HTB Lame Linux
Published on 02 Oct 2018
Easy machine full of exploits...but only one gives you a root shell in one call!
Recon
Nmap scan
Nmap scan report for 10.10.10.3
Host is up (0.092s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.2
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
| distcc-cve2004-2687:
| VULNERABLE:
| distcc Daemon Command Execution
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2004-2687
| Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
| Allows executing of arbitrary commands on systems running distccd 3.1 and
| earlier. The vulnerability is the consequence of weak service configuration.
|
| Disclosure date: 2002-02-01
| Extra information:
|
| uid=1(daemon) gid=1(daemon) groups=1(daemon)
|
| References:
| http://distcc.googlecode.com/svn/trunk/doc/web/security.html
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
| http://http://www.osvdb.org/13378
|_ http://http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2687
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
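Reading a scan like the one above by eye is fine for one host; for a handful it helps to let a script pull out what matters. The following Python parser is an added example (not part of the original post): it reads nmap's normal-format output, attaches each port's NSE script lines to the port they belong to, and flags open ports whose script reports a VULNERABLE state (collecting the CVE ids mentioned) or anonymous access. The sample text is a constructed, trimmed copy of the scan above with nmap's usual column alignment.

```python
import re

# Constructed sample: a trimmed copy of the nmap normal-format output above,
# with the aligned columns nmap normally prints.
SAMPLE_SCAN = """\
Nmap scan report for 10.10.10.3
Host is up (0.092s latency).
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
| distcc-cve2004-2687:
|   VULNERABLE:
|   distcc Daemon Command Execution
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2004-2687
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|_    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_nmap(text):
    """Parse nmap normal output into {"host": str, "ports": [...]}.

    Each port entry carries the NSE script lines that follow it (nmap prints
    them with a '|' / '|_' gutter directly under the port line).
    """
    result = {"host": None, "ports": []}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        host = HOST_RE.match(line)
        if host:
            result["host"] = host.group(1)
            continue
        port = PORT_RE.match(line)
        if port:
            current = {
                "port": int(port.group(1)),
                "proto": port.group(2),
                "state": port.group(3),
                "service": port.group(4),
                "version": port.group(5).strip(),
                "script_lines": [],
            }
            result["ports"].append(current)
        elif line.startswith("|") and current is not None:
            # Drop the gutter characters; keep the script text itself.
            current["script_lines"].append(line.lstrip("|_ ").strip())
    return result


def triage(scan):
    """Return the open ports worth a closer look: any whose NSE output reports
    'State: VULNERABLE' (with the CVE ids mentioned) or anonymous access."""
    hits = []
    for p in scan["ports"]:
        if p["state"] != "open":
            continue
        script = "\n".join(p["script_lines"])
        vulnerable = "State: VULNERABLE" in script
        anonymous = "Anonymous" in script and "allowed" in script
        if vulnerable or anonymous:
            hits.append({
                "port": p["port"],
                "service": p["service"],
                "version": p["version"],
                "vulnerable": vulnerable,
                "cves": sorted(set(CVE_RE.findall(script))),
                "anonymous_access": anonymous,
            })
    return hits


if __name__ == "__main__":
    scan = parse_nmap(SAMPLE_SCAN)
    print(f"host {scan['host']}: {len(scan['ports'])} open ports")
    for h in triage(scan):
        print(f"  {h['port']}/{h['service']} {h['version']}: "
              f"vulnerable={h['vulnerable']} cves={h['cves']} "
              f"anonymous={h['anonymous_access']}")
```

On the sample this flags 21/ftp (anonymous login) and 3632/distccd (CVE-2004-2687); the Samba ports are not flagged because nmap's default scripts say nothing about their state, which is exactly why the share enumeration in the next step is still needed.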
Samba scan
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.3...
[+] IP: 10.10.10.3:445 Name: 10.10.10.3
Disk Permissions
---- -----------
print$ NO ACCESS
tmp READ, WRITE
opt NO ACCESS
IPC$ NO ACCESS
ADMIN$ NO ACCESS
Exploitation
The target machine is vulnerable to CVE-2007-2447, so we use the Metasploit module exploit/multi/samba/usermap_script.
And we get a root shell!
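What makes usermap_script work is a weak Samba configuration rather than a memory bug: the `username map script` option, to which Samba 3.0.x before 3.0.25 handed usernames without escaping (CVE-2007-2447). Together with the guest-writable tmp share from the smbmap output, that is something a defender can check directly in smb.conf. The script below is an added example, not part of the original post: a small smb.conf reader plus an audit that flags the map script and any guest-writable share. Both smb.conf samples and the path /etc/samba/scripts/mapusers.sh are constructed for the example.

```python
# Constructed sample smb.conf showing the weak settings this box exposes:
# a "username map script" and a guest-writable share (paths are made up).
WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba)
   security = user
   map to guest = Bad User
   username map script = /etc/samba/scripts/mapusers.sh

[print$]
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes

[tmp]
   comment = scratch space
   path = /tmp
   writable = yes
   guest ok = yes
"""

# Constructed hardened counterpart: no map script, guest mapping off, tmp read-only.
HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = Never

[tmp]
   path = /tmp
   read only = yes
   guest ok = no
"""

TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Minimal smb.conf reader returning {section: {parameter: value}}.
    Samba matches parameter names case-insensitively and ignores whitespace
    inside them, so keys are lowercased with whitespace collapsed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def _is_true(section, *names):
    """True if any of the (synonymous) parameters is set to a yes-value."""
    return any(section.get(n, "").lower() in TRUE_VALUES for n in names)


def audit_smb_conf(conf):
    """Return (severity, message) findings for the parsed configuration."""
    findings = []
    g = conf.get("global", {})
    if "username map script" in g:
        findings.append(("high",
            "global: 'username map script' = %s; Samba 3.0.x before 3.0.25 "
            "passes unescaped usernames to this script (CVE-2007-2447). "
            "Remove the option or upgrade." % g["username map script"]))
    # Default for 'map to guest' is Never; anything else maps failed logins to guest.
    guest_mapping = g.get("map to guest", "never").lower() != "never"
    for name, sec in conf.items():
        if name == "global":
            continue
        # 'writable'/'writeable'/'write ok' are synonyms; 'read only = no' is equivalent.
        writable = _is_true(sec, "writable", "writeable", "write ok") or (
            sec.get("read only", "yes").lower() not in TRUE_VALUES)
        guest = _is_true(sec, "guest ok", "public")
        if writable and guest:
            findings.append(("high",
                "[%s]: guest-writable share on %s" % (name, sec.get("path", "?"))))
        elif writable and guest_mapping:
            findings.append(("medium",
                "[%s]: writable share while 'map to guest' is active" % name))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, audit_smb_conf(parse_smb_conf(text)))
```

Against the weak sample the audit returns two high findings (the map script and the guest-writable tmp share); against the hardened one it returns nothing. The version check is deliberately left to the package manager: the option is a risk on its own and has no business in a production smb.conf.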
FLAGS
USER "69454a937d94f5f0225ea00acd2e84c5"
ROOT "92caac3be140ef409e45721348a4e9df"