Hacking Lame (hackthebox)
I hacked this box a while ago following a simple walkthrough. That method took the most direct route, and it taught me more about using msfconsole and about the problems created when SMB is exposed to the public internet. I thought I would come back to this box now that I have learnt some more, so I could try to hack it in a different way.
First of all, I'll run over how I pwned it originally.
A quick nmap SYN scan shows us that ports 139 and 445 are open. Port 139 carries SMB over the NetBIOS session service, which is what older Windows networks used for file and printer sharing. From Windows 2000 onwards SMB can also be carried directly over TCP on port 445 without the NetBIOS layer. Both ports have a long history of vulnerabilities, which is why neither should ever face the public internet.
SMB therefore looks like the easiest way to pwn this box. A more thorough nmap scan (service and script detection) on just the open ports reports the Samba version only as a fuzzy range, 3.X - 4.X, which is still old enough to suggest that a public exploit of some kind probably exists.
Looking further at the script output, the exact build is Samba 3.0.20. We can also note that message_signing is disabled: the server does not require signed SMB messages, which leaves it open to SMB relay and man-in-the-middle attacks. That is a weakness in its own right, but it won't be needed in order to hack this box.
I fired up msfconsole and searched for a useful exploit. This can be done using a good search engine, too.
Number 8 looked promising, so I selected it (use 8) and then checked its details (show info). The number is just the position in that particular search listing and will differ between Metasploit versions, so use the module's full path if you are following along.
Result! Versions 3.0.20 through 3.0.25rc3! I set the options and then executed the exploit. This module uses a reverse shell, so LHOST must be an address the target can reach (your VPN interface on HTB) and you must be able to accept connections on the port given by LPORT (the default is 4444). If you are running a host firewall, open that port.
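As an added example that is not part of the original write-up, here is a small POSIX shell script that pulls the port/service/version entries out of nmap's greppable (-oG) output and gates on the 3.0.20 to 3.0.25rc3 range that the exploit above advertises. The scan text is constructed to resemble this box (an abbreviated -oG "Ports:" line, not real scanner output), and the function names og_services, samba_in_vuln_range and report_samba are mine. One caveat baked into the sample: nmap -sV on its own usually only gives the fuzzy "Samba smbd 3.X - 4.X" banner, and the exact 3.0.20 comes from the smb-os-discovery script, which lands in the script output rather than the version column; the sample puts it in the version column purely to keep the parser short.

```sh
#!/bin/sh
# Added example, not code from the original write-up. Parses nmap greppable
# (-oG) "Ports:" entries and gates on the Samba range that the exploit used in
# this write-up advertises (3.0.20 through 3.0.25rc3 inclusive).

# Constructed sample in the shape of an (abbreviated) -oG line for this box.
# Not real scanner output: in a real -oG file the fields are tab-separated and
# the exact 3.0.20 build shows up in the smb-os-discovery script output rather
# than in the service version column.
SAMPLE_OG='# Nmap scan (constructed sample)
Host: 10.10.10.3 () Status: Up
Host: 10.10.10.3 () Ports: 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/, 445/open/tcp//netbios-ssn//Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)/, 3632/open/tcp//distccd//distccd v1/'

# Reads -oG text on stdin; prints "port state service version" per entry.
# Each entry has the form port/state/proto/owner/service/rpcinfo/version/.
og_services() {
    sed -n 's/.*Ports: //p' | tr ',' '\n' | sed 's/^ *//' |
        awk -F/ 'NF >= 7 { printf "%s %s %s %s\n", $1, $2, $5, $7 }'
}

# samba_in_vuln_range STRING
# exit 0: an a.b.c[rcN] version inside 3.0.20..3.0.25rc3 was found in STRING
# exit 1: a version was found but lies outside that range
# exit 2: no exact version found (e.g. the fuzzy "3.X - 4.X" banner)
samba_in_vuln_range() {
    printf '%s\n' "$1" | awk '
        function key(maj, min, pat, rc) {
            return ((maj * 1000 + min) * 1000 + pat) * 1000000 + rc
        }
        {
            if (!match($0, /[0-9]+\.[0-9]+\.[0-9]+(rc[0-9]+)?/)) exit 2
            v = substr($0, RSTART, RLENGTH)
            n = split(v, p, /\.|rc/)
            rc = (n == 4) ? p[4] : 999999    # a final release sorts after its rcs
            k = key(p[1], p[2], p[3], rc)
            low = key(3, 0, 20, 999999)
            high = key(3, 0, 25, 3)
            exit (k >= low && k <= high) ? 0 : 1
        }'
}

# Reads -oG text on stdin and prints a verdict for every Samba entry.
report_samba() {
    og_services | while read -r port state service version; do
        case "$version" in *Samba*) ;; *) continue ;; esac
        rc=0
        samba_in_vuln_range "$version" || rc=$?
        case "$rc" in
            0) verdict='in exploit range' ;;
            1) verdict='outside exploit range' ;;
            *) verdict='fuzzy banner, read the smb-os-discovery script output' ;;
        esac
        printf '%s/tcp  %-48s -> %s\n' "$port" "$version" "$verdict"
    done
}

printf '%s\n' "$SAMPLE_OG" | report_samba
```

On a real scan you would feed the -oG file in with `report_samba < scan.gnmap`; the point of the exit-2 branch is that a fuzzy banner is not a "no", it is a prompt to look at the script output before deciding.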
As can be seen, this exploit lands us a root shell immediately (smbd runs as root, so the command the exploit injects runs as root too), so no privilege escalation is necessary. This is pretty cool, but I wanted to practice some priv esc techniques, so I had a think about that other service (distccd v1) running on port 3632...
I first of all did a search for an exploit against distccd v1 and soon found something interesting from Rapid7.
I closed the earlier msf session and found the distccd exploit.
I next set the usual options, but I also needed to set a payload and configure it. I chose a perl reverse shell.
This worked and I landed a basic, non-tty shell, which I upgraded using python -c 'import pty;pty.spawn("/bin/bash")'
I checked my id and found that I was not root - excellent! Now I could try to escalate my privileges...
I tried sudo -l, but was thwarted: sudo asks for the password of the user I was running as (daemon), which we don't have. I then checked the version of sudo and was happy to see that it was < 1.8.26. I checked for password feedback (the pwfeedback sudoers option that echoes asterisks as you type) and it appeared to be enabled, so I tried to escalate my privileges using the stack buffer overflow that combination is known for (CVE-2019-18634). Unfortunately, I couldn't get it to work, so I decided to try a different approach. Two caveats if you try this yourself: pwfeedback is off in the default sudoers on most distributions, and the advisory lists the affected releases as 1.7.1 through 1.8.25p1 with pwfeedback enabled, so the upper bound on its own isn't enough to go on.
I had a look to see if any file capabilities had been granted using getcap -r / 2>/dev/null, but this returned nothing.
I next turned my attention to looking for binaries with the SUID bit set. When it is set, anyone who can execute the binary runs it with the effective user ID of the file's owner. If the owner is root, then this can work in our favour! With ls -la, a SUID binary shows an s in place of the x in the owner's execute column (a capital S means the bit is set but the owner has no execute permission).
In order to quickly find such binaries, we can use find / -perm -4000 -type f 2>/dev/null. This searches from the top directory (/) for regular files (-type f) whose set-user-ID bit is set (-perm -4000; the leading dash means "at least these permission bits", whereas a bare -perm 4000 would only match a file whose mode is exactly 4000). The 2>/dev/null just sends standard error to /dev/null so we don't have to wade through all the permission-denied errors. Using this command, I found lots of SUID binaries. One immediately stood out - nmap!
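As an added example (not the original write-up's code), here is the same SUID hunt wrapped in a couple of POSIX shell functions and pointed at a constructed sandbox directory, so you can run it anywhere without root and without a target. The names SUID_ESCAPES, find_suid, find_suid_escapes and make_sandbox are mine, and the list of known shell-escaping binaries is an abbreviated GTFOBins-style list rather than anything from the original post.

```sh
#!/bin/sh
# Added example, not code from the original write-up. Wraps the SUID hunt in
# functions and runs it against a constructed sandbox directory, so it works
# without root and without a target.

# Binaries whose SUID-root copies are known to hand out a shell (abbreviated,
# GTFOBins-style list; extend it as you like).
SUID_ESCAPES="nmap find vim vi less more bash sh python perl awk env cp mv"

# find_suid ROOT: list regular files under ROOT with the set-user-ID bit set.
# -perm -4000 (with the dash) means "these bits are set, whatever else is";
# a bare -perm 4000 would only match a mode of exactly 4000.
find_suid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# find_suid_escapes ROOT: only those SUID files whose name is in SUID_ESCAPES.
find_suid_escapes() {
    find_suid "$1" | while IFS= read -r path; do
        name=$(basename "$path")
        for esc in $SUID_ESCAPES; do
            if [ "$name" = "$esc" ]; then
                printf '%s\n' "$path"
                break
            fi
        done
    done
}

# make_sandbox: build a throwaway tree with a few fake binaries and print its
# path. Constructed data: nothing in it is a real binary.
make_sandbox() {
    dir=$(mktemp -d)
    mkdir -p "$dir/usr/bin" "$dir/bin"
    : > "$dir/usr/bin/nmap";   chmod 4755 "$dir/usr/bin/nmap"    # SUID, shell escape
    : > "$dir/usr/bin/passwd"; chmod 4755 "$dir/usr/bin/passwd"  # SUID, expected
    : > "$dir/bin/ls";         chmod 0755 "$dir/bin/ls"          # not SUID
    printf '%s\n' "$dir"
}

# On a real target the owner matters too: only root-owned SUID files run as
# root, so add "-user root" to the find there. The sandbox files are owned by
# whoever runs this script, which is why the owner test is left out here.
SANDBOX=$(make_sandbox)
echo "SUID files under $SANDBOX:"
find_suid "$SANDBOX"
echo "Known shell escapes among them:"
find_suid_escapes "$SANDBOX"
rm -rf "$SANDBOX"
```

Against a real box you would call `find_suid_escapes /` and then look up each hit, because a SUID copy of passwd is normal while a SUID copy of nmap, find or vim is a route to root.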
This was good news, as I could now run nmap in its interactive mode with nmap --interactive and then open a root shell from the nmap prompt using !sh. Two things to know before relying on this elsewhere: interactive mode only exists in old nmap releases (it was removed years ago, so a modern SUID nmap won't have it), and some shells, bash included, drop the elevated effective UID at startup unless run with -p.
This was great as I had found and used a route to root which I didn't know about when I first hacked this box.
Whilst I was messing about with Lame, I thought I would have a go at using an automated tool too, so I downloaded linpeas and then started a simple HTTP server from the directory I had downloaded it to. I could then use wget on the victim machine to fetch linpeas and run it to see what it could find.
linpeas also found the SUID nmap. Anything highlighted in red/yellow in linpeas output is well worth checking out; that colouring is reserved for findings the tool rates as very likely privesc vectors.
It was nice to see that the automated tool linpeas worked so well, but I felt good about having found the same vulnerability and then exploiting it manually.
To finish, I decided to have a look at the FTP service on port 21. I left it until the end as I couldn't see much point in being able to access it: with no web server running, it seemed unlikely that I could execute any malicious file I might upload to the machine. As it was, I couldn't find anything using FTP.
Overall, I enjoyed coming back to this machine as it allowed me to try new techniques which I have learnt since I first pwned it following a walkthrough. Thanks to ch4p for creating the box, and thank you for reading my write-up - I hope it was useful.