Lame is the first box ever created on HackTheBox. It’s a Linux-based easy machine created by ch4p.
Since this machine is retired and only VIP members can access it, I have a different machine IP. You can find the machine IP on that machine’s page. For this machine, you need basic Linux knowledge. As always, I start with network scanning to see which ports are open, service versions, etc.
nmap -sC -sV 10.10.10.3
In the scan result, we can see FTP details, and anonymous login is allowed. The FTP version is also mentioned: “vsFTPd 2.3.4”. Googling it, I found VSFTPD v2.3.4 Backdoor Command Execution and tried to run it, but nothing. It might be a rabbit hole. After attempting to enter using the vsFTPd attack vector, Samba becomes the only target. Googling it for an exploit, I clicked on the first result, Samba “username map script” Command Execution from Rapid7, and it’s exploitable with Metasploit. Also, the exploit version matches ours. So, I’ll run the Metasploit console and try this one.
And now, I’ll use the search command to find that exploit.
Found it! Let’s use it as exploit:
Now that we have loaded our exploit, let’s take a look at the exploit options with the command:
Okay, we have options! Now, let’s set them properly. We have RHOSTS, and there we need to set the Machine IP. RPORT we shouldn’t change; it’s set by default to 139. LHOST is our Local Machine IP, actually our VPN Connection IP. You can check it by typing:
Your Local Machine IP (on HackTheBox) should start with 10.10.XX.XX. Now, we can set our LHOST in Metasploit Console to the Local Machine IP:
set LHOST 10.10.XX.XX
Now, let’s set RHOST (Machine IP):
set RHOST 10.129.159.5
And now, let’s try to run it and see what will happen. Use the command:
Wait a few seconds, and…
And we got it! Now, we can grab our flags and submit them. On HTB Linux machines, the user flag is always in the user directory (/home/username/user.txt) and the root flag is always in the root directory (/root/root.txt). To get user, go into the /home directory and you can see 4 users there. I have checked all of them, and only user makis has a user.txt file. To get root, simply read the file under /root/root.txt.
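From the defender's side, the Samba “username map script” issue used above only matters when that non-default option is set in smb.conf, so it is worth auditing for. The following is an added example, not part of the original writeup or of Samba itself: a small checker that follows smb.conf's parsing rules (case and whitespace in names are ignored, `#` and `;` start comments, a trailing backslash continues a line). The sample configuration and the script path in it are constructed for illustration.

```python
import re

# Constructed sample smb.conf (not taken from the Lame machine).
SAMPLE_SMB_CONF = r"""
[global]
   workgroup = WORKGROUP
   ; username map script = /bin/false
   Username  Map Script = /etc/samba/scripts/\
mapusers.sh
   username map = /etc/samba/smbusers

[tmp]
   path = /tmp
   guest ok = yes
"""

def normalize(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Yield (section, parameter, value, line_number) for each setting."""
    section, pending, start = None, "", 0
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            if not line or line[0] in "#;":
                continue                  # blank line or comment
            start = number
        if line.endswith("\\"):           # trailing backslash continues the line
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("[") and line.endswith("]"):
            section = normalize(line[1:-1])
        elif "=" in line:
            name, value = line.split("=", 1)
            yield section, normalize(name), value.strip(), start

def find_username_map_script(text):
    """Return every place where 'username map script' has a non-empty value."""
    return [
        {"section": s, "line": n, "value": v}
        for s, p, v, n in parse_smb_conf(text)
        if p == "usernamemapscript" and v
    ]

if __name__ == "__main__":
    for f in find_username_map_script(SAMPLE_SMB_CONF):
        print(f"line {f['line']} [{f['section']}]: username map script = {f['value']}")
```

A finding here means the option should be removed, alongside updating Samba and restricting access to ports 139 and 445.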
Thank you for reading this writeup.