Welcome welcome all to new challenge from HackTheBox “Lame”, but before we get started let’s see the machine’s info
It’s easy, Linux OS and I think it’s the easiest machine on HTB so it’s very good for beginners :) let’s get started…
Nmap scan
In this step we need to know some information about our target like open ports, OS version, service version, etc so we will use nmap to perform this tasks nmap -sV -O -T4 -oG lame.gnmap 10.10.10.3
- sV → service version
- O → OS detection
- T4 → Increase the speed
- oG → get the output in gnmap format (we will know later why we need this format)
You can use
-Ainstead of-sVand-O
The results:
Nmap scan report for 10.10.10.3
Host is up (0.15s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.16.143
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Linux 2.6.23 (92%), Belkin N300 WAP (Linux 2.6.30) (92%), Control4 HC-300 home controller (92%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (92%), Dell Integrated Remote Access Controller (iDRAC5) (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Citrix XenServer 5.5 (Linux 2.6.18) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelHost script results:
|_clock-skew: mean: 4h32m23s, deviation: 3h32m10s, median: 2h02m21s
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2020-12-07T17:09:46-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 183.51 ms 10.10.16.1
2 183.70 ms 10.10.10.3
From this results you should know some notes:
Anonymous FTP login allowed (FTP code 230)means that anyone without credentials can login to ftp server and then can upload, delete, etc- the services
vsftpdandsmbservices is vulnerable so we will work on them - We don’t have the
smbversion so we will work on it also
Let’s get started…
Getting smb version
from metasploit we can get smb version by searching smb_version → search smb_version and use the auxiliary module which give us the version and then show options to get the options, and then set RHOST <machine-ip> and finally run.It will give us the result samba 3.0.20
Gaining access
After we know the version of smb so now we will search for exploitation to use it by google. I’ve found this CVE which we will try to use it, or you can use searchsploit to search for exploitation, whatever we will use → exploit/multi/samba/usermap_script and set RHOSTS and LHOST
and then run
As you can see you get access on the machine, type help to see more options and commands. I’ll type shell to open shell and start search for user.txt and root.txt and as you can see the root flag is in home/makis and the root flag is in /root
