Hack the Box — Lame

HTB Tags: #Internal #Network #SAMBA #RCE #CVE-2007–2447 #PublicVulnerabilities #CVE-Exploitation

As part of my on-going development, I decided that having completed the HTB Starting Point series, I would work my way through the retired easy rated boxes, utilising what I had learnt so far. Lame is the first of these boxes. So let’s get started!

ping

ping $IP -c 4

Now we have confirmation of a steady service we can continue enumeration.

nmap

nmap -sCV -Pn $IP

So from here we can confirm that we have a number of open, workable ports. With the HTB tags indicating RCE and CVE Exploitation, I jumped straight in the deep end and opened up metasploit.

metasploit

As always a great splash screen. So reviewing each of the ports, with 21 first, showing vsftpd 2.3.4, let’s check for exploits.

Looks as though we have selection. Let’s use this and see what it gets us.

Setting the RHOSTS as my target IP we then run the exploit.

Although the exploit completed with no session, we can assume that the vulnerabilty was patched. On to the next one. Let’s look at Samba 3.0.20.

Another with a valid exploit. Let’s select and check/set options.

This time we need to provide our own IP address for a reverse netcat. Once completed we can now run the exploit.

So a session is created this time. Checking some basic commands we find we are root, and therefore have control of the whole box!

whoami
root
pwd
/
ls /home
ftp
makis
service
user
ls /home/makis
user.txt
cat /home/makis/user.txt
3c******************************
cat /root/root.txt
b6******************************

summary

I really enjoyed this box as all the information came from the nmap report. I don’t normally use metasploit but it’s nice to check that I still remember how to use the tool.