menu

HackTheBox: Lame - Writeup

  • date_range 20/04/2019 05:30 info
    sort
    htb
    label

HackTheBox: Lame was a really simple machine which only took a few minutes to get into. This was my first HTB machine i did.

1.1 Enumeration


I first started by doing a port scan of Lame (10.10.10.3).

nmap -sV -A -Pn -oN lame-scan 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up (0.032s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.9
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -2d23h56m15s, deviation: 0s, median: -2d23h56m15s
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-04-13T13:00:18-04:00
|_smb2-time: Protocol negotiation failed (SMB2)


Straight away i can see from experience that FTP and SMB are vulnerable. vsftpd 2.3.4 and samba 3.0.20 are vulnerable to command execution.



A quick searchsploit shows a command execution exploit for Samba 3.0.20.

2.1 Exploitation


The exploit is opened and executed in metasploit which is successful.



The exploit gives us root access which means both flags can easily be retrieved without privilege escalation.

3.1 Getting the flags


The flag is easily found by going into the root directory and viewing the flag.