Lame
About this machine: HTB
Operating System: Linux
Skills used:
Samba 3.0.20 < 3.0.25rc3 Command Execution
Methodology:
Initial reconnaissance scan with nmap:
❯ nmap -T4 -sS -Pn -p- --open -n 10.10.10.3 -oN first_scan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-04 19:29 EDT
Stats: 0:00:32 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 12.45% done; ETC: 19:34 (0:03:45 remaining)
Stats: 0:01:38 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 48.19% done; ETC: 19:33 (0:01:45 remaining)
Stats: 0:02:29 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 90.62% done; ETC: 19:32 (0:00:15 remaining)
Nmap scan report for 10.10.10.3
Host is up (0.16s latency).
Not shown: 65530 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3632/tcp open distccd
Version detection and default NSE script scan against the open ports:
❯ nmap -T4 -sS -Pn -p21,22,139,445,3632 -sVC -n 10.10.10.3 -oN sV_scan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-04 19:34 EDT
Stats: 0:00:42 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.86% done; ETC: 19:35 (0:00:00 remaining)
Nmap scan report for 10.10.10.3
Host is up (0.16s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.3
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
| 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
| message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2025-05-04T19:35:17-04:00
|_clock-skew: mean: 2h00m12s, deviation: 2h49m45s, median: 9
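As an added example (not part of the original write-up), the following Python script parses nmap's normal (-oN) output of the kind shown in the two scans above and pulls out what a defender would want to record for an exposed host: the open ports with their version banners, and the NSE script lines that indicate weak configuration (anonymous FTP login, SMB message signing disabled, a distccd build daemon reachable). The sample text is constructed from the page's own scan output; the indicator strings, finding labels and the list of services treated as "should not be exposed" are assumptions made for this example.

```python
"""Triage of nmap normal (-oN) output.

Added example for this write-up: parses the port table and the NSE script
lines of an nmap report and flags weak-configuration indicators.
SAMPLE_SCAN is constructed from the scan output shown on the page.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the -sVC scan output above.
SAMPLE_SCAN = """\
Nmap scan report for 10.10.10.3
Host is up (0.16s latency).
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
| ftp-syst:
|   STAT:
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
"""

# "21/tcp   open  ftp         vsftpd 2.3.4" -> port, proto, state, service, version
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# NSE output lines start with "|" or "|_" followed by indented text
SCRIPT_LINE = re.compile(r"^\|_?\s*(.*)$")

# Indicator text -> finding label (labels are assumptions chosen for this example)
WEAK_INDICATORS = {
    "ftp-anon: Anonymous FTP login allowed": "anonymous FTP login enabled",
    "message_signing: disabled": "SMB message signing disabled",
}
# Services that should not be reachable from untrusted networks at all (assumed list)
EXPOSED_SERVICES = {"distccd": "distccd reachable (unauthenticated build daemon)"}


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str = ""
    scripts: list = field(default_factory=list)


def parse_nmap_normal(text):
    """Return (services, host_scripts) parsed from nmap -oN text."""
    services, host_scripts = [], []
    current = None
    in_host_scripts = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Host script results:"):
            in_host_scripts = True
            current = None
            continue
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, name, version = m.groups()
            current = Service(int(port), proto, state, name, version or "")
            services.append(current)
            continue
        s = SCRIPT_LINE.match(line)
        if not s or not s.group(1).strip():
            continue
        body = s.group(1).strip()
        if in_host_scripts:
            host_scripts.append(body)
        elif current is not None:
            # Script output belongs to the most recent port line
            current.scripts.append(body)
    return services, host_scripts


def triage(text):
    """Return (services, findings); findings are (port or None, label) tuples."""
    services, host_scripts = parse_nmap_normal(text)
    findings = []
    for svc in services:
        if svc.name in EXPOSED_SERVICES:
            findings.append((svc.port, EXPOSED_SERVICES[svc.name]))
        for line in svc.scripts:
            for needle, label in WEAK_INDICATORS.items():
                if needle in line:
                    findings.append((svc.port, label))
    for line in host_scripts:
        for needle, label in WEAK_INDICATORS.items():
            if needle in line:
                findings.append((None, label))  # host-level finding, no single port
    return services, findings


if __name__ == "__main__":
    services, findings = triage(SAMPLE_SCAN)
    for svc in services:
        print(f"{svc.port}/{svc.proto} {svc.state} {svc.name}: {svc.version}")
    for port, label in findings:
        print(f"FINDING {'host' if port is None else port}: {label}")
```

Running the script on a real -oN file (read it into `triage`) gives the same two outputs: the inventory of exposed services with banners, and the list of findings to hand to whoever owns the host. Version strings are kept verbatim so they can be compared against an asset inventory rather than matched against an exploit database.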
Port 21 allows anonymous login, so we log in:
❯ ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:guerrerove): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
We try to run commands but it does not let us, so we look for vulnerabilities with searchsploit:
❯ searchsploit vsftpd 2.3.4
Exploit Title | Path
vsftpd 2.3.4 - Backdoor Command Execution | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | unix/remote/17491.rb
We find these entries, so we try to exploit them:
We tried the first script, but after a long while it did not work, so we run the Metasploit module instead.
We had no success with Metasploit either, so we move on to another port, this time focusing on SMB:
❯ searchsploit samba 3.0.20
Exploit Title | Path
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC) | linux_x86/dos/36741.py
We run the Metasploit module:
The module worked and we are on the machine as root; we look for the flags:
script /dev/null -c bash
root@lame:/home# ls
ftp makis service user
root@lame:/home# cd user
root@lame:/home/user# ls
root@lame:/home/user# cd ..
root@lame:/home# cd makis
root@lame:/home/makis# ls
user.txt
root@lame:/home/makis# cat user.txt
3493cdfeea702375fa941436919261ff
Now we look for the root flag:
root@lame:/home/makis# cd /root
root@lame:/root# ls
Desktop reset_logs.sh root.txt vnc.log
root@lame:/root# cat root.txt
1737d3800272587a93dd1a30147b983c
And with that, the Lame machine is done.