1 min to read

Lame | Hackthebox write up

Featured image

Brought to you by: Spenge @hackthebox.eu
@SpengeSec on twitter`

Today we’re going for a quick and easy root, I’m starting this series of OSCP like boxes as a prep for my road towards OSCP Certification.

Start by editing /etc/hosts

Like always we add the IP(10.10.10.3) of the box to our hosts file as (possible) domain lame.htb

https://i.imgur.com/YHXL2LQ.png

followed by:
10.10.10.3 lame.htb

NMAP ~ Enumeration

To begin enumerating i start off with a nmap scan on the target. I’ve gotten a bash script that automates scanning, which comes in very handy if you’re taking the OSCP exam. In all the write ups ill be using this script.
But a nmap -p- -sT -sV -sC -oN initial-scan lame.htb, gobuster & nikito will be sufficient too.
You can find the script i use here: click

https://i.imgur.com/ZXVzipF.png

Interesting result Samba 3.0.2, lets look into it!
searchsploit samba lists a Unauthenticated Usermap exploit for SMB 3.0.2

Metasploit ~ Exploitation

We use msfconsole to run the exploit we found with searchsploit specifically crafted for metasploit(msf).

Begin by typing a show options, this lists only the RHOST and RPORT option to be set. We can go ahead and set the RHOST and leave the RPORT default,as it uses the default port as shown in our previous nmap results.

https://i.imgur.com/uryexTG.png

We set the target host (RHOST) to 10.10.10.3
And run the exploit

We are greeted with a shell, and a quick whoami shows us we are root!

Getting the flags

I’ve made use of the find command to quickly find the flag files located on the system.

https://i.imgur.com/M2ehSLa.png

Finding where the user flag is stored
& Cat’ing the contents of this file

https://i.imgur.com/xJq5cf9.png

And we do run the same find command to locate the root flag file, and use cat to display its contents!