Posts Hackthebox Lame
Post
Cancel

Hackthebox Lame

This is the beginning of my journey of doing OSCP preparation. Nowadays, I think it’s time to learn something new. This post provides a walkthrough of the Lame system on HackTheBox. It was the first machine from HackTheBox.

Desktop View

nmap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
kali@0xOE:~/Desktop|⇒ nmap -sS -sC -sV -oA lame 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up (0.25s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.21
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h02m57s, deviation: 2h49m50s, median: 2m51s
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2020-04-03T07:32:08-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Apr  3 07:29:46 2020 -- 1 IP address (1 host up) scanned in 96.08 seconds

FTP Anonymous Login

I can access the server

1
2
3
4
5
6
7
8
9
10
11
12
13
kali@0xOE:~/Desktop|⇒ ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:user): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.

When we use the ls command, nothing shows up. ftp server is empty. After that I use searchsploit command Desktop View It is already in metasploit but this exploit doesn’t working. Desktop View

I turned to other ports. In metasploit , I search Samba 3.0.20 service. Desktop View When I tried it this module. I got root!

Root Desktop View

and these are user and root flags. Desktop View

Desktop View

This post is licensed under CC BY 4.0

Trending Tags

Contents

Trending Tags