HackTheBox - Lame
January 18, 2021
After getting a HackTheBox VIP subscription, one of the first boxes I attempted was “Lame”. This is ranked as an easier system and was a good opportunity to see what the platform had to offer.
Port Scanning
Getting started, I performed an Nmap scan using the -Pn flag, to skip host discovery, and -sV, to enumerate service versions. This produced several findings, including an FTP server on port 21 running vsftpd 2.3.4.
nmap -Pn -sV -T 4 -v 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up (0.018s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
vsftpd 2.3.4
From previous CTFs, I knew this version has a known backdoor. I quickly checked the exploit code and saw that the service could be exploited by sending a smiley face ":)" as the username value, which opens a backdoor on port 6200. Unfortunately, when I attempted to connect to the port with ncat the connection timed out, indicating the service was not vulnerable.
ncat 10.10.10.3 6200
Ncat: TIMEOUT.
Samba 3.0.20 (Exploitation)
After the first attempt at exploitation, I wanted to learn more about the version of Samba installed, as this is another common area of exploitation in CTF-style boxes. I went back to Nmap and used the smb-os-discovery NSE script:
nmap -Pn -sT -p 445 -v --script=smb-os-discovery 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up (0.017s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name:
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2021-01-17T21:04:45-05:00
I searched for Samba 3.0.20 in Exploit-DB and found a 'username map script' command execution vulnerability, exploitable with Metasploit. As a left-over habit from my OSCP days, I opted to use a Python exploit instead, which required MSFVenom to generate new shellcode for the reverse shell. The changes required are demonstrated in the source code below:
Once the shellcode was modified, I set up a netcat listener and launched the exploit. After just a few seconds a reverse shell was opened as the root user!
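As an added example (not part of the original write-up), here is a small Python script that turns the two Nmap outputs from the port-scan and Samba sections into a findings list: it parses the -sV port table, pulls the exact Samba version out of the smb-os-discovery result, and flags the backdoored vsftpd release and the affected Samba range. The sample text is the write-up's scan output reflowed, and the Samba range 3.0.20 to 3.0.24 is my assumption taken from the Exploit-DB entry's title, not something the post states.

```python
import re
# Constructed sample input: the write-up's two Nmap outputs, reflowed one entry per line.
SV_SCAN = """\
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
"""
OS_DISCOVERY = """\
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
"""
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SAMBA_RE = re.compile(r"Samba (\d+)\.(\d+)\.(\d+)")

# Assumed affected range for the 'username map script' bug (from the Exploit-DB title, not the post).
SAMBA_BAD_LOW, SAMBA_BAD_HIGH = (3, 0, 20), (3, 0, 24)


def parse_sv(text):
    """Map each open port in -sV output to its (service, version banner)."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            ports[int(m.group(1))] = (m.group(4), m.group(5).strip())
    return ports


def samba_version(text):
    """Extract the exact Samba version from smb-os-discovery's OS: line, or None."""
    m = SAMBA_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def flag_known_bad(ports, samba):
    """Return (port, finding) pairs for banners that need patching or removal."""
    findings = []
    for port, (service, banner) in sorted(ports.items()):
        if banner.startswith("vsftpd 2.3.4"):
            findings.append((port, "vsftpd 2.3.4: backdoored release, replace the package"))
        elif service in ("netbios-ssn", "microsoft-ds") and samba \
                and SAMBA_BAD_LOW <= samba <= SAMBA_BAD_HIGH:
            ver = ".".join(map(str, samba))
            findings.append((port, f"Samba {ver}: 'username map script' command execution, upgrade"))
    return findings


if __name__ == "__main__":
    for port, note in flag_known_bad(parse_sv(SV_SCAN), samba_version(OS_DISCOVERY)):
        print(f"{port}/tcp  {note}")
```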
Post-Exploitation
Moving into the post-exploitation phase, I spawned a TTY shell to navigate the system more easily and found both the user.txt and root.txt flags in the following directories:
python -c 'import pty; pty.spawn("/bin/bash")'
root@lame:/# ...
root@lame:/# cat /home/makis/user.txt
cat /home/makis/user.txt
744ba248342f3973a17e3e04c65a2bc2
root@lame:/# cat /root/root.txt
cat /root/root.txt
cc7232565601dff9d2d8c67659eacad2