Lame
Linux, Easy, (08/28/2023)
Last updated
This easy Hack The Box machine involves beginner-friendly exploitation tactics, and offers a newcomer the ability to think on their feet and solve problems with ease. Most boxes in this difficulty category include a common vulnerable service, a well-known and exploitable CVE, or entry-level skill builders that help hackers adopt the mindset for thorough enumeration. Leave no stone unturned, and enjoy!
Beginning this engagement, I started enumerating with nmap for both TCP and UDP ports. After attempting an initial scan for all open ports (before a more invasive scan to discover services), it appeared that ICMP pings were being blocked by the machine. I had to add the -Pn flag to skip nmap's ping-based host discovery and obtain actionable information in the output. I retrieved the following:
From the output, I could see that ports 21, 22, 139, 445, and 3262 were open. This meant I definitely had a couple of services to enumerate and discover potential attack vectors. I began by enumerating port 21 (FTP) to see if something like anonymous login was available.
I was able to log in! The only problem is that passive mode was enabled, so I did not obtain the directory listing I was hoping for. Nevertheless, looking at this successful login from a penetration testing perspective, this would still be noted as a vulnerability in a final deliverable. FTP anonymous access needs to be disabled within its configuration file.
I moved on to enumerating port 445 (SMB) using the tool SMBMap. The following command showed me this list of file shares and my permissions as an unauthenticated user.
It appeared the /tmp share was available with read permissions, so this became my next point of entry. I connected to the share using smbclient and began enumerating for useful files that could help in gaining a foothold.
When presented with the directory listing, I immediately noticed a file whose name indicated it was from an Authorization Service Log. I used the get command from smbclient to exfiltrate this file to my local machine for further examination. Maybe it included some form of credentials?
Alas, this file included no useful information to press forward. I combed the rest of the files and directories located in the /tmp SMB share, but nothing turned up. I consulted the nmap scan in the hope that I had missed something critical.
About as fast as I could type the cat command out, I located a version number for the service running on port 445! It is always important to check sources like ExploitDB or Snyk for any well-known exploits involving a service version number.
As it turns out, Samba smbd 3.0.20 is vulnerable to CVE-2007-2447, which involves the following:
There's a chance this configuration was enabled in the target environment, so further research led to the discovery of a Metasploit module that could be utilized for the attack.
NOTE: There are NUMEROUS arguments both for and against the usage of Metasploit, and I err on the side of "do what you can with the tools you have available, but never overlook the possibility of fallout from your actions." Using Metasploit does not make you a script kiddie; using Metasploit exclusively does. Manual exploitation ensures the ethical hacker understands the underlying functionality of the system, the vulnerability, AND the exploit. Certain attacks can be very compromising to an OS or application, and in a real engagement the fallout needs to be taken into consideration. Countless professionals will preach the same thing; there's not a penetration tester out there who wants to be the guy (or gal) that launched an attack that took an entire application server down as a result. TL;DR --> Be careful and considerate of the machine you are exploiting.
Loading the module, there were a couple of options I had to set first (as with all Metasploit modules). The options I configured are as follows:
The target IP was set in addition to the listener that will be established on my Kali machine, but I also changed the listening port to 8080. It is good practice (especially with a Metasploit module) to change the default listening port from 4444 to another port that is more common and can blend in. Port 8080 is commonly used with proxies, sometimes surrounding web server functionality, so any monitoring tools have less of a chance of triggering an alert due to outbound communications over this port number. I know from my experience as a SOC analyst that there are most definitely EDR rules that monitor for port 4444 usage.
With the configuration options set in place, it was time to launch the exploit.
You might be asking: wait, root was that easy?! Why yes, the way this module runs its payload, root is automatically obtained. There is not much work involved here, as the exploit ran due to the enabled username map script in the smb.conf file. Both the user and root flags should be available for the taking.
Now, if this were the initial point of access on an engagement with far more subnets or domains in its scope, the goal would be to enumerate the system entirely, looking for credentials, private keys, or even viewing the network information that indicates whether the machine was dual-homed and had access to the organization's intranet. Not to mention that adding a level of persistence and an under-the-radar shadow user would be effective for utilizing the open SSH port moving forward, as this machine would blend in even further as expected behavior or network traffic.
FTP Anonymous Login - As stated above, it is extremely important to ensure that FTP anonymous login is disabled. This applies to file shares located anywhere in the network; just because they are located within the intranet does not mean they are safeguarded from abuse. This can be changed in /etc/vsftpd.conf in this machine's case.
CVE-2007-2447 - Having a critical CVE within your environment can be completely avoided with proper patch maintenance and periodic vulnerability scanning. A vulnerability scanner would scan the environment at a specified cadence, and provide updates based on criticality for items that need immediate attention. Any organization, especially those that have numerous devices related to file sharing, should implement a solution like this to increase visibility of major issues within their systems. In addition, patching needs to be scheduled, tracked, and consistent to ensure a vulnerable version of a service or application does not go unnoticed.
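As an added defender-side check that is not part of the original write-up, the script below audits the two findings discussed above: the username map script setting in smb.conf that the CVE-2007-2447 exploit depends on, and anonymous login in vsftpd.conf. The config file paths and sample configs it builds are constructed for the demo; the mapusers.sh path is a placeholder.

```shell
# Added audit example (not from the original write-up): flags the two findings
# above, "username map script" in smb.conf (the knob CVE-2007-2447 abuses) and
# anonymous logins in vsftpd.conf. The sample configs are constructed for the demo.

# Succeeds (exit 0) when [global] sets a non-empty "username map script".
# Samba ignores case and whitespace in parameter names, so both are normalised.
smb_username_map_script_enabled() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { s = tolower($0); gsub(/[^a-z0-9]/, "", s); next }
        s == "global" && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "usernamemapscript" && val != "") found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# Succeeds when vsftpd would accept anonymous logins. vsftpd's compiled-in
# default for anonymous_enable is YES, so a config that never sets it counts.
ftp_anonymous_enabled() {
    val=$(sed -n 's/^[[:space:]]*anonymous_enable=\([A-Za-z0-9]*\).*/\1/p' "$1" | tail -n 1)
    case "$(printf '%s' "${val:-YES}" | tr 'a-z' 'A-Z')" in
        YES|TRUE|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Audits one host's pair of configs; the number of findings is the exit status.
audit_configs() {
    findings=0
    if smb_username_map_script_enabled "$1"; then
        echo "FINDING: $1 sets 'username map script' (CVE-2007-2447 vector): remove it and patch Samba"
        findings=$((findings + 1))
    fi
    if ftp_anonymous_enabled "$2"; then
        echo "FINDING: $2 permits anonymous FTP: set anonymous_enable=NO"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed samples: a weak pair mirroring Lame's findings and a fixed pair.
WORK=$(mktemp -d)
printf '[global]\n  workgroup = WORKGROUP\n  Username Map Script = /path/to/mapusers.sh\n[tmp]\n  path = /tmp\n' > "$WORK/smb-weak.conf"
printf '[global]\n  workgroup = WORKGROUP\n[tmp]\n  path = /tmp\n' > "$WORK/smb-fixed.conf"
printf 'listen=YES\nanonymous_enable=YES\n' > "$WORK/vsftpd-weak.conf"
printf 'listen=YES\nanonymous_enable=NO\n' > "$WORK/vsftpd-fixed.conf"
audit_configs "$WORK/smb-weak.conf" "$WORK/vsftpd-weak.conf" || echo "findings: $?"
```

Point the two functions at a real /etc/samba/smb.conf and /etc/vsftpd.conf to audit a host; a non-zero exit from audit_configs is the number of issues to remediate.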