HTB - Lame Writeup

Featured image

Initial Enumeration

1. Nmap Scanning

Starting with a scan of the target ip address:

nmap -sC -sV -oA lame.nmap 10.10.10.3

The nmap scan shows a vsftpd FTP server that is allowing anonymous connections. We also see port 22 and 445 open indicating there may be some network shares available for us.

2. FTP Enumeration

We can see the vsftpd version is 2.3.4 which is extremely outdated. We can also see that there is a metasploit module for this version. However, that isn’t exploitable in this instance.

3. SMB Enumeration

We can run smbmap to see if we have access to any network shares. The scan shows we have read/write access to the tmp share. After connecting to it with smbclient we don’t find anything of interest.

smbmap -H 10.10.10.3

Our earlier nmap scan indicates the smbd version is 3.0.20, which is also outdated and has exploits available. Conveniently, metasploit also has a module for this.

Exploitation

4. Smbd 3.0.20 Exploit

Load up metasploit and simply load up the exploit for this version of smbd. Once the target is set and exploit is run, we have a root shell. Super simple.

msf > use exploit/multi/samba/usermap_script msf > set RHOSTS 10.10.10.3 msf > run