Hack The Box - Lame
DISCLAIMER: I am not an expert penetration tester.
For all thoughts, opinions, insights, tools, techniques, tactics, hashtags mentioned below, do verify with industry standard resources and references.
Methods below are for educational purposes and should not be used outside of a practice lab environment or without the express written consent and authorization of all parties involved.
This is my journey to develop as a pentester, internalize methodologies, and attempt to give back to the infosec community by teaching what I learn along the way.
Let's go!
Name: Lame
OS: Linux
Difficulty: Easy
Release: 14 Mar 2017
IP: 10.10.10.3
Hacker Status: Noob
Scanning
Start off with an Nmap scan of the target virtual machine to discover any open ports and services running:
'nmap -A 10.10.10.3'
From the Nmap scan results we can see that ports #21, #22, #139, and #445 are open, along with service information.
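Reading the port table by eye works for four ports, but a defender comparing scanner output against an asset inventory wants it as data. The following is an added example (not part of the original write-up) that parses the port table and NSE script lines of `nmap -A` normal output into records; the sample report is constructed from the services named in this walkthrough, not captured from the machine, and the exact banner strings are assumptions.

```python
"""Parse the port table of `nmap -A` normal output into structured records.

Added example for this write-up. SAMPLE_NMAP is constructed to match the
shape of nmap's normal output for the ports the walkthrough lists; the
banner text is an assumption, not a capture from the real host.
"""
import re
from dataclasses import dataclass, field

# Constructed sample report (ports and services named in the write-up).
SAMPLE_NMAP = """\
Nmap scan report for 10.10.10.3
Host is up (0.050s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OS: Unix
"""

# "21/tcp  open  ftp  vsftpd 2.3.4"  ->  port, proto, state, service, version
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "|_ftp-anon: Anonymous FTP login allowed"  ->  script name, output
SCRIPT_LINE = re.compile(r"^\|[_ ]?\s*([\w-]+):\s*(.*)$")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str
    scripts: dict = field(default_factory=dict)  # NSE script name -> output


def parse_nmap(text):
    """Return one Service per port line; script lines attach to the port above them."""
    services = []
    current = None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            current = Service(int(m[1]), m[2], m[3], m[4], m[5].strip())
            services.append(current)
            continue
        m = SCRIPT_LINE.match(line)
        if m and current is not None:
            current.scripts[m[1]] = m[2].strip()
    return services


def open_ports(services):
    return [s.port for s in services if s.state == "open"]


def anonymous_ftp(services):
    """True if nmap's ftp-anon script reported that anonymous login is allowed."""
    return any(
        s.name == "ftp" and "allowed" in s.scripts.get("ftp-anon", "")
        for s in services
    )


if __name__ == "__main__":
    found = parse_nmap(SAMPLE_NMAP)
    print("open ports:", open_ports(found))
    for s in found:
        print(f"{s.port}/{s.proto} {s.name}: {s.version}")
    print("anonymous FTP allowed:", anonymous_ftp(found))
```

Feeding the real scan output through the same parser gives a list that can be diffed against what the asset owner believes is exposed; the ftp-anon check is the kind of finding that should raise a ticket on its own.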
Enumeration
Going down the list, let's start with open port #21 [ftp - vsftpd 2.3.4]. From the Nmap scan results above, we can see that 'Anonymous FTP login' is allowed.
FTP (File Transfer Protocol) is a standard protocol for transferring files between a client and a server over a network.
Let's connect to the target machine with FTP, login with anonymous credentials, and view the directory listings:
'ftp 10.10.10.3'
'anonymous'
'[blank]'
'ls -al'
The directory listing shows no files, and changing to the root directory shows nothing either.
Let's see whether there is more information on the FTP service by searching 'vsftpd2.3.4' on Google.
Our first result is a Rapid7 VSFTPD v2.3.4 Backdoor Command Execution exploit, which usually does the trick because Rapid7 exploit entries typically correspond to Metasploit modules. BUT, if we look closer we see that the backdoor was removed on 7/3/11, only 3 days after the exploit was introduced and well before our target virtual machine was created.
Let's go back to our Nmap scan results.
Port #22 [OpenSSH 4.7p1] is typically open on most Hack The Box virtual machines, so this isn't our highest priority at the moment.
Let's instead look at ports #139 and #445 which both appear to be running a 'Samba' service. The Nmap scan results don't give us specific SMB service version information, so let's enumerate further with smbmap:
'smbmap -H 10.10.10.3'
smbmap allows us to enumerate samba share drives across an entire domain. From the results we can see an 'ADMIN$' share drive with 'NO ACCESS' and SMB version 'Samba 3.0.20-Debian'.
Naturally, with new service information we do a quick search and find a Rapid7 command execution exploit for Samba versions 3.0.20 through 3.0.25rc3.
This appears to be a match made in heaven, so let's boot up trusty ol' Metasploit and give it a go!
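Deciding whether a banner such as 'Samba 3.0.20-Debian' actually sits inside an affected range like "3.0.20 through 3.0.25rc3" is a recurring triage job, and naive string comparison gets release candidates wrong (3.0.25rc3 must sort below 3.0.25). The following is an added example (not code from the write-up) that parses such version strings and flags hosts in the affected range; the inventory is constructed, and the range bounds are taken from the advisory text quoted above.

```python
"""Flag inventory entries whose version falls inside an affected range.

Added example for this write-up. Handles distro tags ("3.0.20-Debian") and
release-candidate suffixes ("3.0.25rc3" sorts before "3.0.25"). INVENTORY
is constructed; the affected range is the one the walkthrough cites.
"""
import re

# Leading dotted numbers, optionally followed by an "rcN" marker; anything
# after that (e.g. "-Debian") is a packaging tag and is ignored for ordering.
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:rc(\d+))?")
COMPONENTS = 4  # pad numeric parts so tuples of different length compare sanely


def version_key(text):
    """'3.0.25rc3' -> ((3, 0, 25, 0), (0, 3)); '3.0.20-Debian' -> ((3, 0, 20, 0), (1, 0)).

    Final releases get (1, 0) and release candidates (0, N), so every rc of a
    version orders below that version's final release.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(x) for x in m[1].split("."))
    numbers += (0,) * (COMPONENTS - len(numbers))
    pre = (0, int(m[2])) if m[2] else (1, 0)
    return numbers, pre


def in_range(version, low, high):
    """Inclusive check: low <= version <= high under version ordering."""
    return version_key(low) <= version_key(version) <= version_key(high)


# Affected range as stated in the advisory the write-up found.
AFFECTED_SAMBA = ("3.0.20", "3.0.25rc3")

# Constructed inventory: hostname -> Samba version reported by smbmap/nmap.
INVENTORY = {
    "fileserver-a": "3.0.20-Debian",
    "fileserver-b": "3.0.25rc3",
    "fileserver-c": "3.0.25",
    "fileserver-d": "3.0.19",
    "fileserver-e": "3.6.25",
}


def flag_affected(inventory, affected=AFFECTED_SAMBA):
    """Return hostnames whose version lies inside the affected range."""
    return [host for host, ver in inventory.items() if in_range(ver, *affected)]


if __name__ == "__main__":
    for host in flag_affected(INVENTORY):
        print(f"{host}: {INVENTORY[host]} is in range {AFFECTED_SAMBA[0]}..{AFFECTED_SAMBA[1]}")
```

The same ordering rule is what lets a patch-management check trust that "3.0.25" (the fixed release) is excluded while "3.0.25rc3" is still caught; a plain lexicographic compare would accept or reject both together.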
Exploitation
Open Metasploit. Type:
'use [exploit]'
'show options' [to show module configuration options]
'set RHOST' [set the remote host to the target IP]
and 'run' to initiate the exploit module.
From the results we can see that a reverse shell from the target machine was received on our host, giving us an open command shell session. Use the 'shell' command to get an interactive shell, then confirm we are root with the 'whoami' command.
As always, traverse to user and root directories to pick up flags.
Lame.
Aptly named.
Interested in actively following along? Check out the Hack The Box invite code challenge :)