Hack The Box :: Lame
Lame was the first box I chose to tackle, and I found it pretty simple to pwn. Georgia Weidman’s Penetration Testing: A Hands-On Introduction to Hacking definitely made pwning this box a breeze.
Lame is an easy Linux-based Hack The Box machine. It was a great introduction to how Hack The Box machines work. It had a few open ports that were easy to work with as a beginner: port 21 (FTP), port 22 (SSH) and port 445 (SMB).
The scan is a very typical one, run with the following nmap flags:
- -sT : a “TCP Connect Scan”, which asks the underlying operating system to establish a full connection to each target port by issuing the connect system call (no raw packets, so no root needed, but noisier than a SYN scan).
- -sV : a “Version Detection Scan”, which probes each open port to identify the service and, where it can, its version.
- -sC : a “Script Scan”, which runs the default set of Nmap Scripting Engine (NSE) scripts against the discovered services.
- -oN : writes the scan in normal (human-readable) format to a file. Adding a .txt extension is a force of habit of mine, not a requirement. Saving the output means we can refer back to the results instead of running the scan again.
Note: be cautious with -sC. Some of the default scripts are considered intrusive, so make sure you have permission before running it against a target.
Running this scan we can see 4 open ports:
- Port 21: ftp
- Port 22: ssh
- Port 139: netbios-ssn, Samba smbd (SMB carried over the NetBIOS session service, the legacy transport used by older Windows networks)
- Port 445: Samba smbd (SMB directly over TCP, without NetBIOS, which is the transport modern Windows and Samba use)
If you look at the nmap results, the ftp-anon script reports: Anonymous FTP login allowed. This means we can log in over FTP as the user anonymous with any password (anonymous:anonymous works).
Here we were able to log into the server over FTP. Sadly, there was nothing we could do from here. Upon gaining access, I used basic Unix commands, such as ls to check whether we could see a listing of files and cd to see whether we could change directories.
Next we try accessing the server over SSH. Typically this doesn’t work, but it’s always worth a try to guess the password. You never know, you might just get lucky… ;)
With little to no success over FTP and SSH, it’s still good practice to record what you can and cannot access. Being able to log in over FTP but not list files or change directories tells us the anonymous account is confined to an empty or locked-down directory, so FTP is not our way in here.
If you recall from the scan, there were two Samba ports open: port 139, which carries SMB over the NetBIOS session service (the legacy transport), and port 445, which is more common today because SMB runs directly over TCP there, without NetBIOS.
But the one we’re focusing on is port 445, which specifically says: Samba smbd 3.0.20-Debian. This gives us the exact version of Samba running on the box. This is perfect because with some googling we find that this version is vulnerable to a command execution flaw in Samba’s “username map script” option (CVE-2007-2447, affecting Samba 3.0.0 through 3.0.25rc3): the client-supplied username was handed to a shell unsanitised, so shell metacharacters in it were executed. Because this happens while the server is still processing the session setup, no authentication is needed to run arbitrary commands.
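To see why an unauthenticated username can turn into command execution, it helps to look at the bug class rather than the Metasploit module. The snippet below is an added simulation, not Samba’s code and not part of the original write-up. It models the vulnerable pattern (a client-controlled username interpolated into a shell command line that runs the map script) beside a hardened version, using echo as a stand-in for the site-specific map script (an assumption) and a harmless marker in place of a real payload. The payload shape /=`...` mirrors the form the public exploit uses; here the backticks only echo a string.

```python
import re
import subprocess

# Stand-in for the administrator's "username map script" (assumption: the real
# script is site-specific). echo shows us exactly what argument the shell
# delivered to the script.
MAP_SCRIPT = "echo mapped:"

# Constructed, harmless payload in the shape the public exploit uses. In the
# real attack the backticks wrap a command that spawns a shell; here they wrap
# echo so the only effect is a visible marker in the output.
HARMLESS_PAYLOAD = "/=`echo INJECTED`"


def vulnerable_map_user(username):
    """Vulnerable pattern: the username is spliced into a shell command string.

    Double quotes do not help; backticks and $(...) are still expanded by the
    shell before the map script ever runs, so the attacker's command executes
    with the daemon's privileges (root, in smbd's case).
    """
    cmd = f'{MAP_SCRIPT} "{username}"'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()


def no_shell_map_user(username):
    """Mitigation 1: pass the username as a discrete argv element, never via a shell.

    The backticks survive as literal text; nothing gets evaluated.
    """
    return subprocess.run(["echo", "mapped:", username],
                          capture_output=True, text=True).stdout.strip()


# Mitigation 2: refuse anything that is not a plausible account name before it
# reaches any external command at all. Strict allowlist, not a denylist of
# "dangerous" characters.
SAFE_USERNAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def safe_map_user(username):
    """Hardened: allowlist the username, then call the script without a shell."""
    if not SAFE_USERNAME.fullmatch(username):
        raise ValueError("username contains characters outside the allowlist")
    return no_shell_map_user(username)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_map_user(HARMLESS_PAYLOAD))
    print("no shell:  ", no_shell_map_user(HARMLESS_PAYLOAD))
    try:
        safe_map_user(HARMLESS_PAYLOAD)
    except ValueError as exc:
        print("hardened:  rejected:", exc)
    print("hardened:  ", safe_map_user("makis"))
```

The first line of output reads mapped: /=INJECTED, showing the embedded command ran before the script saw its argument; the second keeps the backticks as plain text; the hardened path rejects the payload outright and only ever invokes the script for a name like makis. Both mitigations matter: dropping the shell removes the execution path, and the allowlist keeps garbage out of whatever the script does next.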
Here we use Metasploit, the most popular exploitation framework (yay!). Once again, thanks to Georgia Weidman’s awesome book (sorry, I can’t stop praising it, it’s just so damn good), we can use what we’ve learned and search Metasploit for Samba and the version nmap so kindly provided earlier.
As you can see, Metasploit lists the usermap_script module (exploit/multi/samba/usermap_script) for this Samba bug at #14.
Using basic Metasploit commands: use selects the exploit, set points RHOST (RHOSTS in current versions of the framework) at the target box, and exploit launches it.
Voilà! Success: we are finally in the machine!
Here we can see who we are and what folders are listed. The shell inherits smbd’s privileges, which is why we end up as root straight away and no separate privilege escalation step is needed on this box.
One folder that caught my eye immediately was the root folder.
Changing directories into the root folder, we were able to see a root.txt file.
And what do you know, using the Unix command cat we were able to output the root flag.
Going into the home folder, we can see a few folders, but if we change directories into the makis folder we can see the user.txt file.
Using the Unix command cat we can then see the user flag as well.
This was a super easy box, but with it being my very first, I had a lot of fun attacking it and writing a write-up for it. It definitely gives me motivation to pwn more boxes and write more write-ups.
With that being said, I’m on to the next box… You can expect a write-up for Blue next.