HTB LAME

Lame is a beginner-friendly machine based on a Linux platform. It was the first machine from Hack The Box. Use the Samba username map script vulnerability to gain user and root.

Machine Author: ch4p
Machine Type: Linux
Machine Level: 2.7/10

Tools you need to know:

  • Nmap
  • Searchsploit
  • Metasploit

Learn more about this vulnerability:

IP address of the Lame box: 10.10.10.3

To find out which services are running on the server, a scan needs to be performed first.

Nmap (Network Mapper) is used for this scan.

NMAP SCAN RESULTS:

Command : nmap -sC -sV 10.10.10.3

Scan results:

Information gathered from the nmap scan:

  • We see that 4 ports are open
  • Port 21 running FTP Service version vsftpd 2.3.4
  • Port 22 running OpenSSH, Port 139 and Port 445 Samba smbd service

Exploiting vsftpd 2.3.4

There is a famous exploit for this version of vsftpd in Metasploit. We can confirm that with a searchsploit query.

Command: searchsploit vsftpd 2.3.4

Query result:

As you can see, there is one exploit which we can use to gain access to the server by using Metasploit.

Unfortunately, the exploit failed every time 🙁

Vulnerable Samba

This module exploits a command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default “username map script” configuration option. By specifying a username containing shell metacharacters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability since this option is used to map usernames!!
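As an added example (not part of the original writeup and not Samba project code), here is a defender-side audit for the two conditions named above: a Samba version in the stated range and the “username map script” option being set. The sample smb.conf, the script path in it and the function names are constructed for illustration.

```python
import re

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:(pre|rc)(\d+))?")

def version_affected(version):
    """True if the version is in the range the text gives: 3.0.20 .. 3.0.25rc3."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Samba version: {version!r}")
    base = tuple(int(x) for x in m.group(1, 2, 3))
    if (3, 0, 20) <= base < (3, 0, 25):
        return True
    if base == (3, 0, 25) and m.group(4):
        # 3.0.25 pre-releases: any "pre" build, and rc1 to rc3.
        return m.group(4) == "pre" or int(m.group(5)) <= 3
    return False

def find_username_map_script(conf_text):
    """Return (section, value) for every 'username map script' setting."""
    hits, section, pending = [], None, ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):           # smb.conf line continuation
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#;":   # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, sep, value = line.partition("=")
        # Parameter names ignore case and internal whitespace.
        if sep and "".join(name.split()).lower() == "usernamemapscript":
            hits.append((section, value.strip()))
    return hits

def audit(version, conf_text):
    """Exposed only when the version is affected AND the option is set."""
    hits = find_username_map_script(conf_text)
    return {"exposed": version_affected(version) and bool(hits), "settings": hits}

# Constructed sample smb.conf (hypothetical script path, not from the box).
SAMPLE_CONF = """\
[global]
   workgroup = WORKGROUP
   ; username map script = /bin/true
   Username Map  Script = /etc/samba/scripts/mapusers.sh
"""
```

Calling `audit("3.0.20-Debian", SAMPLE_CONF)` reports the constructed host as exposed; removing the option from smb.conf or upgrading past the affected range clears the finding.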

Command:

searchsploit Samba 3.0.20

Result:

As you can see, there is an exploit available, and we can use it to get complete control of the server.

Let’s fire up Metasploit!!

Commands:

  • msfconsole
  • use exploit/multi/samba/usermap_script
  • set RHOSTS 10.10.10.3
  • exploit

As you can see in the image above, the exploit worked and we gained complete root access :)

Let’s get the user and root flags on the machine :)

If you like my writeup, give me Respect on my HTB profile
Exp1o1t9r
