LAME HTB(10.10.10.3)

Money saxena
Oct 25, 2020

Summary: It's a very simple box and also a very good box for those who are new to HTB. We need some tools to own this box, such as Nmap, searchsploit, and Metasploit.

Step1: Enumeration:

First I ran an Nmap command to collect some info about this box:

nmap -sV -sC -A -O 10.10.10.3

Here we can see that ports 21, 22, 139, and 445 are open. The thing to notice here is that it is running vsftpd 2.3.4, which is vulnerable to “Backdoor command execution”. Alternatively, we can also check this by running the following command:

Step2: Digging

searchsploit vsftpd 2.3.4

Now it seems like we can easily own this box by opening Metasploit and searching for this exploit. We only have to set RHOSTS to 10.10.10.3 and fire the run/exploit command to get a meterpreter shell.

But this doesn’t work, as it shows “no session created”. I then noticed that this machine is also using port 139, which is for Samba, and with the help of an intensive scan in Zenmap I got the Samba version, which is 3.0.20.

Step3: Getting a shell

This Samba version is vulnerable to “Username map script command execution”, so I again used Metasploit to get a shell.

I searched for samba 3.0.20 and got the above result. Out of the 26 results we have to use number 14, set RHOSTS to 10.10.10.3, and exploit.

This time I got a shell on this machine and easily found user.txt under the folder “makis”, and the root flag at /root/root.txt. We don't require privilege escalation for the root flag because we are already logged in as root.
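From the defender's side, the Samba issue used above is only reachable when smb.conf sets the non-default "username map script" option, so auditing the config for that option is a quick hardening check. The script below is an added example and not part of the original write-up; the function names and the sample smb.conf are constructed for illustration.

```python
"""Audit smb.conf text for the 'username map script' option (added example)."""

def _norm(name):
    # smb.conf ignores case and all whitespace in section/parameter names
    return "".join(name.split()).lower()

def parse_smb_conf(text):
    """Yield (section, param, value, line_no) for each parameter line."""
    section, pending, start = None, "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            if not line or line[0] in "#;":
                continue  # blank line or comment
            start = no
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "  # continued on next line
            continue
        line, pending = pending + line, ""
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
        elif "=" in line:
            key, value = line.split("=", 1)  # only the first '=' matters
            yield section, _norm(key), value.strip(), start

def audit(text):
    """Return findings for every place 'username map script' is set."""
    findings = []
    for section, key, value, no in parse_smb_conf(text):
        if key == "usernamemapscript" and value:
            findings.append({"line": no, "section": section, "script": value})
    return findings

# Constructed sample config, not taken from the Lame box
SAMPLE = """\
[global]
   workgroup = WORKGROUP
   ; username map script = /bin/false
   User Name  Map Script = /etc/samba/scripts/mapusers.sh
[tmp]
   path = /tmp
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("line %(line)d [%(section)s]: username map script = %(script)s" % f)
```

Any finding means the option should be removed or Samba upgraded; an empty result means the option is not set in the audited file.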
