Lame – Hack The Box


Since this is the first machine of this journey, let’s start by downloading the OpenVPN configuration from HTB and creating a quick alias to connect (I will be using Kali Linux by the way, not the integrated Pwnbox):

$ echo "alias htb='sudo openvpn /home/kali/VPNs/htb.ovpn'" >> ~/.zshrc (or ~/.bashrc)

Logout / Login and then:

$ htb

Let’s start with a plain nmap:

$ nmap
Starting Nmap 7.93 ( ) at 2023-01-08 04:22 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.04 seconds
$ ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=63 time=22.0 ms
64 bytes from icmp_seq=2 ttl=63 time=22.6 ms

Nmap immediately claims, wrongly, that the machine is down, even though it clearly answers ping. You need to add the -Pn flag to skip host discovery and scan a machine that nmap thinks doesn’t “respond to ping”:

$ nmap -Pn
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 4.78 seconds

It seems the machine has SMB shares, let’s enumerate them:

$ smbclient -L
Password for [WORKGROUP\kali]: (empty)
Anonymous login successful

Sharename       Type      Comment
---------       ----      -------
print$          Disk      Printer Drivers
tmp             Disk      oh noes!
opt             Disk      
IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))

Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

Server                   Comment
---------                   -------
Workgroup            Master
---------                   -------

“oh noes!”? lol. Lame, I guess? Let’s see what we find in tmp:

$ smbclient \\\tmp
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: > ls
. D 0 Sun Jan 8 04:31:20 2023
.. DR 0 Sat Oct 31 03:33:58 2020
.ICE-unix DH 0 Sun Jan 8 04:20:46 2023
vmware-root DR 0 Sun Jan 8 04:21:13 2023
.X11-unix DH 0 Sun Jan 8 04:21:12 2023
.X0-lock HR 11 Sun Jan 8 04:21:12 2023
vgauthsvclog.txt.0 R 1600 Sun Jan 8 04:20:44 2023
5574.jsvc_up R 0 Sun Jan 8 04:21:50 2023

7282168 blocks of size 1024. 5386552 blocks available

Of these files, only vgauthsvclog.txt.0 and .X0-lock are downloadable, and they contain no valuable information. None of the other shares seem to be useful either. Maybe we need to find some credentials first.

The other open services did not accept connections without credentials either. However, I noticed generally outdated software running. Let’s do a deeper scan and see if there is a vulnerability we can find:

$ sudo nmap -Pn -script vuln,default -p21,22,139,445 -sV -O

It turns out Samba 3.0.20-Debian is vulnerable to CVE-2007-2447. Use the Metasploit framework and its multi/samba/usermap_script module, then grab the flags from the shell it gives you:

cat /root/root.txt
cat /home/makis/user.txt
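To turn the two findings above (anonymous share listing, outdated Samba banner) into something a defender can run against their own inventory, here is an added triage script. It is not part of this writeup or of any HTB or Samba tooling; it parses a copy of the `smbclient -L` output shown above, pulls the Samba version out of the IPC$ comment, and checks it against the affected range for CVE-2007-2447 (Samba 3.0.0 through 3.0.25rc3, fixed in 3.0.25 final). It also scans a constructed, hypothetical smb.conf fragment for an active `username map script` line, since removing that option is the vendor's documented workaround for the bug. The sample listing and the smb.conf text are embedded as constructed input so the script runs offline.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the anonymous `smbclient -L` listing from the
# walkthrough above, reproduced here so the script runs offline.
SAMPLE_LISTING = """\
Anonymous login successful

    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    tmp             Disk      oh noes!
    opt             Disk      
    IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
    ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))
"""

# Constructed, hypothetical smb.conf fragment (not taken from the target).
# The commented-out line is harmless; the active one is the risky setting.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server
   # username map script = /etc/samba/scripts/mapusers.sh
   username map script = /etc/samba/scripts/mapusers.sh
"""


@dataclass(frozen=True)
class Share:
    name: str
    kind: str      # Disk, IPC or Printer
    comment: str


SHARE_RE = re.compile(r"^\s*(\S+)\s+(Disk|IPC|Printer)\s*(.*?)\s*$")
VERSION_RE = re.compile(r"Samba (\d+)\.(\d+)\.(\d+)(?:rc(\d+))?")


def parse_shares(listing: str) -> list[Share]:
    """Extract the share rows from `smbclient -L` output; header and
    separator lines do not match because their second column is not a type."""
    matches = (SHARE_RE.match(line) for line in listing.splitlines())
    return [Share(m.group(1), m.group(2), m.group(3)) for m in matches if m]


def samba_version(listing: str) -> Optional[tuple[int, int, int, int]]:
    """Pull the Samba version from the server comment as a sortable tuple.
    A final release sorts after any of its release candidates, so the 4th
    element is a large sentinel when no 'rcN' suffix is present."""
    m = VERSION_RE.search(listing)
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else 10**6)


# CVE-2007-2447 ("username map script" command injection) affects
# Samba 3.0.0 through 3.0.25rc3; 3.0.25 final carries the fix.
AFFECTED_LOW = (3, 0, 0, 0)
AFFECTED_HIGH = (3, 0, 25, 3)


def vulnerable_to_cve_2007_2447(version) -> bool:
    return version is not None and AFFECTED_LOW <= version <= AFFECTED_HIGH


def username_map_script_enabled(smb_conf: str) -> bool:
    """True if an active (uncommented) 'username map script' line exists.
    Removing this option is the vendor workaround for CVE-2007-2447."""
    for line in smb_conf.splitlines():
        stripped = line.strip()
        if stripped.startswith(("#", ";")):
            continue
        key = stripped.split("=", 1)[0].strip().lower()
        if key == "username map script":
            return True
    return False


def triage(listing: str, smb_conf: str) -> dict:
    """Summarise what an anonymous listing plus the config tells a defender."""
    shares = parse_shares(listing)
    version = samba_version(listing)
    return {
        "anonymous_disk_shares": [s.name for s in shares if s.kind == "Disk"],
        "samba_version": version,
        "cve_2007_2447_version_affected": vulnerable_to_cve_2007_2447(version),
        "username_map_script_enabled": username_map_script_enabled(smb_conf),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING, SAMPLE_SMB_CONF).items():
        print(f"{key}: {value}")
```

The version tuple is the part worth copying: naive string comparison would rank "3.0.25rc3" above "3.0.25", so the script maps a missing rc suffix to a large sentinel to get the ordering right. On a real fleet you would feed it the saved output of `smbclient -L` per host and the host's actual smb.conf rather than the constructed samples.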

There are a few more interesting paths on this machine. My guess is there is more than one way to the flags, but I will leave this up to you to explore!

So what did we learn from this machine? Sometimes a host is so open you don’t know where to start =).

PS: Hello Makis!
