# Lame

#### About this machine: HTB

Operating system: Linux

**Skills used**:

* Samba 3.0.20 < 3.0.25rc3 'username map script' Command Execution

Methodology:

Initial reconnaissance scan with nmap:

```
❯ nmap -T4 -sS -Pn -p- --open -n 10.10.10.3 -oN first_scan

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-04 19:29 EDT
Stats: 0:00:32 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 12.45% done; ETC: 19:34 (0:03:45 remaining)
Stats: 0:01:38 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 48.19% done; ETC: 19:33 (0:01:45 remaining)
Stats: 0:02:29 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 90.62% done; ETC: 19:32 (0:00:15 remaining)
Nmap scan report for 10.10.10.3
Host is up (0.16s latency).
Not shown: 65530 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3632/tcp open  distccd
```

We run a version scan with the default NSE scripts against the open ports:

```
❯ nmap -T4 -sS -Pn -p21,22,139,445,3632 -sVC -n 10.10.10.3 -oN sV_scan

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-04 19:34 EDT
Stats: 0:00:42 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.86% done; ETC: 19:35 (0:00:00 remaining)
Nmap scan report for 10.10.10.3
Host is up (0.16s latency).
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.3
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2025-05-04T19:35:17-04:00
|_clock-skew: mean: 2h00m12s, deviation: 2h49m45s, median: 9
```
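The service scan above is the whole basis for the rest of the writeup, so it is worth turning that text into structured findings rather than reading it by eye. The script below is an added example (not part of the original writeup, and not an nmap or HTB tool): it parses nmap `-oN` output into per-port records plus host-script lines, then flags exactly the weaknesses this scan exposed (anonymous FTP, vsftpd 2.3.4, Samba 3.0.20, exposed distccd, SMB signing disabled). The embedded `SAMPLE_SCAN` is a constructed excerpt of the scan on this page; the `Service` class, `triage()` and the finding wording are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the service-scan lines from this writeup that matter for triage.
# A practitioner would read the real -oN file instead (see main()).
SAMPLE_SCAN = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))

Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
"""

# One port line: "<port>/<proto> <state> <service> [version text]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str
    scripts: list = field(default_factory=list)  # NSE output lines for this port


def parse_nmap_normal(text):
    """Parse nmap -oN output into Service records and a list of host-script lines."""
    services, host_scripts = [], []
    current, in_host = None, False
    for line in text.splitlines():
        if line.startswith("Host script results"):
            in_host, current = True, None
            continue
        m = PORT_LINE.match(line)
        if m:
            current = Service(int(m.group(1)), m.group(2), m.group(3),
                              m.group(4), m.group(5).strip())
            services.append(current)
            continue
        if line.startswith("|"):
            # strip the "| ", "|_" and "|_  " prefixes nmap uses for script output
            body = line.lstrip("|_ ").rstrip()
            if in_host:
                host_scripts.append(body)
            elif current is not None:
                current.scripts.append(body)
    return services, host_scripts


def triage(services, host_scripts):
    """Return (port, finding) pairs for the weaknesses this writeup's scan exposed."""
    findings = []
    for s in services:
        if s.state != "open":
            continue
        if s.name == "ftp" and any("Anonymous FTP login allowed" in x for x in s.scripts):
            findings.append((s.port, "anonymous FTP login enabled"))
        if s.version.startswith("vsftpd 2.3.4"):
            findings.append((s.port, "vsftpd 2.3.4 (release with a known backdoor)"))
        if "Samba smbd 3.0.20" in s.version:
            findings.append((s.port, "Samba 3.0.20 (in the 'username map script' RCE range)"))
        if s.name == "distccd":
            findings.append((s.port, "distccd exposed (unauthenticated remote compile service)"))
    if any(x.startswith("message_signing: disabled") for x in host_scripts):
        findings.append((445, "SMB message signing disabled"))
    return findings


def triage_text(text):
    """Convenience wrapper: scan text in, findings out."""
    return triage(*parse_nmap_normal(text))


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCAN
    for port, note in triage_text(data):
        print(f"{port:>5}  {note}")
```

Run it with the path to a real `-oN` file as the first argument, or with no arguments to triage the embedded sample; on this box it reports five findings, two of them on port 21 alone.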

Port 21 allows anonymous login, so we log in:

```
❯ ftp 10.10.10.3

Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:guerrerove): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
```

We try to run commands, but it does not let us, so we look for vulnerabilities with searchsploit:

```
❯ searchsploit vsftpd 2.3.4

Exploit Title | Path

vsftpd 2.3.4 - Backdoor Command Execution | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | unix/remote/17491.rb
```

We found these exploits, so we try them:

We tried the first script, but after a long while it did not work, so we run the Metasploit module instead.

<figure><img src="/files/sSB0KLHCVb5lraic4diP" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/H6r3DmPVhudE7VsBDpca" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/LxRYACnodLvomS20p1G3" alt=""><figcaption><p>We had no success with the first exploit found.</p></figcaption></figure>

We had no luck with Metasploit either, so we try another port, this time focusing on SMB:

```
❯ searchsploit samba 3.0.20

Exploit Title | Path

Samba 3.0.10 < 3.3.5 - Format String / Security Bypass | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC) | linux_x86/dos/36741.py
```
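The searchsploit entry that ends up working is named after a Samba configuration directive, `username map script`, and the nmap host script above already reported `message_signing: disabled`. The check a Samba administrator would run against `smb.conf` for both points, as an added example that is not part of the original writeup and not Samba's own tooling: a minimal smb.conf reader plus an audit of the `[global]` section. Both configuration fragments are constructed for this example (the target's real `smb.conf` is not on the page); `parse_smb_conf`, `audit_smb_conf` and the script path are assumptions.

```python
# Constructed sample configurations for this example, not the target's real smb.conf.
WEAK_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba, Ubuntu)
   # the directive the searchsploit entry above is named after (path is made up):
   username map script = /etc/samba/scripts/mapusers.sh
   ; server signing left at its default
[tmp]
   path = /tmp
   writable = yes
"""

HARDENED_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba, Ubuntu)
   server signing = mandatory
[tmp]
   path = /tmp
   writable = yes
"""

# Values smbd accepts for "server signing" that actually enforce signing.
SIGNING_REQUIRED = {"mandatory", "required", "force", "forced"}


def parse_smb_conf(text):
    """Minimal smb.conf reader: sections in [brackets], key = value, # or ; comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_smb_conf(text):
    """Return the [global] issues to fix, based on what this writeup's scan exposed."""
    g = parse_smb_conf(text).get("global", {})
    issues = []
    if "username map script" in g:
        issues.append("username map script is set: on the Samba 3.0.20 < 3.0.25rc3 range this "
                      "directive is what the searchsploit RCE entry abuses; remove it or upgrade")
    if g.get("server signing", "").lower() not in SIGNING_REQUIRED:
        issues.append("server signing is not mandatory: nmap reported message_signing disabled")
    return issues


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}] {audit_smb_conf(conf) or 'no issues'}")
```

Point `audit_smb_conf` at the contents of a real `/etc/samba/smb.conf` to get the same two checks; the weak sample yields both issues, the hardened one none. Upgrading Samba is the real fix for the first finding; the signing setting is independent of the version and is worth enforcing regardless.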

We run the Metasploit module:

<figure><img src="/files/hGcWM9eDXJIIM3EZteWk" alt=""><figcaption><p>Selecting the newly found module.</p></figcaption></figure>

<figure><img src="/files/YF1UfvW0Xkvn6rjOtiVq" alt=""><figcaption><p>Setting LHOST and RHOSTS.</p></figcaption></figure>

<figure><img src="/files/ojknz7JWBAZipZQrYCVl" alt=""><figcaption><p>We are in the system.</p></figcaption></figure>

The module worked and we are on the machine as root; we look for the flags:

```
script /dev/null -c bash

root@lame:/home# ls
ftp  makis  service  user
root@lame:/home# cd user
root@lame:/home/user# ls
root@lame:/home/user# cd ..
root@lame:/home# cd makis
root@lame:/home/makis# ls
user.txt
root@lame:/home/makis# cat user.txt
3493cdfeea702375fa941436919261ff

# Now we look for the ROOT flag:

root@lame:/home/makis# cd /root
root@lame:/root# ls
Desktop  reset_logs.sh  root.txt  vnc.log
root@lame:/root# cat root.txt
1737d3800272587a93dd1a30147b983c
```

And with that we would consider the Lame machine finished.
