Note: This guide assumes that readers following along have set up a Kali Linux installation with all default tools and are connected to the HTB network with the proper OpenVPN configuration.
The box is running an outdated version of SMB, which can be exploited for quick root access with a Metasploit module.
Step by Step
We’ll start with the standard nmap “widescan”: nmap 10.10.10.3 -oN widescan.txt -p- -T5. This shows which ports are open; we’ll feed that list into our “deepscan”.
With this knowledge, we’ll move on to the deepscan: nmap 10.10.10.3 -p 21,22,139,445,3632 -oN deepscan.txt -A -T5. I learned this tiered approach to running scans from The Cyber Mentor, another great resource for beginners in pentesting.
The thing to pay attention to here is the pair of lines that show smb-security-mode: 2.02, with message signing: enabled but not required. This machine is running an old and misconfigured version of SMB, which we’ll use to get our shell.
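The two scan stages above and the signing finding, wired together as an added example that is not part of the original guide: the widescan is saved in grepable form (-oG) instead of -oN so its open ports can be turned into the deepscan command automatically, and a small check flags the smb-security-mode line when signing is not enforced. The scan output below is constructed; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original guide): turn the "widescan" into the
# "deepscan" instead of retyping ports by hand, then check the SMB signing line.
# Assumes the widescan was saved with -oG (grepable output); input is constructed.

# Constructed grepable widescan result for the box in the guide.
SAMPLE_GNMAP=$(printf 'Host: 10.10.10.3 ()\tStatus: Up\nHost: 10.10.10.3 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3632/open/tcp//distccd///\tIgnored State: filtered (65530)\n')

# open_ports: read grepable nmap output on stdin and print the open TCP ports
# as one comma-separated, numerically sorted list (the syntax nmap -p expects).
open_ports() {
  awk '/^Host:.*Ports:/ {
         sub(/.*Ports: /, "")
         n = split($0, entry, ", ")
         for (i = 1; i <= n; i++) {
           split(entry[i], f, "/")          # port/state/proto/...
           if (f[2] == "open" && f[3] == "tcp") print f[1]
         }
       }' | sort -n | paste -sd, -
}

# deepscan_cmd HOST: print the deepscan command for HOST using the ports found
# on stdin; returns 1 when the widescan found nothing open (no point scanning).
deepscan_cmd() {
  ports=$(open_ports)
  [ -n "$ports" ] || return 1
  printf 'nmap %s -p %s -oN deepscan.txt -A -T5\n' "$1" "$ports"
}

# smb_signing_finding: read deepscan output on stdin and print the
# smb-security-mode signing line if signing is not enforced (the guide's
# finding); exit 0 when found, 1 otherwise. Matches the guide's wording and the
# script's "disabled" wording, not a fixed nmap format.
smb_signing_finding() {
  grep -iE 'message[ _]signing: *(disabled|enabled but not required)'
}

printf '%s\n' "$SAMPLE_GNMAP" | deepscan_cmd 10.10.10.3
```

Run the widescan with -oG widescan.gnmap and pipe that file into deepscan_cmd; pipe the resulting deepscan.txt into smb_signing_finding to confirm the misconfiguration before moving on.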
Here, I’m going to use a bit of cheaty extra knowledge – I know this is the simplest machine on the Hack The Box network, so I’ll attempt some SMB attacks before I work to enumerate further. I’ll load up Metasploit by entering msfconsole, and then run search samba to get some easy options.
I’ll try the multi/ options first – we’ll use the exploit/multi/samba/usermap_script module here. A few commands: use exploit/multi/samba/usermap_script, then enter options to see what needs to be set and how. Looks like just the host – enter set RHOSTS 10.10.10.3 to get that set, then type run to run the exploit.
Luckily for us, this exploit spawns us in with root access in a stable-enough shell, so there’s no need for further privilege escalation. We’re now free with our root shell to grab the flags.
Thank you for reading my guide! I hope it was helpful. I’ll have more coming soon.