HTB: Lame

Enumeration

A run-through of the “Lame” machine on HackTheBox.

Kicking things off with an nmap scan, we can see the following ports are open:

We’ve got FTP on TCP 21, SSH on TCP 22, and Samba/SMB on TCP 445.
I tend to favor -sS on the initial scan for a quick pass to find open ports, before doing a second pass targeting just those services (using the -sVC switches for version detection and default scripts).

Circling back to dig a little further this time:

Looks like we’ve got some version numbers to play with. FTP allows anonymous login, which is always worth a poke. SSH is usually a dead end, so we’ll leave that alone for the time being. Samba is almost always a good source of information, if not the intended attack path.

Nothing to see on the anonymous FTP share, it turns out. A quick search on ExploitDB for “vsftpd 2.3.4” does yield an interesting result, though:

vsftpd 2.3.4 – Backdoor Command Execution
https://www.exploit-db.com/exploits/49757

We’ll keep that open and continue enumerating further.

Using smbmap -H 10.10.10.3 we can attempt to list the shares available to us:

The “tmp” share stands out here as it’s not something you’d typically see being available, and there’s a comment of “Oh noes!” next to it. Let’s check it out:

With the following command smbclient \\10.10.10.3\tmp --no-pass we manage to drop in as “Anonymous” and can poke about in the /tmp directory. Nothing of any real interest/value here:

We do still have that version number to look up, so heading back to the trusty ExploitDB, we find the following:

Samba 3.0.20 < 3.0.25rc3 – ‘Username’ map script’ Command Execution (Metasploit)
https://www.exploit-db.com/exploits/16320
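Both findings boil down to matching a service banner against a published affected range. As an added defender-side example (not part of the original writeup), the check below encodes the two ranges from the ExploitDB titles above and runs them over constructed banner lines in the shape of nmap -sV output; the sample lines, the rule table and the function names are assumptions for illustration, not output from the box.

```python
import re

# Affected ranges taken from the ExploitDB titles above (half-open: low <= v < high).
# Samba: 3.0.20 up to but not including 3.0.25rc3; vsftpd: exactly 2.3.4.
KNOWN_VULNERABLE = {
    "samba": ("3.0.20", "3.0.25rc3", "EDB-16320 'username map script' command execution"),
    "vsftpd": ("2.3.4", "2.3.5", "EDB-49757 backdoor command execution"),
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:rc(\d+))?")


def parse_version(text):
    """Turn '3.0.25rc3' into a sortable tuple; release candidates sort before the final release."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # pad to major.minor.patch
    rc = m.group(2)
    # final release -> (1, 0); rcN -> (0, N), so rc2 < rc3 < final
    return nums + ((0, int(rc)) if rc else (1, 0))


def is_affected(product, version):
    """Return the ExploitDB note if this product/version is in a known-vulnerable range, else None."""
    rule = KNOWN_VULNERABLE.get(product.lower())
    if rule is None:
        return None
    low, high, note = rule
    return note if parse_version(low) <= parse_version(version) < parse_version(high) else None


# Constructed banner lines in the shape of `nmap -sV` output (assumed, not a real scan).
SAMPLE_SCAN = """\
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1
139/tcp open  netbios-ssn Samba smbd 3.0.20-Debian
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian
"""

_LINE_RE = re.compile(r"^(\d+)/tcp\s+open\s+\S+\s+(vsftpd|Samba)\s+(?:smbd\s+)?(\S+)", re.I)


def triage(scan_text):
    """Map each port whose banner falls in a known-vulnerable range to its ExploitDB note."""
    findings = {}
    for line in scan_text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            port, product, version = m.groups()
            note = is_affected(product, version)
            if note:
                findings[int(port)] = f"{product} {version}: {note}"
    return findings
```

Running triage(SAMPLE_SCAN) flags ports 21, 139 and 445 and leaves OpenSSH alone; swapping the Samba banner for 3.0.25rc3 drops it out of the affected range.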

Now, from here we can go one of two ways: the potential FTP backdoor, or the command execution via Samba. I’m taking the red pill and going down the Samba route…

Exploitation

Having a read through the exploit, it looks like we’ll be using Metasploit for this, so time to fire it up with msfconsole -q (omit the -q if you like looking at the banners I guess?)

Bingo! We’ve found the exploit we came across on EDB earlier, so we’ll select it with the use 0 command.

Set up the required options using the set command as follows:
set RHOSTS
set LHOST
set LPORT

When it’s all set up, run the exploit with the exploit command:

We immediately get a session, which is great news! At first it will look as if nothing is happening, but with the shell command we can drop into a bash shell.

And to make things even better, we notice we’ve landed in the root user account!

Post-Exploitation & Loot

Checking the contents of the /home directory, we can see there is another user called “makis”. Let’s check their home directory for a possible user.txt flag file:

And as expected, we’ve found the user flag.

The root flag should be easy enough given there’s no priv esc to be done: