HTB — Lame
2024-2-18 20:51:46 Author: infosecwriteups.com

First box, first own! Not so lame now, huh?

Dfaults

InfoSec Write-ups


Starting with an Nmap scan, we find a few open ports:

└──╼ [★]$ nmap -sT -sV -sC 10.129.7.39 -T 4 -p- -Pn

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.6
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 600fcfe1c05f6a74d69024fac4d56ccd (DSA)
|_ 2048 5656240f211ddea72bae61b1243de8f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2h30m37s, deviation: 3h32m07s, median: 37s
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2024-01-22T20:07:41-05:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 387.32 seconds
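
As an added example (not part of the original write-up), the Python below triages Nmap output like the scan above from a hardening point of view: it extracts the open services and flags the anonymous FTP login, plaintext FTP control channel and disabled SMB signing that the scripts reported. The `triage` function, the rule list and the trimmed sample input are constructed for illustration.

```python
import re

# Constructed sample: a trimmed copy of the Nmap output shown above.
SAMPLE = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| Control connection is plain text
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Host script results:
| smb-security-mode:
|_ message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
# Script-output phrases that indicate a hardening gap (illustrative rule set).
RULES = [
    (re.compile(r"Anonymous FTP login allowed"), "anonymous FTP login enabled"),
    (re.compile(r"Control connection is plain text"), "FTP control channel unencrypted"),
    (re.compile(r"message_signing:\s*disabled"), "SMB message signing disabled"),
]

def triage(nmap_text):
    """Return (services, findings) parsed from Nmap normal output."""
    services, findings = [], []
    current = None  # port that the following script lines belong to
    for line in nmap_text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            services.append({"port": current, "proto": m.group(2), "service": m.group(3), "version": m.group(4).strip()})
            continue
        if line.startswith("Host script results"):
            current = None  # host-level scripts are not tied to one port
            continue
        if line.startswith("|"):
            for pattern, label in RULES:
                if pattern.search(line):
                    findings.append((current, label))
    return services, findings

if __name__ == "__main__":
    services, findings = triage(SAMPLE)
    for s in services:
        print(f"{s['port']}/{s['proto']} {s['service']}: {s['version']}")
    for port, label in findings:
        print(f"[!] {'host' if port is None else port}: {label}")
```
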

The scan shows that anonymous login is allowed on the FTP server, so we log in to see what’s inside and go from there. We don’t find any files or directories, so we quit the session and look for another way into the box.

ftp 10.129.18.117
Connected to 10.129.18.117.
220 (vsFTPd 2.3.4)
Name (10.129.18.117:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp>

There is a known vulnerability in version 2.3.4 of the FTP server, with both a Metasploit module and a Python script available, so we will try the Metasploit module to get a shell.

This grants a root shell on the machine, from which we obtain both the user and root flags. This was a concise machine, since it requires only one exploit that is easy to find with searchsploit or by looking through the Metasploit modules for CVE-2007-2447.


Source: https://infosecwriteups.com/htb-lame-13b949b481dc?source=rss----7b722bfd1b8d---4