
Lame

Lame - HackTheBox Linux Machine

HackTheBox Link to Lame Machine

Initial Nmap Scan for the machine/endpoint

The default scan gives no results. Using the -Pn switch gives the FTP, SSH, NetBIOS, and SMB ports, and scanning all ports adds one more open port, 3632. So we scan all these ports for service versions.

                                                                                                                                                                                                                                              
┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ nmap lame.htb              
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.04 seconds
                                                                                                                                                                                                                                              
┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ nmap -Pn -p- -T5 lame.htb  
Nmap scan report for lame.htb (10.10.10.3)
Host is up (0.050s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3632/tcp open  distccd

Nmap done: 1 IP address (1 host up) scanned in 72.35 seconds
                                                                                                                                                                                                                                              
┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ nmap -sC -sV -Pn -p 21,22,139,445,3632 -T5 lame.htb
Nmap scan report for lame.htb (10.10.10.3)
Host is up (0.049s latency).

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.10
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 600fcfe1c05f6a74d69024fac4d56ccd (DSA)
|_  2048 5656240f211ddea72bae61b1243de8f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2023-05-27T18:44:56-04:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 2h00m42s, deviation: 2h49m43s, median: 41s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.88 seconds
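
As an added example (not part of the original write-up), this Python parser turns the version-scan output above into a service inventory and a list of hardening findings a defender would act on. The sample text is constructed from lines of the scan above; the function names, finding wording and the "exposed service" policy are assumptions of this example.

```python
import re

# Constructed sample: lines excerpted from the version scan shown above.
SAMPLE = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|      Control connection is plain text
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
"""

# port/proto, state, service name, optional version banner
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# (pattern in NSE script output, finding text); wording is this example's own.
SCRIPT_CHECKS = [
    (re.compile(r"ftp-anon: Anonymous FTP login allowed"), "anonymous FTP login enabled"),
    (re.compile(r"Control connection is plain text"), "FTP control channel unencrypted"),
    (re.compile(r"message_signing: disabled"), "SMB message signing disabled"),
]
# Assumed policy: services that should only be reachable from trusted hosts.
EXPOSED = {"distccd": "distcc daemon exposed; restrict with --allow or a firewall"}

def parse_services(text):
    """Return {port: (service, version)} for open ports in nmap normal output."""
    services = {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            services[int(m.group(1))] = (m.group(4), m.group(5).strip())
    return services

def findings(text):
    """Return (port, finding) pairs; port is None for host-level script output."""
    out, current = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))  # script lines below belong to this port
            if m.group(3) == "open" and m.group(4) in EXPOSED:
                out.append((current, EXPOSED[m.group(4)]))
        elif line.startswith("Host script results"):
            current = None  # host scripts are not tied to a single port
        else:
            out.extend((current, msg) for pat, msg in SCRIPT_CHECKS if pat.search(line))
    return out
```
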

Searching for vsftpd exploits and logging in to FTP anonymously did not give any results, so we look at Samba next.

Searching for exploits in Metasploit and setting the options.

Checking the user in the shell session, we notice we are now root, so we can read all the flags. The user flag is in the makis user's directory and the root flag is at the usual location.
