Friday, January 4, 2019

Lame


LAME

- Layout for this exercise:




1 - INTRODUCTION

- The goal for this exercise is to develop a hacking process for the vulnerable machine Lame, which is a retired machine from the Hack The Box pentesting platform:

https://www.hackthebox.eu/






2 - ENUMERATION

- Lame's IP is 10.10.10.3:




- Scanning with Nmap:





3 - EXPLOITATION

- The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the SamrChangePassword function, when the username map script smb.conf option is enabled, and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in the remote printer and file share management.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-2447


- The Metasploit exploit /exploit/multi/samba/usermap_script takes advantage of that vulnerability:
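- As an added defender-side example (not part of the original writeup, and not Metasploit or Samba code), the check below parses an smb.conf and reports whether both conditions named in the CVE description are met: the `username map script` option set, and a Samba version in the affected range 3.0.0 through 3.0.25rc3. The config fragment and the version strings it is tested with are constructed for illustration, not taken from the target machine:

```python
"""Check an smb.conf for CVE-2007-2447 exposure (added example, not the writeup's code)."""
import re

# Constructed sample smb.conf fragment (not taken from the target machine).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba %v)
   ; map incoming names through an external script
   username map script = /etc/samba/scripts/mapusers.sh
   log file = /var/log/samba/log.%m

[tmp]
   path = /tmp
   writable = yes
"""

def parse_global(conf_text):
    """Return the [global] section as a dict of lower-cased option -> value."""
    options, in_global = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                                   # blank line or comment
        m = re.match(r"\[(.+)\]$", line)
        if m:
            in_global = m.group(1).strip().lower() == "global"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            # Samba ignores case and internal whitespace in option names
            options[" ".join(key.split()).lower()] = value.strip()
    return options

def parse_version(ver):
    """'3.0.25rc3' -> (3, 0, 25, 3); a final release sorts after its rcs."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?[a-z]?$", ver)
    if not m:
        raise ValueError("unrecognised Samba version: %r" % ver)
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else 10**6)

def is_exposed(conf_text, samba_version):
    """True when the config enables the script AND the version is affected."""
    script = parse_global(conf_text).get("username map script")
    affected = (3, 0, 0, 0) <= parse_version(samba_version) <= parse_version("3.0.25rc3")
    return bool(script) and affected
```

Removing the option (or upgrading past 3.0.25rc3) makes `is_exposed` return False, which is the mitigation the CVE text implies.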






4 - EXPLOITATION

- Metasploit provides straightforward exploitation, returning a remote root shell:






- Improving the shell:





5 - CAPTURING THE FLAG

- There are two flags to be discovered.

- First, reading user.txt:




- Decrypting the MD5 string:





- Second, reading root.txt:




- Decrypting the MD5 string: