HTB Lame

I started Hack the Box last month and am working my way through some of the retired machines as well as the active machines. I did Lame today, and it’s almost not worth this write-up as easy as it was.
I started off with a basic nmap scan of the target. As can be seen in the below screenshot, the machine is running several services: vsFTPd, SSH, SAMBA.

The vsFTPd allows anonymous login, so I checked that out in the file manager on my box and found nothing in the FTP share.

Once I saw that there were no files in the share, I shifted gears to SAMBA. For those who are unfamiliar, SAMBA is an open source implementation of Microsoft’s Server Message Block protocol, allowing all sorts of sharing between Windows and Linux machines. I then ran enum4linux and it was only able to effectively enumerate shares that are being shared and not shown a single user makis.

From that point, I googled the samba version running on the server and found an exploit for it on the Rapid7 site. From there I fired up metasploit, selected the correct exploit and payload, and input the rhost and lhost.

I ran the exploit and once it completed I owned the box with the root account which SAMBA was running under. With a simple cat command I had the root flag.

From there it was a find away for the user flag and the box was completely owned.

This box was straightforward in the fact that the service I exploited had an old exploit in metasploit that is rated with excellent reliability, and it ran as root, which then required no further local privilege escalation to find either flag on the box. It is a good box for a beginner to practice on, in my opinion.
