HackTheBox: Lame
Walk-through
Hey guys, this time I’ll root Lame from Hack The Box, which is rated as an Easy Linux machine.
Without further ado, let’s exploit.

Initials:
export IP=10.129.99.7
port scanning
rustscan -a $IP --ulimit 5000 | tee ports.txt
Got three open ports i.e., 21 (ftp), 22 (ssh), 139 (samba)

nmap
nmap -sC -sV -p21,22,139 -oN namp $IP -Pn

Exploit
FTP
I found that anonymous login was allowed on FTP, so I logged in to the FTP service
ftp $IP
but there were no files.
Later I checked for a vsftpd 2.3.4 exploit and found one named “backdoor”. I used Metasploit and other scripts but failed to get a session/shell.

Later I found this in the module description:
This module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 according to the most recent information available. This backdoor was removed on July 3rd 2011.
Samba
Since the FTP exploit didn’t work and I don’t have SSH credentials, I went for Samba. There was one writable share named tmp, some of whose files were not accessible.

Found the exploit for Samba named “username map script” command execution.
I got the exploit script from GitHub and modified the payload (and added some tweaks XD).
Syntax for the script was
./username.py <rhosts> <rport> <lhost> <lport>
→ Start the listener
→ ran the script
and got the shell as root. There was no need for PrivEsc (:
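
A defender-side check for the two Samba conditions this walkthrough relied on, as an added example that is not part of the original post: it parses an smb.conf and flags a configured "username map script" and any guest-writable share. The sample config, the script path and the share names are constructed, and guest access to the tmp share is an assumption.

```python
import re

# Constructed smb.conf for illustration only (not taken from the target machine).
SAMPLE_SMB_CONF = """\
[global]
   ; map to guest = bad user
   username map script = /etc/samba/scripts/mapusers.sh
[tmp]
   path = /tmp
   read only = no
   guest ok = yes
[docs]
   path = /srv/docs
   writable = no
"""

TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; names are lower-cased with spaces removed,
    since Samba treats parameter names as case- and whitespace-insensitive."""
    conf, section = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            conf.setdefault(section, {})[re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf

def audit(text):
    """Return a list of findings for the settings discussed in the walkthrough."""
    findings, conf = [], parse_smb_conf(text)
    if conf.get("global", {}).get("usernamemapscript"):
        findings.append("global: 'username map script' is set; remove it if unused and keep Samba patched")
    for name, params in conf.items():
        # 'writeable'/'write ok' are synonyms of 'writable'; 'read only' is its inverse.
        writable = (any(params.get(k, "").lower() in TRUE for k in ("writable", "writeable", "writeok"))
                    or params.get("readonly", "yes").lower() in FALSE)
        guest = any(params.get(k, "").lower() in TRUE for k in ("guestok", "public"))
        if name != "global" and writable and guest:
            findings.append(f"{name}: share is writable by guests")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SMB_CONF)))
```
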
Proof

Outro
That’s all for this machine, we’ll meet in the next blog. Till then, Happy Hacking o7