Hack The Box (HTB) is an online platform allowing you to test your penetration testing skills. Lame is the first machine published on Hack The Box and best for beginners, requiring only one exploit to obtain root access.
We will use the following tools to pawn the box on a Kali Linux box.
Step 1 – Scanning the network
As an initial step, before you exploit the machine, it you need scan and investigate.
This is important to determine what hackers can exploit afterwards. It is always better to spend time on this phase to extract maximum informatio.
Nmap (Network Mapper). Nmap is a free and open source utility for network discovery and security auditing. Raw IP packets are used to determine hosts available on the network, services offered by those hosts, operating systems running, packet filters, firewalls in use, and many other characteristics.
Use the following command to get a basic idea of what we are scanning
nmap -sV -sC -A 10.10.10.3
-sV: Probe open ports to determine service/version info
-sC: Default script sets
-A: Aggressive scan. Enable OS detection, version detection, script scanning, and traceroute
10.10.10.3: IP address of the Lame box
We can see that there is 4 open ports:
Port 21. File Transfer Protocol (FTP) control (command) where anonymous FTP login allowed.
Port 22. TCP
Port 139. netbios-ssn samba
Port 145. netbios-ssn samba
Box is samba vulnerable.
Step 2 – The Vulnerable samba
We will use Searchsploit to check if there’s any known vulnerability on samba 2.3.0. Searchsploit is a command line search tool for Exploit Database
I use the following command
searchsploit samba 2.3.0
It is found that there is a vulnerability – Backdoor Command Execution – let’s try to exploit it
As it is ruby based, Metasploit is used. It’s a penetration testing framework that makes hacking simple. It’s an essential tool for many attackers and defenders.
samba
We can see there are several different exploits and axillaries. However, we are interested in 14, as that is what searchsploit gave us.
exploit/multi/samba/username_script
Following command is used for the exploit
use exploit/multi/samba/username_script
This will launch the exploit. This command displays the available options.
show options
You can see that the remote host (RHOSTS) is not yet set. RHOSTS will be the victim.
Following command sets the remote host using the IP address of HTB Lame box
set RHOSTS 10.10.10.3
The exploit can be run now.
Bingo! A command shell opened. Let’s see what we can be find 🙂
Step 3 – Looking for the root.txt flag
Following command is used to list all the files/folders
ls
Let’s move to the home folder and see what we can find.
cd home
To open an interactive python shell the following command is used.
shell
To check the location, following command is used.
pwd
Shell is opened. We find the root directory.
To read the content of the file the following command is used.
cat root.txt
Step 4 – Looking for the user.txt flag
Now look for flag user.txt
Get back to the root directory.
cd home
We found the user.txt file in makis folder! To read the content of the file following command is used.
cat user.txt
Congrats! You found both flags!