Hack the Box — Lame

Just another TJ Null box preparing for the OSCP on a Sunday.

Recon

nmap -sC -sV -O -oA nmap/initial 10.10.10.3

nmap -sC -sV -O -p- -oA nmap/full 10.10.10.3

nmap -sU -O -p- -oA nmap/udp 10.10.10.3

I use searchsploit to check for exploits for these open ports and services.

I have a feeling it will be something SAMBA related that will work.

Let’s look into that Port 21 vsftpd v2.3.4:

Looks like the first 3 google results show there is a backdoor command execution

Use an NMAP script to see if this will work on this machine

nmap –script ftp-vsftpd-backdoor -p 21 10.10.10.3

Looks like this won’t work

Let’s try that SAMBA thing I was having feelings about 😂

I check searchsploit for samba 3.0.20 and find an exploit BUT its for Metasploit and I want to do this manually for the OSCP so…

We check the actual exploit-db page and find the CVE and maybe I can find a GitHub hosted exploit that I can just configure and run?

Upgrade the shell with:

python -c ‘import pty; pty.spawn(“/bin/sh”)’

SAMBA stuff always seems to be vulnerable in this old retired boxes, so when I see it I will go down that path over something else like ssh
After doing a few of these boxes you realize this formulaic process of recon, enumeration, and exploitation.
The tricky part between enumeration and exploitation is finding dead ends fast, using experience to realize where the real attack point should be, and adjusting exploits in order to gain the position in the machine I’m looking for
From a security perspective, a lot of these vulnerabilities are only possible to exploit because they are running and not being patched
In order to protect from these attacks systems need to know what they have running in their environment and constantly be aware of if they are behind or up-to-date on patches.
Tools like Tenable Nessus can be useful for discovering and working on these remediations but sometimes some manual work needs to be put in if the vulnerability is relatively new