Hack The Box :: Lame

Lame info card

Quick Summary

With Lame being my first box of choice to tackle, I found it pretty simple to pwn. Georgia Weidman’s Penetration Testing: A Hands-On Introduction to Hacking definitely made pwning this box a breeze.

Lame is an easy Linux-based Hack The Box machine lab. This box was a great introduction to how Hack The Box machine labs work. It had a few open ports that were easy to utilize as a beginner, such as port 21: ftp, port 22: ssh, and port 445: smb.

Nmap

What you see is a very typical scan.

Note: Be cautious when using -sC. Some of the scripts it runs are considered intrusive, so ensure you have permission before using it on a target.

nmap scan

Running this scan we can see 4 open ports:

FTP

In the results of the nmap scan you may have noticed the line: ftp-anon: Anonymous FTP login allowed. This means that we can ftp into the box using the credentials anonymous:anonymous.

ftp

Here we were able to successfully log into the server using ftp. Sadly, there was nothing we could do in here. Upon gaining access, I used basic unix commands, such as ls to check whether we can see a listing of files and cd to see whether we can change directories.

SSH

Next we try accessing the server using ssh. Typically this doesn’t work, but it’s always worth a try to guess the password. You never know, you might just get lucky… ;)

ssh

SMB

With little to no success using ftp and ssh, it’s always good to check what you can and cannot access. Being able to ftp in but not being able to see file listings or change directories tells us something is blocking us from accessing the folders.

If you recall from the scan, there were 2 Samba ports open: port 139, which is used for Windows computers on the same network, and port 445, which is more common today because it allows Samba to work over the internet.

But the one we’re focusing on is port 445, where the scan specifically says: Samba smbd 3.0.20-Debian. This gives us the version of Samba that is running on the box. This is perfect because with some googling we can see that this version of Samba is vulnerable to a command execution attack. Knowing this, we can execute arbitrary commands because no authentication is needed.
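The two scan findings used so far (the ftp-anon line and the Samba version banner) are what a defender would want flagged automatically from scan output. The following is an added example, not part of the original write-up: the scan text is constructed, the function names are hypothetical, and the affected range (Samba 3.0.0 through 3.0.25rc3) is an assumption taken from the upstream Samba advisory rather than from this page.

```python
import re

# Constructed sample in nmap's normal output format (not the scan from the page).
SAMPLE_SCAN = """\
21/tcp  open  ftp
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
"""

PORT_LINE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s*(.*)$")
SAMBA_VER = re.compile(r"Samba smbd (\d+)\.(\d+)\.(\d+)((?:rc|pre)\d+)?")


def samba_affected(banner):
    """True/False for an exact version, None when nmap only reports a range."""
    m = SAMBA_VER.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    prerelease = m.group(4) is not None  # e.g. "rc3" in 3.0.25rc3
    # Assumption: affected range is 3.0.0 through 3.0.25rc3 (3.0.25 final is fixed).
    return (major, minor) == (3, 0) and (patch < 25 or (patch == 25 and prerelease))


def triage(scan_text):
    """Return (port, severity, action) tuples for the findings discussed above."""
    findings, port = [], None
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, banner = int(m.group(1)), m.group(3)
            verdict = samba_affected(banner) if "Samba" in banner else False
            if verdict:
                findings.append((port, "HIGH", "Samba in username map script range: upgrade"))
            elif verdict is None:
                findings.append((port, "INFO", "Samba version not exact: verify on host"))
        elif "ftp-anon: Anonymous FTP login allowed" in line:
            # NSE script output belongs to the most recent port line.
            findings.append((port, "MEDIUM", "anonymous FTP enabled: disable if unused"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SCAN):
        print(*finding)
```

A banner is only a hint, since distributions backport fixes without changing the version string, so a HIGH result should be confirmed against the package version on the host.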

Metasploit

samba usermap script

Here, we use the most popular tool for exploiting vulnerabilities, Metasploit (yay!). Once again, thanks to Georgia Weidman’s awesome book (sorry I can’t stop praising the book, it’s just so damn good), we can use what we’ve learned and search for Samba and the version nmap was so kind to provide earlier.

As you can see Metasploit has the usermap script to exploit Samba at #14.

Exploiting

Using basic Metasploit commands, we use the use command to select the exploit, the set command to set RHOST to the targeted box, and the exploit command to exploit the vulnerability.

smb exploit

Voila! With success, we are finally in the machine!!

Pwned

Here we can see who we are, and what folders are listed.

lame folders

One folder that caught my eye immediately was the root folder.

Root Flag

Changing directories into the root folder, we were able to see a root.txt file.

root flag

And what do you know, using the unix command cat we were able to output the root flag.

User Flag

Going into the home folder, we can see a few folders in here, but if we change directories into the makis folder we can see the user.txt file.

user flag

Using the unix command cat we can then see the user flag as well.

Conclusion

This was a super easy box, but with it being my very first, I had a lot of fun attacking it and writing a write-up for it. It definitely gives me motivation to pwn more boxes and do more write-ups.

With that being said, I’m on to the next box… You can expect a write-up for Blue next.