1 min to read
Lame | Hackthebox write up
Brought to you by:
@SpengeSec on twitter`
Today we’re going for a quick and easy root, I’m starting this series of OSCP like boxes as a prep for my road towards OSCP Certification.
Start by editing /etc/hosts
Like always we add the IP(10.10.10.3) of the box to our hosts file as (possible) domain lame.htb
NMAP ~ Enumeration
To begin enumerating i start off with a nmap scan on the target. I’ve gotten a bash script that automates scanning, which comes in very handy if you’re taking the OSCP exam. In all the write ups ill be using this script.
But a nmap -p- -sT -sV -sC -oN initial-scan lame.htb, gobuster & nikito will be sufficient too.
You can find the script i use here: click
Interesting result Samba 3.0.2, lets look into it!
searchsploit samba lists a Unauthenticated Usermap exploit for SMB 3.0.2
Metasploit ~ Exploitation
We use msfconsole to run the exploit we found with searchsploit specifically crafted for metasploit(msf).
Begin by typing a show options, this lists only the RHOST and RPORT option to be set. We can go ahead and set the RHOST
We set the target host (RHOST) to 10.10.10.3
And run the exploit
We are greeted with a shell, and a quick whoami shows us we are root!
Getting the flags
I’ve made use of the find command to quickly find the flag files located on the system.
Finding where the user flag is stored
& Cat’ing the contents of this file
And we do run the same find command to locate the root flag file, and use cat to display its contents!