Hack The Box (HTB) is an online platform allowing you to test your penetration testing skills. It contains several challenges that are constantly updated. Some of them simulating real world scenarios and some of them leaning more towards a CTF style of challenge.
Note. Only write-ups of retired HTB machines are allowed.
Lame is the first machine published on Hack The Box and is for beginners, requiring only one exploit to obtain root access.
We will use the following tools to pawn the box on a Kali Linux box
Step 1 - Scanning the network
The first step before exploiting a machine is to do a little bit of scanning and reconnaissance.
This is one of the most important parts as it will determine what you can try to exploit afterwards. It is always better to spend more time on that phase to get as much information as you could.
I will use Nmap (Network Mapper). Nmap is a free and open source utility for network discovery and security auditing. It uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
There are many commands you can use with this tool to scan the network. If you want to learn more about it, you can have a look at the documentation here
I use the following command to get a basic idea of what we are scanning
nmap -sV -O -F --version-light 10.10.10.3-sV: Probe open ports to determine service/version info
-O: Enable OS detection
-F: Fast mode - Scan fewer ports than the default scan
--version-light: Limit to most likely probes (intensity 2)
10.10.10.3: IP address of the Lame box
You can also use Zenmap, which is the official Nmap Security Scanner GUI. It is a multi-platform, free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users.
I use a different set of commands to perform an intensive scan
nmap -A -v 10.10.10.3-A: Enable OS detection, version detection, script scanning, and traceroute
-v: Increase verbosity level
10.10.10.3: IP address of the Lame box
If you find the results a little bit too overwhelming, you can move to the Ports/Hosts tab to only get the open ports
We can see that there are 4 open ports:
Port 21. File Transfer Protocol (FTP) control (command)
Port 22. Secure Shell (SSH), secure logins, file transfers (scp, sftp) and port forwarding
Port 139. NetBIOS Session Service
Port 445. Microsoft-DS (Directory Services) SMB file sharing
Let see what we can get with the first port
Step 2 - The Vulnerable FTP
We will use Searchsploit to check if there's any known vulnerability on vsftpd 2.3.4. Searchsploit is a command line search tool for Exploit Database
I use the following command
searchsploit vsftpd 2.3.4Now that we know that there is a vulnerability - Backdoor Command Execution - let's try to exploit it
We will use Metasploit. It's a penetration testing framework that makes hacking simple. It's an essential tool for many attackers and defenders
I launch Metasploit Framework on Kali and look for command I should use to launch the exploit
I use the command to look for all the payloads available
search vsftpd 2.3.4We can see there are several different exploits but the one we're interested in is number 4
exploit/unix/ftp/vsftpd_234_backdoor
I use the following command for the exploit
use exploit/unix/ftp/vsftpd_234_backdoorThis will launch the exploit. I use this command to display the available options
show optionsYou can see that the remote host (RHOSTS) is not yet set. I will set both the remote host and the target as these two pieces of information are needed to run the exploit
I use the following command to set the remote host using the IP address of HTB Lame box
set RHOSTS 10.10.10.3Then I set the target to 0 as displayed when I checked the options
set TARGET 0We can now run the exploit
Unfortunately we can see that even if the exploit is completed, no session was created. The vulnerability has been patched as mentioned here, in the description of the exploit.
This module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was introdcued into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 according to the most recent information available. This backdoor was removed on July 3rd 2011.
The Exploit Database is a Common Vulnerabilities and Exposures (CVE) compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. The aim is to serve the most comprehensive collection of exploits gathered through direct submissions, mailing lists, as well as other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and proof-of-concepts rather than advisories, making it a valuable resource for those who need actionable data right away
We need to find another way. Let's have a look at another port!
Step 3 - The Vulnerable Samba
If you remember from Step 1 - Scan the network, we found out that port 445 - Samba smbd 3.0.20-Debian was opened. Let's see if we can find any vulnerabilities around that specific version
If you want to learn more about Samba, go here. But a deep knowledge of Samba is not required for that box.
We go back to Searchsploit to check
I use the following command
searchsploit Samba 3.0.20We can see that there's a 'Username' map script Command Execution that we could launch using Metasploit. Let's try it!
Back to Metasploit and checking the command we should use to launch the exploit. I use the following command
search Samba 3.0.20We can see there are several different exploits but the one we're interested in is number 15
exploit/multi/samba/usermap_scriptYou can also find it on the Exploit Database website
The description of the exploit
This module exploits a command execution vulerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default "username map script" configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands.
No authentication is needed to exploit this vulnerability since this option is used to map usernames prior to authentication!
Back on Metasploit where I use the command
use exploit/multi/samba/usermap_script
This will launch the exploit. I use the following command to display the available options
show optionsYou can see that the remote host (RHOSTS) is not yet set.
I use the following command to set the remote host using the IP address of HTB Lame box
set RHOSTS 10.10.10.3We can now run the exploit
Bingo! We have a command shell opened. Let's see what we can find :)
Step 4 - Looking for the user.txt flag
We can now look for the first flag, user.txt
I use the following command to check who am I on that machine
whoamiWe have root access to the machine. We got the power! Let's start navigating the folders
I use the following command to list all the files/folders
lsLet's move to the home folder and see what we can find
I use the following command to change to the home directory, then I list all the files/folders
cd homeWe don't have that much info here, let's be more specific with the command
ls -la
We can see that there's a folder called makis. Let's see what's inside!
We found the user.txt file! To read the content of the file I use the command
cat user.txtNow that we have the user flag, let's find the root flag!
Step 5 - Looking for the root.txt flag
Let's go back to the root directory. I use the command
cd ~
To check where you are, you can use the following command
pwdHere we see that we're at the /root level and if we list the files/folders we find the root.txt file!
To read the content of the file I use the command
cat root.txtCongrats! You found both flags!
Please donβt hesitate to comment, ask questions or share with your friends :)
You can see more of my articles here
You can follow me on Twitter or on LinkedIn
And don't forget to #GetSecure, #BeSecure & #StaySecure!
Other articles in this series
- Keep Calm and Hack The Box - Legacy
- Keep Calm and Hack The Box - Devel
- Keep Calm and Hack The Box - Beep
