🚩
CTFs
  • CTF Writeups
  • 🌧️TryHackMe
    • Simple CTF
    • Pickle Rick
    • Lazy Admin
  • 🧊HackTheBox
    • Lame
    • Jerry
Powered by GitBook
On this page
  • Nmap
  • Metasploit
  • Getting the flags
  1. HackTheBox

Lame

Simple Linux machine with Samba exploit using Metasploit.

PreviousLazy AdminNextJerry

Last updated 1 year ago

This box can be found .

Nmap

Initial nmap scan:

nmap -p- -Pn $IP --min-rate=5000
nmap scan result
...
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3632/tcp open  distccd

SMB port 445 seems open. Let's scan this port further.

nmap -p 445 -A -sV -Pn $IP
nmap SMB scan result
PORT    STATE SERVICE     VERSION
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)

Host script results:
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
...

Metasploit

I will open Metasploit and use this exploit.

I will then configure my options and run the exploit.

And we directly have a root shell!

Getting the flags

There is not much else to do now apart from finding the flags. After a bit of searching I found the user flag in /home/makis and the root flag in /root (obviously).

We have Samba version 3.0.20. After searching Exploit DB, it looks like it is vulnerable to . Also, the page tells us the exploit is available in Metasploit.

And we have both flags!

🧊
🚩
🚩
HERE
CVE-2007-2447
Exploit DB
using the exploit in Metasploit
running the exploit
finding the flags