Are you ready to hack the box Lame!
This is one of the best boxes, for anyone who is new, hasn’t done a box before, or even really done any hacking before.
This serves as a great box for new people, because of how incredibly simple it is to exploit and gain a root shell. If you are new please know that this is very simple and is designed to help get you familiar with using metasploit.
So to start off this box, If we go back to my Recon with Nmap post, we will be running these initial scans to figure out what is running on this port. Pretty much all we know is the IP: 10.10.10.3 and we also know from looking at the box, the name: Lame, and the OS: Linux
nmap -Pn -p - -oN fullport 10.10.10.3
So I like to start off with a full port scan on this host just so I don’t miss anything running on this host. Taking a look at the output we see 5 ports that are open.
- Port 21 – OPEN – FTP
- Port 22 – OPEN – SSH
- Port 139 – OPEN – netbios-ssn
- Port 445 – OPEN – microsoft-ds
- Port 3632 – OPEN – distccd
Now this really only tells us what is running on the machine, It doesn’t give us any additional information to go off, so let’s further enumerate this box, and run the rest of our scans.
nmap -Pn -sV -oN svscan 10.10.10.3
So now we can see what versions are running for these services, Notice that in this scan it did’t do anything for Port 3632, and that is because it isn’t in the default nmap scan of top 1,000 ports. if you wanted to scan for this one also all you have to do is specify the ports with a similar scan.
nmap -Pn -p 21,22,139,445,3632 -sV -oN svscan 10.10.10.3
The -p option specifies the port you want to scan, if I only did -p 3632 it wouldn’t scan the other ports.
- Port 21 – OPEN – ftp – vsftpd 2.3.5
- Port 22 – OPEN – ssh – OpenSSH 4.7p1
- Port 139 – OPEN – netbios-ssn – Samba smbd 3.x – 4.x
nmap -Pn -sV -sC -oN scscan 10.10.10.3
So now I am going to run nmap default safe script scan by using the -sC in conjunction with -sV. This is super beneficial as it checks if these services are properly configured. As we can see, Port 21 – ftp is open to anonymous login. So lets check that out.
So using the command ftp 10.10.10.3 it asks for a name, which we will give it the name anonymous, and for the password just press enter. Now the first thing is to check which directory we are in using pwd, which shows us that we are in the / or root directory of ftp. using ls -la we see that there is nothing here. So ftp doesn’t do us any good in this case.
We never got an exact version for Samba, so let’s see if we can obtain that.
smbclient -L 10.10.10.3
Using smbclient we can see the version of Samba. the -L lists the files on smb if you were curious. So lets open metasploit using the following command: sudo msfdb run
now once metasploit is up, we are going to search for the service versions, and see if there are any metasploit modules for this.
Finding the right module to use can be tricky when your first starting out. but if you read carefully, it does explain itself. Here we can see on line 14, the line that I have highlighted. it says exploit/multi/samba/usermap_script the date when it was published, which we can cross check with when this version of samba was published. and than a description of what it does.
So lets use this and see what we get!
So now that we have the exploit loaded and ready to be used we need to configure it.
- options – shows the things we need to modify to make this exploit work
- rhosts – is your target host IP
- rport – target port, we will keep this default, but remember there is another samba client running on port 445, which we can also try if the default port doesn’t work.
- set rhosts 10.10.10.3 – will set the exploit to target are host.
Now that’s all we need to set for this exploit. So to execute the exploit we can either type in run, or exploit.
So now we have a shell, so lets figure out who we are a shell as. using the command: whoami we can see we are root! lets see where we are on this shell using the command pwd: / which means we are in the root directory!
This is awesome! we are now root on this box, so lets get the user and root flag!
There is a user in the home directory called makis, which contains are user.txt file we are looking for! Cat that file and you have your user flag!
Now to get are root flag, lets go back a few directories and go into the root folder, and inside here we can see root.txt! cat it and you have your root flag!
Congratulations! You have now gotten root own over the box Lame!