Ethical Hacking Lessons — Lame Writeup
This is my write-up for the hackthebox Lame machine. This box teaches us important lessons about why unpatched and misconfigured systems are considered a great security risk.
Let’s start with its info card.
It’s a Linux machine with a difficulty level of Easy. The most important piece of information here is the target machine IP address, 10.10.10.3. The radar graph for Lame shows a strong inclination towards the presence of CVEs.
Recon
Let’s start active recon with the Nmap scan. To leave no stone unturned, we will perform a scan for both TCP and UDP for all the ports.
I use the following command for the TCP scan.
nmap -A -T4 -p- -oX tcp_scan_result.xml 10.10.10.3
Let’s go over the various switches used with this Nmap command.
- -A: Enables OS detection, version detection, script scanning, and traceroute
- -T4: Faster, more aggressive timing
- -p-: Include all ports (1 through 65535) in the scan
- -oX: Output scan results in XML format
An advantage of generating scan results in XML format is that we can use the xsltproc utility to transform the XML results into a more human- and report-friendly HTML format using the following command.
xsltproc ./tcp_scan_result.xml -o ./tcp_scan_result.html
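The XML produced by -oX can also be consumed directly instead of going through xsltproc. The following is an added example (not part of the original write-up) that parses the Nmap XML structure, lists every open port with its product and version, and separately flags services whose version Nmap could only give as a range, which is exactly the Samba case that needed manual enumeration later. The scan file is a constructed sample built from the four ports found on the box.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's -oX format, mirroring the ports the write-up
# found on 10.10.10.3 (plus one closed port); not a real scan file.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A -T4 -p- -oX tcp_scan_result.xml 10.10.10.3">
  <host>
    <status state="up"/>
    <address addr="10.10.10.3" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/></port>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.7p1"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/></port>
      <port protocol="tcp" portid="139"><state state="open"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X"/></port>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X"/></port>
      <port protocol="tcp" portid="3632"><state state="open"/>
        <service name="distccd" product="distccd" version="v1"/></port>
    </ports>
  </host>
</nmaprun>
"""

def open_ports(xml_text):
    """Return (host, proto, port, product, version) for every open port."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports carry no service element
            svc = port.find("service")
            product = svc.get("product", "") if svc is not None else ""
            version = svc.get("version", "") if svc is not None else ""
            rows.append((addr, port.get("protocol"), int(port.get("portid")), product, version))
    return rows

def unversioned(rows):
    """Open services whose version is missing or only a range like '3.X - 4.X'."""
    return [r for r in rows if not r[4] or ".X" in r[4]]

if __name__ == "__main__":
    for row in open_ports(SAMPLE_XML):
        print("%s %s/%d %s %s" % row)
    print("needs manual version enumeration:", [r[2] for r in unversioned(open_ports(SAMPLE_XML))])
```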
In order to see the difference, the image below shows the output of the Nmap command without any formatting switch used.
The open ports from the same scan results transformed into HTML format look as below.
Let’s perform a scan for UDP as well using the following command.
nmap -sU -p- -oX udp_scan_result.xml 10.10.10.3
The scan results for UDP after transforming to HTML look as follows.
Recon Results Analysis
UDP scan results do not have much to analyze as none of the ports are open.
TCP scan results reveal four open ports.
- Port 21: Running vsftpd version 2.3.4. Anonymous login is allowed.
- Port 22: Running OpenSSH version 4.7p1
- Port 139/445: Running Samba, although its specific version could not be determined; Nmap reports only a range of 3.X — 4.X
- Port 3632: Running the distcc daemon version 1. This tool distributes code compilation across several machines.
This analysis shows that there are four services available to go after.
Enumeration
Let’s enumerate the services discovered during the recon stage to determine if there are any potential vulnerabilities for exploitation.
FTP — vsftpd version 2.3.4
First and foremost, we saw that anonymous login was available. We should check if we can log in to this FTP site and if anything interesting could be found.
As you can see in the image above, I can successfully log in. However, there are no files on that FTP site. Also, this login doesn’t seem to have the ability to upload a file.
Next, we can check if this particular version of vsftpd has any known vulnerabilities. For that, we can use the searchsploit command-line tool, which provides the ability to perform offline searches through a local copy of the Exploit Database. Before running any search, one should make sure that the local exploit database is up to date. This can be done by running searchsploit with the -u switch.
Next, we search for any potential vulnerabilities and related exploits available for vsftpd. As the image below shows, there is a Backdoor Command Execution exploit available for this exact version.
We can find more details about this exploit using the -p switch of searchsploit to get the full path to the exploit, as shown below.
We can browse to the URL to find a more detailed description of this exploit. As shown below, this description points towards the presence of a malicious backdoor, exactly the type of entry one would be looking for during this stage of the enumeration.
In a pen-testing scenario, this leads us to a totally legitimate path one wants to take for further exploitation. However, if you are interested in taking the OSCP exam, there are constraints on using the Metasploit framework. As a result, for those scenarios, you may want to consider taking a different route. That’s where we can use the Nmap Scripting Engine (NSE), which allows Nmap's functionality to be extended according to user needs. These scripts can be found in the /usr/share/nmap/scripts folder on a Kali Linux VM. Searching that folder for vsftpd confirms the presence of the ftp-vsftpd-backdoor script, which we can try next as shown below.
The output of the Nmap NSE script does not provide any certainty about the presence of this vulnerability. This can potentially be just a rabbit hole that the creators of this VM left for us.
SSH — OpenSSH version 4.7p1
Using searchsploit for OpenSSH has many results but nothing specific to the version in question.
Googling for any vulnerabilities/exploits for this version of SSH did not reveal anything really interesting, so we just move on.
Samba— Version 3.X — 4.X
As we saw earlier, the Nmap scan did not provide a specific version for Samba. This is important information to have before looking for vulnerabilities. Let’s try some other ways to see if we can find the version number. smbclient is a good starting point to access SMB resources. We can use the -L switch to list the available services.
The smbclient query not only revealed Samba version 3.0.20 but also gave a list of the available shares. We can try to connect to these shares to see if there is anything useful.
As shown in the image above, there does not seem to be anything useful available there. Let’s try to see if there are any known vulnerabilities/exploits for this version of Samba.
As the searchsploit results reveal, there is an exploit available for this version of Samba. Let’s visit the URL for the exploit.
As you can see, CVE-2007-2447 is associated with this vulnerability. It describes the vulnerability as follows.
This module exploits a command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default “username map script” configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands.
A Google search also reveals that there are a few ways to exploit this vulnerability. That’s good enough work for the Enumeration phase; we can dive deeper once we start the Exploitation phase.
Distcc Daemon — Version 1
Let’s enumerate the distcc service with searchsploit as shown below.
Furthermore, a search of the Nmap scripts for distcc shows a related distcc-cve2004-2687 script is available.
The Nmap script confirms that the distccd service is vulnerable to CVE-2004-2687.
Enumeration Results Analysis
There are two vulnerable services (Samba, distccd) that we can exploit to get user/root-level access.
Exploitation
Let’s try to exploit using various methods.
Exploiting Samba using Netcat
Let’s start netcat with the -nvlp parameters so that it listens for the incoming connection.
The description of the nc parameters is as follows.
- n: Do not perform any DNS or service lookups
- v: Provide verbose output
- l: Specifies that nc should listen for an incoming connection
- p: Specifies the local port that should be used
A code review of the Metasploit exploit shows that an SMB username built around the payload as follows can give us a reverse shell.
username = "/=`nohup " + payload.encoded + "`"
For our case, the payload can simply be netcat connecting back to our listener at 10.10.14.2 on port 4444, as shown below.
That immediately gave us a reverse shell with root-level access and the required flag.
From here on, no privilege escalation is required to get the user flag. It was just a matter of finding the user flag file, and that was it.
Exploiting Samba using Metasploit
Let’s launch msfconsole and load the appropriate module.
Set RHOSTS to the Lame machine's IP address, 10.10.10.3.
Executing the exploit gives us the shell and the user/root flags.
Root Cause Analysis
- Keeping the system up to date with patches is critical.
- Misconfiguring services, especially ones exposed to the outside world, without proper checks and balances is dangerous.
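The Samba finding makes the second point concrete: the non-default “username map script” option is what CVE-2007-2447 abuses, and anonymous access to shares is what let us enumerate them. As an added example that is not part of the original write-up, this small smb.conf audit parses the configuration and reports both conditions; the configuration fragment is constructed for the example and is not the box's actual file.

```python
import re

# Constructed smb.conf fragment that exhibits both risky settings; not taken from the box.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba %v)
   username map script = /etc/samba/scripts/mapusers.sh
   security = user

[tmp]
   path = /tmp
   read only = no
   guest ok = yes
"""

def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}} with lower-cased names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank lines and comments
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, val = line.split("=", 1)
        sections[current][key.strip().lower()] = val.strip()
    return sections

def audit_smb_conf(text):
    """Return human-readable findings for the two misconfigurations seen on Lame."""
    conf = parse_smb_conf(text)
    findings = []
    g = conf.get("global", {})
    if "username map script" in g:
        findings.append("global: 'username map script' is set (%s); this non-default option "
                        "is what CVE-2007-2447 abuses on Samba 3.0.20 through 3.0.25rc3"
                        % g["username map script"])
    for name, sec in conf.items():
        if name != "global" and sec.get("guest ok", "no").lower() == "yes":
            findings.append("%s: guest access enabled" % name)
    return findings

if __name__ == "__main__":
    for finding in audit_smb_conf(SAMPLE_SMB_CONF):
        print("FINDING", finding)
```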