• GroTEK

Lame: Hack the Box Write-Up


Lame is a retired box, rated Easy, that is part of TJNull's list of boxes to use in preparation for the OSCP exam. Though this box is much easier than the other machines on Hack the Box, that is most likely a testament to how the platform has grown over time. Starting with an initial nmap scan for enumeration, we are greeted with the following:

# Nmap 7.80 scan initiated Mon Aug 17 14:54:18 2020 as: nmap -sC -sV -Pn -oN lame.nmap
Nmap scan report for
Host is up (0.033s latency).
Not shown: 996 filtered ports
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h07m33s, deviation: 2h49m43s, median: 7m32s
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2020-08-17T15:02:09-04:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Aug 17 14:55:14 2020 -- 1 IP address (1 host up) scanned in 56.49 seconds
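The scan above is the raw material a reviewer has to triage, and the items that matter (anonymous FTP, plaintext FTP channels, SMB signing disabled, legacy service versions) are scattered across service lines and NSE script output. The following Python is an added example, not part of the original write-up or of nmap: it parses the -oN normal-output format shown above and turns it into a list of findings. The sample input is a constructed excerpt of the scan output; the MIN_VERSION baseline is an assumption chosen for the example, not a value the write-up states.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: the service lines and script results from the nmap -oN
# output in the write-up (the target address is already redacted in the original).
SAMPLE_NMAP = """\
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| FTP server status:
|      Control connection is plain text
|      Data connections will be plain text
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)

Host script results:
| smb-security-mode:
|   account_used: <blank>
|_  message_signing: disabled (dangerous, but default)
"""

# "21/tcp  open  ftp  vsftpd 2.3.4" -> port, proto, state, service, banner
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# product name followed by a dotted version: "vsftpd 2.3.4", "OpenSSH 4.7p1"
VERSION_RE = re.compile(r"^(.*?)\s+(\d+(?:\.\d+)*)")

# Oldest version of each product this reviewer still accepts. These thresholds are
# an assumption for this example, not values taken from the write-up.
MIN_VERSION = {"vsftpd": (3, 0), "OpenSSH": (7, 0), "Samba smbd": (4, 0)}


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    product: str
    version: Optional[tuple]
    scripts: list = field(default_factory=list)


def split_banner(banner):
    """Separate 'OpenSSH 4.7p1 Debian ...' into ('OpenSSH', (4, 7))."""
    m = VERSION_RE.match(banner)
    if not m:
        return banner.strip(), None
    product = m.group(1).strip()
    if ".X" in banner:  # nmap could only guess a major-version range
        return product, None
    return product, tuple(int(p) for p in m.group(2).split("."))


def parse_nmap(text):
    """Return (services, host_scripts); NSE '|' lines attach to the preceding port."""
    services, host_scripts = [], []
    current = None  # list that following '|' lines belong to
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_RE.match(line)
        if m:
            port, proto, state, name, banner = m.groups()
            product, version = split_banner(banner)
            svc = Service(int(port), proto, state, name, product, version)
            services.append(svc)
            current = svc.scripts
        elif line.startswith("Host script results:"):
            current = host_scripts
        elif line.startswith("|") and current is not None:
            current.append(line.lstrip("|_ ").strip())
    return services, host_scripts


def assess(services, host_scripts):
    """Turn parsed scan data into a list of plain-language findings."""
    findings = []
    for svc in services:
        where = f"{svc.port}/{svc.proto}"
        floor = MIN_VERSION.get(svc.product)
        if svc.version is not None and floor and svc.version < floor:
            ver = ".".join(map(str, svc.version))
            findings.append(f"{where}: {svc.product} {ver} is below baseline")
        for s in svc.scripts:
            if s.startswith("ftp-anon:") and "login allowed" in s:
                findings.append(f"{where}: anonymous FTP login allowed")
            elif "plain text" in s:  # "Control connection ..." / "Data connections ..."
                channel = s.split(" ", 1)[0].lower()
                findings.append(f"{where}: FTP {channel} channel unencrypted")
    for s in host_scripts:
        if s.startswith("message_signing:") and "disabled" in s:
            findings.append("host: SMB message signing disabled")
    return findings


if __name__ == "__main__":
    for finding in assess(*parse_nmap(SAMPLE_NMAP)):
        print(finding)
```

Run against the constructed excerpt it reports seven findings, one per weak point visible in the scan. The version comparison deliberately skips banners like "3.X - 4.X", where nmap only guessed a range, so that the tool flags what the scan actually established rather than what it inferred.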

There's a lot to sift through, but the one thing that sticks out like a sore thumb is the anonymous FTP login and the vsFTPd 2.3.4 build serving that protocol. Doing some information gathering reveals an exploit that takes advantage of how the application handles special characters, namely the smiley face that Motorola Razr owners all remember fondly - :)
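From the defender's side, the useful detail in that paragraph is where the trigger lives: in the argument of the FTP USER command, on a control connection the scan already reported as plaintext, so a network sensor can see it. The following Python is an added example, not code from the write-up: it classifies reconstructed FTP control-channel commands, raising a high-severity alert on the smiley sequence and an informational one on anonymous logins, and never inspects PASS lines. The addresses and commands in SAMPLE_COMMANDS are constructed for the example.

```python
# Constructed sample: FTP control-channel commands as a network sensor would
# reconstruct them from a plaintext control connection. Addresses are made up.
SAMPLE_COMMANDS = [
    ("192.0.2.10", "USER ftp"),
    ("192.0.2.10", "PASS ftp@example.org"),
    ("192.0.2.11", "USER alice"),
    ("192.0.2.11", "PASS ********"),
    ("192.0.2.12", "USER backup:)"),
    ("192.0.2.12", "PASS x"),
]

BACKDOOR_MARKER = ":)"  # the smiley in the USER argument the write-up refers to
ANON_USERS = {"anonymous", "ftp"}


def classify_command(src, cmd):
    """Return (severity, src, message) for a USER command worth alerting on, else None."""
    verb, _, arg = cmd.strip().partition(" ")
    if verb.upper() != "USER":
        return None  # passwords and other commands are never inspected or stored
    if BACKDOOR_MARKER in arg:
        return ("high", src, "vsFTPd 2.3.4 backdoor trigger sequence in USER argument")
    if arg.lower() in ANON_USERS:
        return ("info", src, "anonymous FTP login attempt")
    return None


def scan_commands(commands):
    """Run every (src, command) pair through the classifier and keep the alerts."""
    return [a for a in (classify_command(s, c) for s, c in commands) if a is not None]


if __name__ == "__main__":
    for severity, src, message in scan_commands(SAMPLE_COMMANDS):
        print(f"[{severity}] {src}: {message}")
```

Because the check is on the USER argument alone, it works equally well over a packet capture, a proxy log, or an IDS that reconstructs FTP commands; the anonymous-login alert is kept informational since the scan shows the server permits it by configuration.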

Privilege Escalation

There isn't much more to this exploit than using the MSFConsole, though there are manual exploits floating around on Exploit-DB and in GitHub repositories. At the time of writing, however, some of the manual exploits were not working due to an upgrade to Python 3 and a deprecated smb.Connection module. Opening Metasploit, it's as close to point-and-shoot as possible; we are greeted with root privileges immediately after running exploit: