Hack the Box – Lame

The “Lame” box was categorized as an easy-intermediate box, so I decided that it would be next on my list.

I found it to be fairly easy, giving it a 2 out of 10 for difficulty.

 

Intelligence Gathering

Data Given:
IP: 10.10.10.3
OS: Linux

I first pinged the host and confirmed that it was up. I then ran the following nmap scan for a general sweep of what ports were open. I do these types of scans to find any low-hanging fruit that may be there.

    nmap -sS -sC -sV -T4 10.10.10.3

Okay, so we have a few things that look interesting. The out-of-date vsftpd & Samba are probably how we want to get in. I looked around online for the Samba version as I think I had heard of a large exploit for that recently. Luckily, Rapid7 had a module at the top of my search.

The version that it was reporting was “3.0.20”, which correlates with the version that Rapid7 reported for the “username map script” RCE.
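A defender-side counterpart to the version match above, added here as an example that is not part of the original write-up: the RCE is named after the smb.conf option “username map script”, so this Python check reports every place that option is active in a config. The sample config and the script path in it are constructed; the matching follows smb.conf's rule that case and whitespace in parameter names are ignored.

```python
import re

# Constructed sample smb.conf for illustration (not taken from the target box).
SAMPLE_CONF = """\
[global]
   workgroup = WORKGROUP
   User Name Map Script = /etc/samba/scripts/mapusers.sh
   # username map script = /bin/true
[tmp]
   comment = scratch \\
      share
"""

def logical_lines(text):
    """Yield (line_number, text) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf

def find_username_map_script(text):
    """Return [(section, line_number, value)] for every active
    'username map script' setting. smb.conf ignores case and all
    whitespace in parameter names, so names are normalised first."""
    hits, section = [], None
    for no, line in logical_lines(text):
        line = line.strip()
        if not line or line[0] in "#;":   # blank line or comment
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:                             # section header such as [global]
            section = m.group(1).strip().lower()
            continue
        name, sep, value = line.partition("=")
        if sep and re.sub(r"\s+", "", name).lower() == "usernamemapscript":
            hits.append((section, no, value.strip()))
    return hits

if __name__ == "__main__":
    for section, no, value in find_username_map_script(SAMPLE_CONF):
        print(f"[{section}] line {no}: username map script = {value}")
```

An empty result means the option is not set in that file; any hit on an unpatched Samba of the version reported above is the setting to remove.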

 

Exploitation

This module does not support checking, so we are going to have to trust that nmap was not lying to us.

 

Post Exploitation

It wasn't! Unfortunately, this dropped us into a limited shell. Pentest monkey (http://pentestmonkey.net/blog/post-exploitation-without-a-tty) has a great way to gain a full TTY shell. Since I am comfortable with Python, I used the whereis python command to see if it was installed.

Now that I know it is installed (and I can use it), I run the following command to gain a full TTY shell.

    python -c 'import pty; pty.spawn("/bin/sh")'

We are already root, so let's grab the flags and move on to the next one.

 

Conclusion

I did have a trip-up when I was initially trying to hack this box. I went for the vsftpd daemon first, but for some reason couldn't get a shell back. I'm going to attribute the name “lame” for that very reason. I liked this one, but I think in the future I am going to stop relying on Metasploit so much and try and learn to use Python/Ruby scripts to send the exploits.