Discovered open port 21/tcp on 10.10.10.3
Discovered open port 139/tcp on 10.10.10.3
Discovered open port 22/tcp on 10.10.10.3
Discovered open port 3632/tcp on 10.10.10.3
Discovered open port 445/tcp on 10.10.10.3
I then ran a version and default-script scan on the open ports:
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.7
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -3d00h56m48s, deviation: 2h49m45s, median: -3d02h56m50s
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name:
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2020-06-25T21:19:31-04:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
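Before reaching for any exploit, the scan above already gives a defender (or an auditor writing up this host) a short list of things to fix: anonymous FTP, a clear-text FTP control channel, SMB signing disabled, a compiler service reachable over the network, and version banners that make the services easy to look up. The following Python script is an added example, not part of the writeup: it parses nmap `-sV`/`-sC` text output in the form shown above and turns it into a prioritised finding list. The embedded sample scan is constructed from the lines above (trimmed to the ones the triage uses), and the severity labels are my own choices, not anything nmap emits.

```python
"""Triage nmap -sV/-sC text output into a list of findings a defender can act on."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the service and host-script lines from the scan above, trimmed.
SAMPLE_SCAN = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Host script results:
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
"""

# "21/tcp   open  ftp         vsftpd 2.3.4" -> port, proto, state, service, version (version may be empty)
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Services whose control channel carries credentials unencrypted (assumed list for this example)
CLEARTEXT_SERVICES = {"ftp", "telnet"}


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


@dataclass
class Finding:
    port: Optional[int]   # None for host-level (post-port) script results
    severity: str         # "high", "medium" or "info"
    note: str


def parse_scan(scan: str):
    """Split scan text into open-port services and (port, script-line) pairs."""
    services, scripts = [], []
    current: Optional[int] = None
    for line in scan.splitlines():
        m = PORT_LINE.match(line)
        if m:
            svc = Service(int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5).strip())
            services.append(svc)
            current = svc.port          # following "|" lines belong to this port
        elif line.startswith("Host script results"):
            current = None              # following "|" lines are host-level scripts
        elif line.startswith("|"):
            scripts.append((current, line.lstrip("|_ ").strip()))
    return services, scripts


def triage(scan: str):
    """Apply simple rules to the parsed scan and return a list of Finding objects."""
    services, scripts = parse_scan(scan)
    findings = []
    for s in services:
        if s.state != "open":
            continue
        if s.name in CLEARTEXT_SERVICES:
            findings.append(Finding(s.port, "medium", f"{s.name} sends credentials in clear text"))
        if s.name == "distccd":
            findings.append(Finding(s.port, "high", "distcc build service reachable over the network; restrict to build hosts"))
        if s.version:
            findings.append(Finding(s.port, "info", f"version banner disclosed: {s.version}"))
    for port, text in scripts:
        if text.startswith("ftp-anon:") and "Anonymous FTP login allowed" in text:
            findings.append(Finding(port, "high", "anonymous FTP login allowed"))
        if text.startswith("message_signing:") and "disabled" in text:
            findings.append(Finding(port, "medium", "SMB message signing disabled"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 2, 'medium': 2, 'info': 5}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "info": 2}
    for f in sorted(triage(SAMPLE_SCAN), key=lambda f: order[f.severity]):
        where = f"port {f.port}" if f.port is not None else "host"
        print(f"[{f.severity:>6}] {where}: {f.note}")
    print(summarize(triage(SAMPLE_SCAN)))
```

Run it as a script to see the sorted list; the highs (anonymous FTP and the exposed distcc service) come first, the SMB-signing and clear-text findings next, and the version banners last as informational items to cross-check against the vendor's release notes. The script is deliberately rule-based and easy to extend: add a service name to `CLEARTEXT_SERVICES` or another `if` in `triage` for whatever your environment considers a policy violation.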
FTP
Checking the FTP service, it seems there are no files.
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:sif0): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 .
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 ..
226 Directory send OK.
To connect as the anonymous user in FTP, use the username anonymous. For the password, basically anything will do (just not blank), although from what I remember the password should be an email address.
I also checked the version of the FTP service (vsFTPd 2.3.4) for known vulnerabilities using searchsploit:
There is one exploit, but it is a Metasploit module. I found one POC exploit from the internet: . But before trying the exploit, it is good to enumerate other services first.
Googling the Samba version, it seems it has lots of vulnerabilities since the version is outdated. After looking for exploits, I found a recent POC:
From the POC, the shellcode was generated using msfvenom. After changing the value of LHOST to my IP and changing the shellcode, I execute the exploit and get a shell as root:
I then upgrade my shell to a proper TTY using Python:
Since I am running as root, I look for root.txt and user.txt:
root@lame:/# ls -al /root/root.txt
ls -al /root/root.txt
-rw------- 1 root root 33 Mar 14 2017 /root/root.txt
root@lame:/# ls -alR /home | grep user.txt
ls -alR /home | grep user.txt
-rw-r--r-- 1 makis makis 33 Mar 14 2017 user.txt
I tried the vsFTPd exploit after solving the box. It did not work even though the version is vulnerable. The box must have been configured (like blocking external connections to port 6200, which is the backdoor port) for it to not work.
Takeaways
Do not directly exploit something that you think might be vulnerable. It is better to enumerate everything before trying out an exploit.
Read the exploit code you found and make the necessary changes.