1 min to read
HTB - Lame Writeup
- Box: Lame
- Difficulty: Easy
- Points: 20
- Release: 14 Mar 2017
- IP: 10.10.10.3
Initial Enumeration
1. Nmap Scanning
Starting with a scan of the target ip address:
nmap -sC -sV -oA lame.nmap 10.10.10.3
The nmap scan shows a vsftpd FTP server that is allowing anonymous connections. We also see port 22 and 445 open indicating there may be some network shares available for us.
2. FTP Enumeration
We can see the vsftpd version is 2.3.4 which is extremely outdated. We can also see that there is a metasploit module for this version. However, that isn’t exploitable in this instance.
3. SMB Enumeration
We can run smbmap to see if we have access to any network shares. The scan shows we have read/write access to the tmp share. After connecting to it with smbclient we don’t find anything of interest.
smbmap -H 10.10.10.3
Our earlier nmap scan indicates the smbd version is 3.0.20, which is also outdated and has exploits available. Conveniently, metasploit also has a module for this.
Exploitation
4. Smbd 3.0.20 Exploit
Load up metasploit and simply load up the exploit for this version of smbd. Once the target is set and exploit is run, we have a root shell. Super simple.
msf > use exploit/multi/samba/usermap_script
msf > set RHOSTS 10.10.10.3
msf > run
