I started Hack the Box last month and am working my way through some of the retired machines as well as the active machines. I did Lame today, and it’s almost not worth this write-up as easy as it was.
I started off with a basic nmap scan of the target 10.10.10.3. As can be seen in the below screenshot, the machine is running several services: vsFTPd, SSH, SAMBA.
The vsFTPd allows anonymous login, so I checked that out in the file manager on my box and found nothing in the FTP share.
Once I saw that there were no files in the share, I shifted gears to SAMBA. For those who are unfamiliar, SAMBA is an open source implementation of Microsoft’s Server Message Block protocol, allowing all sorts of sharing between Windows and Linux machines. I then ran enum4linux and it was only able to effectively enumerate shares that are being shared and did not show a single user.
From that point, I googled the samba version running on the server and found an exploit for it on the Rapid7 site. From there I fired up metasploit, selected the correct exploit and payload and input the
I ran the exploit and once it completed I owned the box with the root account which SAMBA was running under. With a simple cat command I had the root flag.
From there it was a find away for the user flag and the box was completely owned.
This box was straightforward in the fact that the service I exploited had an old exploit in metasploit that is rated with excellent reliability and it ran as root, which then required no further local privilege escalation to find either flag on the box. It is a good box for a beginner to practice on, in my opinion.