HTB: Lame Writeup w/o Metasploit
Recon
First things first, let us ping the machine to ensure we have connectivity. If all is well, we can go ahead and begin our recon. I typically start my reconnaissance with nmap scans. I created a bash script that performs a variety of nmap scans, including vulnerability scans (using nmap NSE scripts), version scans, quick scans, and full scans, among other things. Our scans return open ports (21, 22, 139, and 445).

Enumeration
Our version scan shows that this box has anonymous FTP authentication enabled. I tried logging in as anonymous and was successful, but there was not much to do with it at this point. There were no interesting files there, and I was not able to upload anything. Let us assess what other services are available.

Our full nmap scan (all ports) shows an interesting port (3632) open. Another nmap version scan on that specific port shows that it is running distccd.
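The scan findings above (anonymous FTP, distccd on 3632, and the Samba 3.0.20 version that leads to CVE-2007-2447 later in the writeup) are exactly the kind of exposures a defender wants flagged automatically from an asset scan. The following is an added example, not the author's recon script: it parses constructed nmap normal-output lines modelled on this box and reports each finding with its remediation. The sample scan text and the rule list are constructed for illustration.

```python
import re

# Constructed nmap -oN style output modelled on this box's findings
# (sample values for illustration, not the author's real scan output).
SAMPLE_SCAN = """\
21/tcp   open  ftp
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1
"""

# Matches an nmap port line: "<port>/<proto> open <service> [version banner]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+open\s+(?P<svc>\S+)\s*(?P<ver>.*)$"
)

# Defender-side rules: (finding text with remediation, predicate on a port record)
RULES = [
    ("Anonymous FTP login allowed: disable anonymous access or restrict to read-only",
     lambda p: p["svc"] == "ftp" and p["anon"]),
    ("distccd reachable from the network (it executes compiler jobs by design): "
     "firewall port 3632 and restrict clients with distccd --allow",
     lambda p: p["svc"] == "distccd"),
    ("Samba 3.0.20 (CVE-2007-2447, 'username map script' command injection): "
     "upgrade Samba and remove the username map script setting",
     lambda p: "samba" in p["ver"].lower() and re.search(r"\b3\.0\.20\b", p["ver"])),
]


def parse_nmap(text):
    """Parse nmap normal-output port lines into dicts, attaching the ftp-anon
    NSE result to the preceding port record."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            rec["anon"] = False
            records.append(rec)
        elif line.startswith("|_ftp-anon:") and "login allowed" in line and records:
            records[-1]["anon"] = True
    return records


def flag_findings(text):
    """Return [(port, finding)] for every rule that matches a parsed port."""
    return [(rec["port"], desc) for rec in parse_nmap(text)
            for desc, pred in RULES if pred(rec)]
```

Running `flag_findings(SAMPLE_SCAN)` reports ports 21, 445 and 3632, which are the three services this writeup ends up using.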

Exploitation
After some quick research we learn that distcc is a distributed compiling system and that there are exploits available for the version we see in the nmap output. I used the script in the GitHub repo linked above with python2, not python3, and I was able to get a shell back. Please note that I used the script as is and did not need to make any changes; other scripts will require alteration before use.
Below are two terminals split side by side using tmux. The left side shows the exploit used (I renamed it to distccd.py). The right side shows a listening netcat session. I ran "whoami" in the shell caught by netcat to show that we received a shell back from the distcc daemon. I tried to upgrade my shell using pty, but it failed. I was later able to upgrade it using python -c 'import pty; pty.spawn("/bin/bash")'

Using this shell, we can read the user.txt file at "/home/makis/user.txt". After some time enumerating the file system, there was not anything I could do with our current access level. I first tried kernel-level exploits such as "Dirty Cow", but I was not able to execute them due to low permissions. So I went back to the drawing board and looked at our nmap outputs. After taking a look at the SMB version we have, a quick Google search for "samba 3.0.20 exploit" led me to CVE-2007-2447. This is the git repo I used to successfully configure and launch the exploit to get root access.
These are two terminals split side by side using tmux. The left pane shows the SMB exploit we used to gain root access. The right pane shows our shell with root access; we upgraded the shell using pty.

Conclusion
This was a straightforward lab that emphasized enumeration in order to complete all objectives. We first tried to exploit FTP, since it was low-hanging fruit for quick and easy access, but we were wrong (others were able to exploit it successfully). Afterwards we moved on to the next service, which was distccd. This led us to the user flag, but it did not give us the root access needed to read the root flag. We tried to enumerate using the access gained from the distccd exploit by checking kernel versions, password files, cronjobs, SUID permissions, etc., but we did not find much there. We then pivoted to the SMB service, where we found the CVE-2007-2447 exploit that gave us root access. In conclusion, enumeration is key. See you next time!