Hack The Box Guide: Lame

Note: If following along, this guide assumes that the reader has set up a Kali Linux installation with all default tools, and is connected to the HTB network with the proper OpenVPN configurations. 

Summary
The box is running an outdated version of SMB, which can be exploited for quick root access with a Metasploit module.

Step by Step

We’ll start with the standard nmap “widescan”: nmap 10.10.10.3 -o widescan.txt -p- -T5. This will show what ports are open, the output of which we’ll use in our “deepscan”.

With this knowledge, we’ll move on to the deepscan: nmap 10.10.10.3 -p 21,22,139,445,3632 -o widescan.txt -A -T5. I learned this tiered approach to running scans from The Cyber Mentor, another great resource for beginners in Pentesting.

The thing to pay attention to here are the two lines that shows smb-security-mode: 2.02, with message signing: enabled but not required. This machine is running an old and misconfigured version of SMB, which we’ll use to get our shell.

Here, I’m going to use a bit of cheaty extra knowledge – I know this is the simplest machine on the Hack The Box network, so I’ll attempt some SMB attacks before I work to enumerate further. I’ll load up metasploit by entering msfconsole, and then run search samba to get some easy options.

I’ll try the multi/ options first- we’ll use the exploit/multi/samba/userman_script module here. A few commands: use exploit/multi/samba/userman_script, then enter options to see what needs to be set what way. Looks like just the host- enter in set RHOSTS 10.10.10.3 to get that set, then type run to run the exploit.

Luckily for us, this exploit spawns us in with root access in a stable-enough shell, so there’s no need for further privilege escalation. We’re now free with our root shell to grab the flags.

Thank you for reading my guide! I hope it was helpful. I’ll have more coming soon.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s