Lame

A simple Linux machine, compromised through a Samba vulnerability using Metasploit.

This box can be found on Hack The Box.

Nmap

Initial nmap scan:

nmap -p- -Pn $IP --min-rate=5000

nmap scan result:
...
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3632/tcp open  distccd

SMB port 445 seems open. Let's scan this port further.

nmap -p 445 -A -sV -Pn $IP

nmap SMB scan result:
PORT    STATE SERVICE     VERSION
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)

Host script results:
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
...

We have Samba version 3.0.20. Searching Exploit DB shows that this version is vulnerable to CVE-2007-2447, and the Exploit DB page also notes that the exploit is available as a Metasploit module.
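As an added example (not part of the original writeup), the script below does the triage step above programmatically: it parses nmap -sV port lines like the ones shown and flags Samba builds inside the range affected by CVE-2007-2447 (Samba 3.0.0 through 3.0.25rc3; 3.0.25 final carries the fix). The sample input is constructed from the scan output on this page, plus a couple of extra lines to exercise the non-matching cases.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the service-detection lines from the writeup above,
# plus a fuzzy Samba banner and a non-Samba service for contrast.
SAMPLE_NMAP = """\
PORT    STATE SERVICE     VERSION
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
"""

# CVE-2007-2447 ("username map script" command injection) affects Samba
# 3.0.0 up to and including 3.0.25rc3; the 3.0.25 release ships the fix.
# Release candidates are treated as below the final release here.
AFFECTED_MIN = (3, 0, 0)
FIXED_IN = (3, 0, 25)

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
SAMBA_VER = re.compile(r"Samba smbd (\d+)\.(\d+)\.(\d+)")


@dataclass
class Finding:
    port: int
    version: Tuple[int, int, int]
    cve: str


def parse_samba_version(version_field: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an nmap VERSION column, or None when
    nmap could not pin a concrete release (e.g. 'Samba smbd 3.X - 4.X')."""
    m = SAMBA_VER.search(version_field)
    return tuple(int(x) for x in m.groups()) if m else None  # type: ignore[return-value]


def is_affected(version: Tuple[int, int, int]) -> bool:
    """Tuple comparison gives correct ordering for dotted versions."""
    return AFFECTED_MIN <= version < FIXED_IN


def find_vulnerable_samba(nmap_output: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue  # header, host-script output, or closed port
        port, _proto, _service, version_field = m.groups()
        ver = parse_samba_version(version_field)
        if ver is not None and is_affected(ver):
            findings.append(Finding(int(port), ver, "CVE-2007-2447"))
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_samba(SAMPLE_NMAP):
        print(f"port {f.port}: Samba {'.'.join(map(str, f.version))} -> {f.cve}")
```

On the sample above only the 445/tcp line is reported; the fuzzy "3.X - 4.X" banner is deliberately not matched, since a defender should confirm the exact build before raising it.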

Metasploit

I will open Metasploit and use this exploit.

using the exploit in Metasploit

I will then configure my options and run the exploit.

running the exploit

And we get a root shell straight away!

Getting the flags

There is not much else to do now apart from finding the flags. After a bit of searching I found the user flag in /home/makis and the root flag in /root (obviously).

finding the flags

And we have both flags! 🚩🚩
