Hack The Box — Lame

Lame is a Easy-Medium level Linux machine on Hack The Box similar to oscp.I will be mentioning both ways to get shell- using SMB and Distccd exploit and for the priv esc, i will cover both- using SUID and Dirty cow exploit.

ENUMERATION

We find port 21,22,139,445 and a wierd one 3632 open.There are no http ports.First of all we must try to connect to ftp to see if there are any file however it was of no use.

We can try using searchsploit to find a exploit for the vsftpd service running on ftp and we do find one however it wont work and it is actually a RABBIT HOLE in this box.vsftpd is a famous backdoor in which the user had to put a smiley as a username :) while connecting to ftp(you can google it)

Moreover if we try to check if ftp is vulnerable, using nmap script,it shows us that it is actually not vulnerable as can bee seen below. SO lesson learnt-”never assume things” use nmap script to check if a service is vulnerable or not !

Now lets enumerate ssh using nmap script, and we find noting useful

Now its time to look at SMB services running on port 139,445…we dont find any useful nmap scanning scripts so lets list its shares using smbmap

as we can see,we have read write access on the tmp share

Lets connect to the tmp share and see what files we can download

DO NOTE : If get an error NT_STATUS_CONNECTION_DISCONNECTED in smb, refer to the htb forums as it is very common and i had faced it too.It happens because smb is an outdated protocol-https://forum.hackthebox.com/t/issue-with-lame/2270/4

We do find a few file and use the command mget * to download them all however we find nothing interesting. I tried to upload a random file called nmap.txt and it got uploaded.However when i tried to upload a reverse shell on it, it was not executing.

Lets move on and look for exploits for the version of samba running and we find one called username map script

EXPLOITING SMB

If you look at the first few links, you will find that the exploit is written for metasploit however there was a python version available on github as well.

Exploit Link- https://github.com/v1nc3-source/Samba_3.x_4.x_exploit/blob/main/smb3exploit.py

If we try to run it, we get an error due to an outdated python library however if you read it, it is clearly mentioned that for the username , we have to use

‘/=`nohup followed by a one liner reverse shell (look at the 2nd last line in the image above)

About the Exploit- The issue seems to be with the username field. If we send shell metacharacters into the username we exploit a vulnerability which allows us to execute arbitrary commands.So lets use it

login is just an smb command.If you run the command ”help” you will find that out of all commands we can run,there is one called logon.A simple google search of how to run reverse shell in smb shows us about logon-https://medium.com/@nmappn/exploiting-smb-samba-without-metasploit-series-1-b34291bbfd63

and we finally get a reverse shell as Root user !

EXPLOITNG DISTCCD

This is the quick and easy way.We see a wierd service called distccd running on port 3632 and after a google search we find a few exploits.Thankfully a person has written a python exploit for it and he has even mentioned that this is for “lame” from hackthebox.Even instructions on how to run the exploit were mentioned.What else do we need XD

EXPLOIT LINK- https://gist.github.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855

We run the exploit and get a shell as daemon

Running uname -a shows us the kernel version and immediately i know this s vulnerable to the famous dirty cow exploit.

For deep enumeration, lets transfer and run LINPEAS on the target

running linpeas on target

Here are some critical findings from LINENUM tool

nmap has SUID bit set which can be exploited using GTFO bins

no root squash is enabled (google this for explaination)

PRIVILEGE ESCALATION -using nmap

Lets privilege escalate using Nmap. we run the last command in (b)

and we are root again !!! (

Side Note-I tried no root squash method for priv esc as well however it was not working)

PRIVILEGE ESCALATION -using DirtyCow Exploit

Offensive Security's Exploit Database Archive

Save it as cowroot.c and then compile it in our kali as cowroot

OPTIONAL- it can also be compiled on the target machine as well but we need to use -lcrypt at the end else it throws errors.So just compile and run it

As can be seen above, after running, we can set a password and we set it as 1234 and we also get a username firefart . Now all we have to do is ssh into the user firefart and use the passwor 1234 and we are in!

we are root again !!!

I hope you learned from this writeup.Make sure you follow me here for more such ctf writeups.

CONCLUSION

in this machine we learned that-

• Its very useful to use nmap scanning script to find if the version of a service is actually vulnerable or not.Here ftp was a rabbithole
• we can find exploits online as we did for smb and distccd
• we can get a reverse shell after connecting to smb using the logon command of smb, followed by a reverse shell
• In case of SUID files,we can use gtfo bins for priv esc
• If Linux Kernel is more than 2.6.22 and less than 3.9 it is vulnerable to dirty cow and can also be found using linux-exploit-suggester tool