
1. Lame (Easy)

Reconnaissance

When we start on a box we need initial recon to get an idea of which services or directories are present on the target. Scavenging for as many details as possible helps in the later exploitation process.

Nmap Scan

Starting off, we first do a ping scan to make sure we can reach our HTB machine; to do that we can use the following command

Once we have connectivity we can proceed with the nmap service-detection scan and the full scan, which can be done using the following command

We can keep the following information in hand:

Recon on port 21

We observe that an FTP port is open. Therefore, we can check for anonymous access to determine whether it contains any data. We can use the username anonymous and just press Enter at the password prompt. To connect to the host, we can use the following command:

We see that we are logged in successfully. We can use the ? command to see which commands are accessible, and we can use the ls command to list whatever directories or files are available.

It seems like there are no files. That means the exploitation might lie within the service itself rather than in its contents.

Exploitation

With the above information in hand we can see there are two applications that might be exploitable:

  1. FTP [VSFTPD]

  2. Samba [3.0.20]
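As an added example (not from the write-up), a small Python script that parses nmap -sV output and flags the two service versions named above, so this triage step can be repeated against any scan. The sample scan text is constructed to mirror the box's services; its SSH line and the exact banner strings are assumptions.

```python
import re

# Constructed sample of `nmap -sV` output, modelled on the services the
# write-up lists. Ports, banners and the SSH line are assumptions.
SAMPLE_NMAP = """\
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
"""

# Versions the write-up identifies as having public Metasploit modules.
# Each entry: a pattern matched against the VERSION column, plus a triage note.
WATCHLIST = [
    (re.compile(r"\bvsftpd 2\.3\.4\b"), "vsftpd 2.3.4: public Metasploit module exists"),
    (re.compile(r"\bSamba smbd 3\.0\.20\b"), "Samba 3.0.20: public Metasploit module exists"),
]

# One nmap port line: "<port>/<proto>  <state>  <service>  <version...>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap(text):
    """Return a list of dicts {port, proto, state, service, version}, one per port line."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header, blank and non-port lines are skipped
        port, proto, state, service, version = m.groups()
        entries.append({"port": int(port), "proto": proto, "state": state,
                        "service": service, "version": version.strip()})
    return entries


def flag_services(entries):
    """Return (port, service, version, note) for each open service matching the watchlist."""
    findings = []
    for e in entries:
        if e["state"] != "open":
            continue
        for pattern, note in WATCHLIST:
            if pattern.search(e["version"]):
                findings.append((e["port"], e["service"], e["version"], note))
    return findings


if __name__ == "__main__":
    for f in flag_services(parse_nmap(SAMPLE_NMAP)):
        print("port %d (%s): %s -> %s" % f)
```

The unversioned "3.X - 4.X" banner on port 139 is deliberately not flagged; only an exact version match is reported.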

Vsftpd 2.3.4 Exploitation

We can use searchsploit to check for any exploits that are available for this FTP version; it looks like this:

We can see that there is a Metasploit exploit for Vsftpd 2.3.4, so we can use msfconsole to load it.

Within msfconsole, type search vsftpd to display all the exploits that are available; we can see that there is one. To use it, type use 1 and the exploit is selected in the console.

Once the exploit is selected we can see that a payload is loaded automatically. Now we type show options to check which options need to be set for the exploit to work.

We can see from the above picture that it requires only RHOSTS, which is the IP address of our box. We can set it with the following command: set rhosts 10.10.10.3

After setting RHOSTS we can confirm that it has been set by running show options once again.

Once confirmed, we can launch the exploit with either exploit or run. On running it, however, we can see that this exploit failed, as no session was created.

Samba 3.0.20 Exploitation

Now that the FTP exploitation has failed, we can check whether the Samba application has a possible exploit. This can be done by searching for samba within msfconsole. On searching we can see that there is an exploit available for that particular version.

We can use the exploit by typing use 0, then show options to check which options need to be set for the exploit to work. We can also see that the payload has been configured automatically.

We can see that the exploit needs RHOSTS [the HTB box] and LHOST [our HTB IP address]. We can find our IP address in Linux using the ifconfig command or ip a. We set RHOSTS and LHOST using set RHOSTS and set LHOST respectively, and then type show options to confirm that both have been set. If the default LPORT is already in use locally, it is best to change LPORT too so that it doesn't conflict with the exploit.

After that we can run the exploit. On running it we can see that a reverse TCP handler has been started and we have a session on the system.

Post Exploitation

After running the exploit we can run whoami to see which user we are, and in the above figure we can see we are already the root user. The shell is unstable, though, so we can spawn a TTY shell to get a proper CLI to work in. There are multiple ways to spawn a TTY shell; I'll have the reference for the different TTY commands below. For now we will be using

to spawn the TTY shell. Then we can navigate to the /home folder to search for the user.txt file. It is not present within /home/user, but when navigating to /home/makis we can see the user.txt flag is there.

After getting the user flag we can check for the root flag, which is present within the /root folder. We can use cat to display its contents.

After submitting the user.txt and root.txt flags we have officially pwned the machine. Congratulations!

Reference
