Enumeration
A run-through of the “Lame” machine on HackTheBox.
Kicking things off with an nmap scan, we can see the following ports are open:

We’ve got FTP on TCP 21, SSH on TCP 22, and Samba/SMB on TCP 445.
I tend to favor using the -sS switch on the initial scan for a quick pass to find open ports, before doing a second pass targeting those services (using the -sVC switch).
Circling back to dig a little further this time:

Looks like we’ve got some version numbers to play with. FTP allows anonymous login, which is always worth a poke. SSH is usually a dead end, so we’ll leave that alone for the time being. Samba is almost always a good source of information, if not the intended attack path.

Nothing to see here, it turns out. A quick search on ExploitDB for “vsftpd 2.3.4” does yield an interesting result:
vsftpd 2.3.4 – Backdoor Command Execution
https://www.exploit-db.com/exploits/49757
We’ll keep that open and continue enumerating further.
Using smbmap -H 10.10.10.3 we can attempt to list the shares available to us:

The “tmp” share stands out here as it’s not something you’d typically see being available, and there’s a comment of “Oh noes!” next to it. Let’s check it out:
With the following command smbclient '\\10.10.10.3\tmp' --no-pass (the share path is quoted so the shell leaves the backslashes alone) we manage to drop in as “Anonymous” and can poke about in the tmp share. Nothing of any real interest/value here:

We do still have that version number to look up, so heading back to the trusty ExploitDB, we find the following:
Samba 3.0.20 < 3.0.25rc3 – ‘Username’ map script’ Command Execution (Metasploit)
https://www.exploit-db.com/exploits/16320
Now, from here we can go one of two ways: the potential FTP backdoor or the command execution via Samba. I’m taking the red pill and going down the Samba route…
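The same version lookup, done as a defender’s patch-management check rather than by hand: the script below is an added example, not part of the original write-up, and parses constructed nmap -sV output for the three services above, flagging the two version ranges the ExploitDB titles give (the sample banners, the KNOWN_BAD table and the function names are my own). It goes a step beyond the write-up by handling release-candidate suffixes such as 3.0.25rc3 and a port that reports no banner.

```python
import re

# Constructed sample of "nmap -sV" output built from the services the write-up
# lists (banners typed by hand, not a capture from the box); SSH deliberately
# carries no version string so the missing-banner path gets exercised.
SAMPLE_NMAP = """\
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
"""

# Ranges taken from the two ExploitDB titles: (product, min incl., max excl., ref)
KNOWN_BAD = [
    ("vsftpd", "2.3.4", "2.3.5", "EDB-49757 vsftpd 2.3.4 backdoor"),
    ("Samba", "3.0.20", "3.0.25rc3", "EDB-16320 Samba 'username map script' RCE"),
]

LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)(?:\s+(.*))?$")
VER_RE = re.compile(r"(\d+(?:\.\d+)+)(?:rc(\d+))?")


def parse_version(text):
    """'3.0.25rc3' -> tuple that sorts right: rc (tag 0) before final (tag 1)."""
    m = VER_RE.search(text)
    if not m:
        return None
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums + ((0, int(m.group(2))) if m.group(2) else (1, 0))


def parse_nmap(output):
    """Return (port, service, banner) for each open-port line; banner may be ''."""
    rows = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(3), (m.group(4) or "").strip()))
    return rows


def flag_known_bad(output):
    """Cross-check every banner against KNOWN_BAD; returns (port, ref) hits."""
    hits = []
    for port, _service, banner in parse_nmap(output):
        ver = parse_version(banner)
        if ver is None:  # no banner at all: nothing to compare, so no verdict
            continue
        for product, lo, hi, ref in KNOWN_BAD:
            if product.lower() in banner.lower() and parse_version(lo) <= ver < parse_version(hi):
                hits.append((port, ref))
    return hits
```

Pointing this at real scan output only tells you a banner matches a known-bad range; the fix on the Samba side is the vendor upgrade, and on the FTP side replacing the backdoored 2.3.4 build.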
Exploitation
Having a read through the exploit, it looks like we’ll be using Metasploit for this, so time to fire it up with msfconsole -q (omit the -q if you like looking at the banners, I guess?)

Bingo! We’ve found the exploit we came across on EDB earlier, so we’ll select it with the use 0 command:

Set up the required options using the set command as follows:
– set RHOSTS
– set LHOST
– set LPORT
When it’s all set up, run the exploit with the exploit command:

We immediately get a session, which is great news! At first it will look as if nothing is happening; however, with the shell command we can drop into a bash shell.
And to make things even better, we notice we’ve landed in the root user account!
Post-Exploitation & Loot
Checking the contents of the /home directory, we can see there is another user called “makis”. Let’s check their home directory for a possible user.txt flag file:

And as expected, we’ve found the user flag.
The root flag should be easy enough given there’s no priv esc to be done:
