Lame HTB Writeup
Hi Everyone, after a long time I am back on medium . Hope you are doing well. Till now, I completed total 15 machines on HTB which are of ‘very easy’ level of difficulty. Here’s the first writeup on the machine ‘Lame’ which is of ‘easy’ level of difficulty.
Started of by scanning all TCP and UDP port on the target machines.
Considering the TCP and UDP nmap scan results, we now have four ways to enter into the system which are as follows:
- Port 21: File Transfer Protocol (FTP) version 2.3.4 with anonymous login
- Port 22: OpenSSH version 4.7p1.
- Ports 139 and 445: Samba v3.0.20-Debian.
- Port 3632: the distributed compiler daemon distcc version 1.
There were no directories found when I tried connecting using ‘anonymous’ creds. As the nmap scan showed us that the vsftpd 2.3.4 version is in use so searched using ‘searchspolit’ .
The nmap script output shows that the target machine is not vulnerable to this vulnerability. Let’s continue with port 22.
2. Port 22 OpenSSH v4.7p1
Searched for this version of openSSH on google but nothing interesting found so thought to check for Nmap scripts as it contains multiple scripts that can brute force credentials.
After spending a little time on this port, I decided to move to the next port.
3. Ports 139 and 445 Samba v3.0.20-Debian
Let’s use smbclient to access the SMB server where -L switch used to lists what services are available on a server.
Let’s view the permissions on the share drives using below command ‘-H’ is used to specify the host. The output of the below command shows that we have READ/WRITE access on the tmp folder.
After searching about the current smb version I found CVE-2007–2447 which don’t require usage of Metasploit. The issue is with the username field. If we send shell metacharacters into the username we exploit a vulnerability which allows us to execute arbitrary commands. Although the exploit available on exploitdb uses Metasploit, reading through the code tells us that all the script is doing is running the following command, where “payload.encoded” would be a reverse shell sent back to our attack machine.
For samba exploitation, started a netcat listner on my machine on port 1234. To log into the samba system used below command.
Now, it’s time to find root flag. We have seen earlier that there’s a root directory to travrse the directories backword as follows:
Let’s do a root dance. Till then happy hacking :)