HackTheBox - Lame
January 18, 2021
After getting a HackTheBox VIP subscription, one of the first boxes I attempted was “Lame”. This is ranked as an easier system and was a good opportunity to see what the platform had to offer.
Once the shellcode was modified, I set up a netcat listener and launched the exploit. After just a few seconds a reverse shell was opened as the root user!
Port Scanning
Getting started, I performed an Nmap scan using the -Pn flag, to skip host discovery, and -sV, to enumerate all service versions. This provided multiple findings, including an FTP server on port 21 running vsftpd v2.3.4.
nmap -Pn -sV -T 4 -v 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up (0.018s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
vsftpd 2.3.4
From previous CTFs, I knew this version has a known backdoor. I quickly checked the exploit code and saw the service could be exploited by sending a smiley face ":)" as the username value over port 6200. Unfortunately, when attempting to access the port with ncat, the connection timed out, indicating the service was not vulnerable.
ncat 10.10.10.3 6200
Ncat: TIMEOUT.
Samba 3.0.20 (Exploitation)
After the first attempt at exploitation, I wanted to learn more about the version of Samba installed, as this is another common area of exploitation in CTF style boxes. I went back to Nmap and used the smb-os-discovery NSE script:
nmap -Pn -sT -p 445 -v --script=smb-os-discovery 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up (0.017s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2021-01-17T21:04:45-05:00
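The two scans above show why a version check needs both steps: the -sV banner for Samba is only a range ("3.X - 4.X"), while the smb-os-discovery script pins it to 3.0.20. The Python script below is an added example written for this page, not the author's tooling. It parses the two Nmap outputs quoted above, refines the Samba banner with the NSE result, and reports open services whose versions appear on a watch-list. The WATCHLIST contents (the vsftpd, OpenSSH and Samba versions this box reported, with short reasons) and the sample text are constructed for illustration; a real deployment would load the list from a vulnerability feed or an internal baseline.

```python
import re

# Constructed sample: the two Nmap outputs quoted in this write-up.
SAMPLE_PORTSCAN = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
"""

SAMPLE_NSE = """\
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| FQDN: lame.hackthebox.gr
"""

# Assumed watch-list for illustration: (product, exact version, why it matters).
WATCHLIST = [
    ("vsftpd", "2.3.4", "release tarball was trojaned with a backdoor"),
    ("OpenSSH", "4.7p1", "end-of-life release that no longer receives fixes"),
    ("Samba", "3.0.20", "'username map script' command execution"),
]

# 'port/proto state service version...' as printed by nmap -sV.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# '| OS: Unix (Samba 3.0.20-Debian)' as printed by smb-os-discovery.
SMB_OS_LINE = re.compile(r"OS:.*\(Samba\s+([\d.]+)")


def parse_services(portscan_text):
    """Parse the port table of nmap -sV output into a list of dicts."""
    services = []
    for line in portscan_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            services.append({"port": int(port), "proto": proto, "state": state,
                             "service": service, "version": version})
    return services


def imprecise_versions(services):
    """Ports whose banner only gives a range such as '3.X - 4.X': -sV alone
    cannot tell whether a patch-level vulnerability applies to them."""
    return [s["port"] for s in services if re.search(r"\d\.X\b", s["version"])]


def samba_version_from_nse(nse_text):
    """Pull the exact Samba version out of smb-os-discovery output, if present."""
    for line in nse_text.splitlines():
        m = SMB_OS_LINE.search(line)
        if m:
            return m.group(1)
    return None


def triage(portscan_text, nse_text=""):
    """Return (port, product, version, reason) for each open service whose version
    is on the watch-list. Samba banners are refined with the NSE result first."""
    services = parse_services(portscan_text)
    exact_samba = samba_version_from_nse(nse_text) if nse_text else None
    findings = []
    for svc in services:
        if svc["state"] != "open":
            continue
        version = svc["version"]
        if version.startswith("Samba") and exact_samba:
            version = f"Samba {exact_samba}"  # replace the '3.X - 4.X' range
        tokens = version.split()
        for product, bad, reason in WATCHLIST:
            if tokens and tokens[0] == product and bad in tokens:
                findings.append((svc["port"], product, bad, reason))
                break
    return findings


if __name__ == "__main__":
    for port, product, version, reason in triage(SAMPLE_PORTSCAN, SAMPLE_NSE):
        print(f"{port}/tcp {product} {version}: {reason}")
    print("range-only banners, refine with NSE:",
          imprecise_versions(parse_services(SAMPLE_PORTSCAN)))
```

Run without the NSE text and only the FTP and SSH services are flagged; the Samba ports stay in the "range-only" list until smb-os-discovery supplies the exact 3.0.20, which is the same refinement step the scans above walk through by hand.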
I searched for Samba v3.0.20 in Exploit-DB and found a 'username map script' command execution vulnerability, exploitable with Metasploit. As a left-over habit from my OSCP days, I opted to use a Python exploit instead, which required the use of MSFVenom to generate new shellcode for the reverse shell. The changes required are demonstrated in the source code below:


Post-Exploitation
Moving into the post-exploitation phase, I spawned a TTY shell to better navigate the system and was able to successfully find both the user.txt and root.txt flags in the following directories:
python -c 'import pty; pty.spawn("/bin/bash")'
root@lame:/#
...
root@lame:/# cat /home/makis/user.txt
cat /home/makis/user.txt
744ba248342f3973a17e3e04c65a2bc2
root@lame:/# cat /root/root.txt
cat /root/root.txt
cc7232565601dff9d2d8c67659eacad2