Hack The Box — Lame

Welcome welcome all to new challenge from HackTheBox “Lame”, but before we get started let’s see the machine’s info

It’s easy, Linux OS and I think it’s the easiest machine on HTB so it’s very good for beginners :) let’s get started…

Nmap scan

In this step we need to know some information about our target like open ports, OS version, service version, etc so we will use nmap to perform this tasks nmap -sV -O -T4 -oG lame.gnmap 10.10.10.3

  • sV → service version
  • O → OS detection
  • T4 → Increase the speed
  • oG → get the output in gnmap format (we will know later why we need this format)

You can use -A instead of -sV and -O

The results:

Nmap scan report for 10.10.10.3
Host is up (0.15s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.16.143
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Linux 2.6.23 (92%), Belkin N300 WAP (Linux 2.6.30) (92%), Control4 HC-300 home controller (92%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (92%), Dell Integrated Remote Access Controller (iDRAC5) (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Citrix XenServer 5.5 (Linux 2.6.18) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 4h32m23s, deviation: 3h32m10s, median: 2h02m21s
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2020-12-07T17:09:46-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 183.51 ms 10.10.16.1
2 183.70 ms 10.10.10.3

From this results you should know some notes:

  1. Anonymous FTP login allowed (FTP code 230) means that anyone without credentials can login to ftp server and then can upload, delete, etc
  2. the services vsftpd and smb services is vulnerable so we will work on them
  3. We don’t have the smb version so we will work on it also

Let’s get started…

Getting smb version

from metasploit we can get smb version by searching smb_versionsearch smb_version and use the auxiliary module which give us the version and then show options to get the options, and then set RHOST <machine-ip> and finally run.It will give us the result samba 3.0.20

Gaining access

After we know the version of smb so now we will search for exploitation to use it by google. I’ve found this CVE which we will try to use it, or you can use searchsploit to search for exploitation, whatever we will use → exploit/multi/samba/usermap_script and set RHOSTS and LHOST

and then run

As you can see you get access on the machine, type help to see more options and commands. I’ll type shell to open shell and start search for user.txt and root.txt and as you can see the root flag is in home/makis and the root flag is in /root

Congratulations ❤ Now you have the flags

Stay in touch :)

LinkedIn | GitHub | Twitter

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Eslam Akl

Eslam Akl

Penetration Tester, Bug Hunter, Author of 10 CVEs, Author of multiple security tools, and more :) You can find me on Twitter @eslam3kll