Lame

#Linux #Enumeration #FTP #SMB

Lame is an easy-rated Linux machine from HackTheBox created by ch4p. This machine has no mystery, which makes it suitable for practice. In this case, you find something and search for an exploit for it. In this post, my IP is 10.10.14.49, and the target’s IP is 10.129.223.149.

Gather Information

Local Terminal
nmap -p- --open -T5 -v -n 10.129.223.149 -oG AllPorts
From here, we have FTP, SMB and NetBIOS Session Service, and nothing about a website.

On port 21, anonymous login is allowed and the version is included: vsFTPd 2.3.4. Perfect, we will search for that. Port 139 is another SMB service, but from a different workgroup.

Hey, there is nothing inside!
Look! There is an entrance at tmp, we should use that.
Fail, but this is a client-side error.

And we can’t log in with null?

Exploitation

At this point we have the following information: port 21 FTP (vsFTPd 2.3.4), port 139 SMB (unknown version) and port 445 SMB (3.0.20).
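
The same inventory step from the defender's side, as an added example that is not part of the original write-up: it parses `nmap -oG` output and flags the two versions named above, plus any open service with no version banner. The sample scan lines are constructed, and the `FLAGGED` table and function names are assumptions made for illustration.

```python
import re

# Versions this write-up names on the target (lower-cased banner prefix -> label).
FLAGGED = {"vsftpd 2.3.4": "vsFTPd 2.3.4", "samba smbd 3.0.20": "Samba 3.0.20"}

# Constructed sample of `nmap -sV -oG` output; not captured from the target.
SAMPLE_GNMAP = (
    "# Nmap scan (constructed sample)\n"
    "Host: 10.129.223.149 ()\tStatus: Up\n"
    "Host: 10.129.223.149 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "139/open/tcp//netbios-ssn///, "
    "445/open/tcp//netbios-ssn//Samba smbd 3.0.20-Debian/, "
    "8080/closed/tcp//http-proxy///\tIgnored State: filtered (65531)\n"
)

def parse_gnmap(text):
    """Return one dict per open port found in grepable nmap output."""
    services = []
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?\tPorts: ([^\t]*)", line)
        if not m:
            continue  # comment lines and "Status:" lines carry no port list
        host, ports = m.groups()
        for entry in ports.split(", "):
            # Field order: port/state/protocol/owner/service/rpcinfo/version/
            f = entry.strip().split("/")
            if len(f) < 7 or f[1] != "open":
                continue
            services.append({"host": host, "port": int(f[0]), "proto": f[2],
                             "service": f[4], "version": f[6]})
    return services

def audit(services):
    """Split services into flagged versions and ones with no version banner."""
    flagged, unknown = [], []
    for s in services:
        banner = s["version"].lower()
        if not banner:
            unknown.append((s["port"], s["service"]))
            continue
        for prefix, label in FLAGGED.items():
            # (?!\d) keeps "2.3.4" from matching a later release such as "2.3.40"
            if re.match(re.escape(prefix) + r"(?!\d)", banner):
                flagged.append((s["port"], label))
    return flagged, unknown

if __name__ == "__main__":
    flagged, unknown = audit(parse_gnmap(SAMPLE_GNMAP))
    print("flagged:", flagged)
    print("no version banner:", unknown)
```

A service with an empty version field, like port 139 here, is reported separately so it can be fingerprinted by other means before it is ruled out.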

  • Search: vsFTPd 2.3.4 exploit

So, those are the instructions.
It doesn’t work, let’s try another way.

At https://www.exploit-db.com/ search for Samba 3.0.20 (Windows issue), and download the exploit from https://www.exploit-db.com/exploits/16320

The exploit only connects to SMB and uses a long string as the username, and we know that the SMB has an unknown version.
As we can see, the payload is a terminal command, maybe we can change that part to create a reverse shell.
Now your TermA is root on the target [Root]

As you can see, we are connected as root, so we can get both flags directly.
