Lame

This box from HTB is well... lame. After noticing an odd port being open, 3632, a quick nmap script gives me remote code execution allowing me to gain a user priv reverse shell. After which abusing the nmap application which has the SUID bit set gives a quick root shell.

Initial nmap scans.

Ports 21, 22, 139, 445 and 3632 are all open. I typicall don’t go after ssh until I have some sort of credentials so I’ll start my enumeration with ftp.

First thing to do is connect to the ftp server.

Nothing there so how about smb?

Again nothing of interest. Since the more common ports didn’t reveal anything interesting I’ll move on to an uncommon port to see on a HTB machine.
Port 3632.
Googling this shows that distccd is a “tool for speeding up compilation of source code by using distributed computing over a computer network”. Makes sense now for why a compilation program would be reachable on the network.
But what I’ more interested in is how to exploit this service. Typing distccd into google, ‘distccd exploit’ pops up as one of the most common searches. Going down results there’s even an nmap vuln script for this service.

Running the script with ‘id’ as the command parameter returns the id of the user and proves we have remote command execution on the machine.
From here we only need to pass in a bash reverse shell one liner, here, and I have my user priv reverse shell.

First thing I like to do when I get a reverse shell is upgrade it to a fully interactive shell with the commands,

python -c 'import pty; pty.spawn("/bin/bash")'
^Z // To background the session
stty raw -echo
fg enter

It makes life alot easier to have an interactive shell.

Now using the command,

find / -perm +4000

I see that there are several files with the SUID bit set. Cross referencing these with those on GTFObins I notice that I can use nmap in order to elevate privelege to root.

And there I have root.