Since this is the first machine for this journey, let’s start by downloading the OpenVPN configuration from HTB and creating a quick alias to connect (I will be using Kali Linux by the way, not the integrated Pwnbox):
$ echo "alias htb='sudo openvpn /home/kali/VPNs/htb.ovpn'" >> ~/.zshrc (or ~/.bashrc)
Log out and log back in, and then:
Let’s start with a plain nmap:
$ nmap 10.10.10.3
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-08 04:22 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.04 seconds

$ ping 10.10.10.3
PING 10.10.10.3 (10.10.10.3) 56(84) bytes of data.
64 bytes from 10.10.10.3: icmp_seq=1 ttl=63 time=22.0 ms
64 bytes from 10.10.10.3: icmp_seq=2 ttl=63 time=22.6 ms
...
Nmap is immediately lying to us: it reports the host as down even though it answers ping just fine, because Nmap's own host-discovery probes got no reply. You need to add the -Pn flag, which skips host discovery and scans the machine as if it were up, whenever a target doesn’t “respond to ping”:
$ nmap 10.10.10.3 -Pn
...
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 4.78 seconds
It seems the machine has SMB shares, let’s enumerate them:
$ smbclient -L 10.10.10.3
Password for [WORKGROUP\kali]: (empty)
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	tmp             Disk      oh noes!
	opt             Disk
	IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
	ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            LAME
“oh noes!”? lol. Lame, I guess? Let’s see what we find in the tmp share (note the quotes around the share path, otherwise the shell eats the backslashes):

$ smbclient '\\10.10.10.3\tmp'
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jan  8 04:31:20 2023
  ..                                 DR        0  Sat Oct 31 03:33:58 2020
  .ICE-unix                          DH        0  Sun Jan  8 04:20:46 2023
  vmware-root                        DR        0  Sun Jan  8 04:21:13 2023
  .X11-unix                          DH        0  Sun Jan  8 04:21:12 2023
  .X0-lock                           HR       11  Sun Jan  8 04:21:12 2023
  vgauthsvclog.txt.0                  R     1600  Sun Jan  8 04:20:44 2023
  5574.jsvc_up                        R        0  Sun Jan  8 04:21:50 2023

		7282168 blocks of size 1024. 5386552 blocks available
Of these files, only .X0-lock are downloadable, and they contain no valuable information. None of the other shares seem to be useful either. Maybe we need to find some credentials first.
The other open services did not accept connections without credentials either. However, I noticed that the software versions running here are generally outdated. Let’s do a deeper scan with service detection and the vulnerability scripts, and see if there is a vulnerability we can find:
$ sudo nmap -Pn --script vuln,default -p21,22,139,445 -sV -O 10.10.10.3
It turns out Samba 3.0.20-Debian is vulnerable to CVE-2007-2447. Use the Metasploit framework and apply the
whoami
root
cat /root/root.txt
c3a***************************************
cat /home/makis/user.txt
e14***************************************
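The two enumeration results that mattered here, the anonymous share listing and the Samba version string that maps to CVE-2007-2447, are exactly the things a defender wants to catch in an audit before anyone else does. The following is an added example, not code from the original post: it parses a constructed copy of the smbclient -L output shown above, flags anonymous access to non-default shares, extracts the Samba version from the IPC$ comment and checks it against the affected range of CVE-2007-2447 (3.0.0 through 3.0.25rc3, per the Samba security advisory). The sample text, the default-share allow-list and all function names are my own assumptions.

```python
"""Turn `smbclient -L` output into audit findings (added example, not from the post)."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the smbclient -L listing from the walkthrough.
SAMPLE_LISTING = """\
Anonymous login successful

    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    tmp             Disk      oh noes!
    opt             Disk
    IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
    ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
"""

# Shares Samba creates by itself; anything else listed anonymously is a finding.
DEFAULT_SHARES = {"print$", "IPC$", "ADMIN$"}
SHARE_RE = re.compile(r"^\s*(\S+)\s+(Disk|IPC|Printer)\s*(.*)$")
VERSION_RE = re.compile(r"Samba (\d+)\.(\d+)\.(\d+)(rc\d+)?", re.IGNORECASE)


@dataclass
class Share:
    name: str
    kind: str
    comment: str


def parse_shares(text):
    """Extract (name, type, comment) rows from the share table."""
    shares = []
    for line in text.splitlines():
        m = SHARE_RE.match(line)
        if m:
            shares.append(Share(m.group(1), m.group(2), m.group(3).strip()))
    return shares


def anonymous_login(text):
    """True if the server accepted a null session (no credentials)."""
    return "Anonymous login successful" in text


def samba_version(text):
    """Return (major, minor, patch, rc) from the server comment, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    rc = int(m.group(4)[2:]) if m.group(4) else None
    return (major, minor, patch, rc)


def affected_by_cve_2007_2447(version):
    """Affected range per the Samba advisory: 3.0.0 through 3.0.25rc3."""
    if version is None:
        return False
    major, minor, patch, rc = version
    if (major, minor) != (3, 0):
        return False
    if patch < 25:
        return True
    if patch == 25:
        return rc is not None and rc <= 3  # 3.0.25 final and later are fixed
    return False


def triage(text):
    """Produce a list of human-readable findings for the listing."""
    findings = []
    if anonymous_login(text):
        findings.append("anonymous (null-session) login accepted")
    exposed = [s.name for s in parse_shares(text) if s.name not in DEFAULT_SHARES]
    if exposed:
        findings.append("non-default shares listable anonymously: " + ", ".join(exposed))
    version = samba_version(text)
    if affected_by_cve_2007_2447(version):
        findings.append("Samba %d.%d.%d is in the CVE-2007-2447 affected range" % version[:3])
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LISTING):
        print("-", finding)
```

Run against the sample it reports three findings: the null session, the tmp and opt shares, and the vulnerable Samba build. Feeding it the real output of smbclient -L across a subnet gives a quick inventory of hosts that need the null session disabled and Samba upgraded; the version check is deliberately strict about the 3.0.25 release candidates, since 3.0.25rc3 is the last affected build.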
There are a few more interesting paths on this machine. My guess is there is more than one way to the flags, but I will leave this up to you to explore!
So what did we learn from this machine? Sometimes a host is so open you don’t know where to start =).
PS: Hello Makis!