TJ_Null’s OSCP prep – HTB – Lame
This is the first box for my OSCP preparation. This is a pretty straightforward box, where there are multiple vulnerabilities that can be used, as well as some privilege escalation vectors. I’ll look at two different vulnerabilities in this writeup. Even though Metasploit is only allowed once on the OSCP exam, I will strictly use Metasploit in this writeup as a warmup. For further boxes I will refrain from using Metasploit.
Enumeration
As always I’ll start with the enumeration using NMAP.
┌─[root@parrotos]─[/home/aghanim/Desktop/HTB/lame]
└──╼ #nmap -sV -sC -p- --min-rate 10000 10.10.10.3 -oN nmap.result
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-03 19:13 GMT
Stats: 0:00:57 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 50.00% done; ETC: 19:15 (0:00:51 remaining)
Nmap scan report for 10.10.10.3
Host is up (0.082s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.11
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2h32m23s, deviation: 3h32m11s, median: 2m20s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2022-01-03T14:18:06-05:00
|_smb2-time: Protocol negotiation failed (SMB2)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 156.59 seconds
There are some ports that run vulnerable services on them, such as VSFTPD 2.3.4, smbd 3.0.20 and distccd v1. I’ll first look at smbd and then distccd.
Initial Access – Alternative 1
CVE-2007-2447
Starting metasploit I’ll use multi/samba/usermap_script with these options.
Running the exploit you can see that I instantly get root shell, so no need for privilege escalation. This is however very rare.
Initial Access – Alternative 2
CVE-2004-2687
Here I’ll also use metasploit multi/misc/distcc_exec with these options.
And running this exploit I’ll get a shell.
Root
To get root access, I’ll search for files with SUID bits.
daemon@lame:/tmp$ find / -type f -perm -04000 -ls 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
16466 68 -rwsr-xr-x 1 root root 63584 Apr 14 2008 /bin/umount
16449 20 -rwsr-xr-- 1 root fuse 20056 Feb 26 2008 /bin/fusermount
16398 28 -rwsr-xr-x 1 root root 25540 Apr 2 2008 /bin/su
16418 84 -rwsr-xr-x 1 root root 81368 Apr 14 2008 /bin/mount
16427 32 -rwsr-xr-x 1 root root 30856 Dec 10 2007 /bin/ping
16457 28 -rwsr-xr-x 1 root root 26684 Dec 10 2007 /bin/ping6
8370 68 -rwsr-xr-x 1 root root 65520 Dec 2 2008 /sbin/mount.nfs
304747 4 -rwsr-xr-- 1 root dhcp 2960 Apr 2 2008 /lib/dhcp3-client/call-dhclient-script
344359 112 -rwsr-xr-x 2 root root 107776 Feb 25 2008 /usr/bin/sudoedit
344440 8 -rwsr-sr-x 1 root root 7460 Jun 25 2008 /usr/bin/X
344958 12 -rwsr-xr-x 1 root root 8524 Nov 22 2007 /usr/bin/netkit-rsh
344139 40 -rwsr-xr-x 1 root root 37360 Apr 2 2008 /usr/bin/gpasswd
344317 16 -rwsr-xr-x 1 root root 12296 Dec 10 2007 /usr/bin/traceroute6.iputils
344359 112 -rwsr-xr-x 2 root root 107776 Feb 25 2008 /usr/bin/sudo
344959 12 -rwsr-xr-x 1 root root 12020 Nov 22 2007 /usr/bin/netkit-rlogin
344230 12 -rwsr-xr-x 1 root root 11048 Dec 10 2007 /usr/bin/arping
344231 40 -rwsr-sr-x 1 daemon daemon 38464 Feb 20 2007 /usr/bin/at
344365 20 -rwsr-xr-x 1 root root 19144 Apr 2 2008 /usr/bin/newgrp
344429 28 -rwsr-xr-x 1 root root 28624 Apr 2 2008 /usr/bin/chfn
344956 768 -rwsr-xr-x 1 root root 780676 Apr 8 2008 /usr/bin/nmap
344441 24 -rwsr-xr-x 1 root root 23952 Apr 2 2008 /usr/bin/chsh
344957 16 -rwsr-xr-x 1 root root 15952 Nov 22 2007 /usr/bin/netkit-rcp
344771 32 -rwsr-xr-x 1 root root 29104 Apr 2 2008 /usr/bin/passwd
344792 48 -rwsr-xr-x 1 root root 46084 Mar 31 2008 /usr/bin/mtr
354632 16 -rwsr-sr-x 1 libuuid libuuid 12336 Mar 27 2008 /usr/sbin/uuidd
354626 268 -rwsr-xr-- 1 root dip 269256 Oct 4 2007 /usr/sbin/pppd
369987 8 -rwsr-xr-- 1 root telnetd 6040 Dec 17 2006 /usr/lib/telnetlogin
385106 12 -rwsr-xr-- 1 root www-data 10276 Mar 9 2010 /usr/lib/apache2/suexec
386116 8 -rwsr-xr-x 1 root root 4524 Nov 5 2007 /usr/lib/eject/dmcrypt-get-device
377149 168 -rwsr-xr-x 1 root root 165748 Apr 6 2008 /usr/lib/openssh/ssh-keysign
371390 12 -rwsr-xr-x 1 root root 9624 Aug 17 2009 /usr/lib/pt_chown
8415 16 -r-sr-xr-x 1 root root 14320 Nov 3 2020 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
16687 12 -r-sr-xr-x 1 root root 9532 Nov 3 2020 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
Looking through the list, there is one interesting file in particular: nmap. Looking at GTFOBins, I can run the command nmap --interactive and retain root privilege.
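A setuid-root nmap is exactly the kind of entry a host audit should catch before an attacker does. The following is an added example (not part of the original writeup): it reads the output format of the `find / -type f -perm -04000 -ls` command used above, compares each setuid file against an assumed hand-maintained allowlist, and reports anything unexpected together with its owner. The allowlist and the sample listing are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original writeup: audit a `find -ls` listing of
# setuid files against a baseline and report binaries that should not carry
# the setuid bit (such as /usr/bin/nmap on this box).

# Assumption: a hand-maintained allowlist of paths that legitimately need
# setuid on this host. In practice it would be generated from a known-good
# image of the same distribution release.
SUID_BASELINE="/bin/su /bin/mount /bin/umount /bin/ping /bin/ping6 /usr/bin/passwd /usr/bin/sudo /usr/bin/sudoedit"

# Read `find -ls` lines on stdin and print "owner path" for every setuid file
# whose path is not in SUID_BASELINE. Fields of a -ls line are:
#   inode blocks mode links owner group size month day year path
suid_unexpected() {
    awk -v base="$SUID_BASELINE" '
        BEGIN { n = split(base, allow, " "); for (i = 1; i <= n; i++) ok[allow[i]] = 1 }
        # mode is $3; the setuid bit shows as "s" or "S" in the user-execute slot
        NF >= 11 && substr($3, 4, 1) ~ /[sS]/ && !($NF in ok) { print $5, $NF }
    '
}

# Constructed sample listing (a subset of the lines seen on the box).
SAMPLE_LISTING='16398 28 -rwsr-xr-x 1 root root 25540 Apr 2 2008 /bin/su
344771 32 -rwsr-xr-x 1 root root 29104 Apr 2 2008 /usr/bin/passwd
344956 768 -rwsr-xr-x 1 root root 780676 Apr 8 2008 /usr/bin/nmap
344231 40 -rwsr-sr-x 1 daemon daemon 38464 Feb 20 2007 /usr/bin/at
344359 112 -rwsr-xr-x 2 root root 107776 Feb 25 2008 /usr/bin/sudo'

# Run the audit over the constructed sample; findings go to stdout.
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | suid_unexpected
}

# Number of unexpected setuid files in the sample.
audit_sample_count() {
    audit_sample | wc -l | tr -d ' '
}

audit_sample
```

On a live host, pipe the real listing in with `find / -type f -perm -04000 -ls 2>/dev/null | suid_unexpected` and treat every line as something to justify or to strip with `chmod u-s`.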