
I was unable to do that for this box; somehow I could not execute linpeas.sh. I ran uname -a, and as we had previously seen, this kernel has an exploit available.

Usually we don’t get kernel exploits, but here we do.

Exploits related to the server version

We see the famous Dirty Cow kernel exploit.

Searchsploit results for Dirty Cow

Let’s fetch this bad boy, 40839.c, and transfer it to the remote machine.

Running the exploit

After that, let’s compile it on the remote box and set a password for the new user, ‘firefart’.

Now we can simply log in to the remote machine using ssh firefart@10.10.10.3 with the password 1234.

Shell with Root Privileges
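The Dirty Cow route above ends with a new uid-0 user, ‘firefart’, written into /etc/passwd and an SSH login as that user. As an added example (not from the original post or from 40839.c), here is the audit a defender would run over /etc/passwd to catch exactly that artifact: a uid-0 account that is not root, a password hash sitting in the passwd field instead of /etc/shadow, or two accounts sharing a uid. The file contents below are constructed; the ‘user1’ account and the hash value are placeholders, and only the ‘firefart’ name comes from the page.

```python
# Constructed /etc/passwd content: a normal root line, two ordinary accounts, a planted
# uid-0 account with a (fake, constructed) hash inline, and one malformed line.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
user1:x:1000:1000:user1,,,:/home/user1:/bin/bash
firefart:$6$CONSTRUCTED$notarealhashvalue:0:0:constructed:/root:/bin/bash
broken line without fields
"""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Return (entries, rejected): entries are dicts keyed by FIELDS; rejected are
    lines that do not have seven colon-separated fields with numeric uid/gid."""
    entries, rejected = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS) or not parts[2].isdigit() or not parts[3].isdigit():
            rejected.append(line)
            continue
        entry = dict(zip(FIELDS, parts))
        entry["uid"], entry["gid"] = int(entry["uid"]), int(entry["gid"])
        entries.append(entry)
    return entries, rejected


def audit_passwd(entries):
    """Return a list of (account, issue) tuples for suspicious entries."""
    issues, seen_uids = [], {}
    for e in entries:
        # Only 'root' should own uid 0; any other uid-0 login is a planted backdoor account.
        if e["uid"] == 0 and e["name"] != "root":
            issues.append((e["name"], "uid 0 account that is not root"))
        # An empty field means no password at all; anything but x/*/!/!! is a hash that
        # belongs in /etc/shadow (and is world-readable here).
        if e["passwd"] == "":
            issues.append((e["name"], "empty password field (no password required)"))
        elif e["passwd"] not in ("x", "*", "!", "!!"):
            issues.append((e["name"], "password hash stored in /etc/passwd"))
        # Two accounts with one uid are the same identity to the kernel.
        if e["uid"] in seen_uids:
            issues.append((e["name"], f"uid {e['uid']} shared with {seen_uids[e['uid']]}"))
        else:
            seen_uids[e["uid"]] = e["name"]
    return issues


def audit_file(path="/etc/passwd"):
    """Convenience wrapper for running the audit on a live host."""
    with open(path, encoding="utf-8") as fh:
        entries, rejected = parse_passwd(fh.read())
    return audit_passwd(entries), rejected


if __name__ == "__main__":
    entries, rejected = parse_passwd(PASSWD_SAMPLE)
    for account, issue in audit_passwd(entries):
        print(f"[!] {account}: {issue}")
    for line in rejected:
        print(f"[?] unparseable line: {line!r}")
```

Run audit_file() from a cron job or a configuration-management check and alert on any non-empty result; on a clean host every entry has ‘x’ in the password field and root is the only uid-0 account.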
. . .

Summary | TL;DR

  1. Scan ports using nmap.
  2. Find that VSFTPD, DISTCCD and Samba are all vulnerable.
  3. VSFTPD is most likely the rabbit hole everyone keeps talking about.
  4. Samba exploitation gives direct root.
  5. Distccd gives a local foothold as the daemon user; use Dirty Cow to privesc.
. . .

Parting Thoughts

In this machine, we learned the following:

  1. Well, this was my first rabbit hole, and I did try very hard to get that vsftpd exploit to work!

Thank you for reading, please provide your feedback and share with people who are in need. :)

. . .