Lame is a retired Linux machine that is hosted on Hack the Box. This walk through explains the exploitation without using Metasploit.
Machine: Lame
OS: Linux
IP: 10.10.10.3
Enumeration
A simple bash script that uses Nmap to enumerate the host.
Results
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X — 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4–1ubuntu4))
Two useful services with their versions, to consider first → ftp and smb
One thing to note from “Nmap Results” for ftp service is:
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
Let’s try and find for something more in ftp.
One last thing to check is Nmap Scripts for ftp.
Nothing seems to fit here.
Let’s try for SMB
One point to consider is the Sharename “tmp”.
But first lets check some Nmap scripts for smb.
Let’s try vuln scripts for smb.
oops! Nothing useful.
Lets try and connect to sharenames.
Nothing Useful :(
but, No need to loose hope.
Let’s find if the versions of the available services are vulnerable.
ftp vsftpd 2.3.4
Samba smbd 3.0.20-Debian
Here we get the Metasploit exploit for Samba 3.0.20 < 3.0.25rc3 — ‘Username’ map script’ Command Execution (Metasploit)
→ Let’s try to find what CVE is the exploit we found, so that we can search it on Internet.
→ Lets see if the given path /exploits/unix/remote/16320.rb contains the CVE number
Lets search for CVE 2007–2447 exploit
Exploitation
Clone and Follow the steps.
Start nc Listener on one tab.
Fire the Python Script on another.
Go back to the listener , should get access.
Hey there, Root
Go to root directory to find the flag.
This is my first step towards glory.
Henceforth, will be covering all Hack The Box OSCP-like VMs without Metasploit.
