Lame | HackTheBox


 


nmap scan

Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-08 01:13 EST

Nmap scan report for 10.10.10.3

Host is up (0.063s latency).

Not shown: 996 filtered ports

PORT    STATE SERVICE      VERSION

21/tcp  open ftp         

|_ftp-anon: Anonymous FTP login allowed (FTP code 230)

| ftp-syst:

|   STAT: | FTP server status:

|      Connected to 10.10.14.1

|      Logged in as ftp

|      TYPE: ASCII

|      No session bandwidth limit

|      Session timeout in seconds 300

|      Control connection is plain text

|      Data connections will be plain text

|      vsFTPd 2.3.4 - secure, fast, stable

|_End of status

22/tcp  open ssh         

| ssh-hostkey:

|   10 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)

|_  204 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)

139/tcp open  netbios-ssn?

445/tcp open  microsoft-ds Samba smbd 3.0.20-Debian

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

Device type: WAP|phone

Running: Linux 2.4.X|2.6.X, Sony Ericsson embedded

OS CPE: cpe:/o:linux:linux_kernel:2.4.20 cpe:/o:linux:linux_kernel:2.6.22 cpe:/h:sonyericsson:u8i_vivaz

OS details: Tomato 1.28 (Linux 2.4.20), Tomato firmware (Linux 2.6.22), Sony Ericsson U8i Vivaz mobile phone

Network Distance: 22 hops

Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

 

Host script results:

|_clock-skew: mean: 2h30m21s, deviation: 3h32m10s, median: 19s

| smb-os-discovery:

|   OS: Unix (Samba 3.0.20-Debian)

|   Computer name: lame

|   NetBIOS computer name: 

|   Domain name: hackthebox.gr

|   FQDN: lame.hackthebox.gr

|_  System time: 2020-12-08T01:15:00-05:00

| smb-security-mode:

|   account_used: guest

|   authentication_level: user

|   challenge_response: supported

|_  message_signing: disabled (dangerous, but default)

|_smb2-time: Protocol negotiation failed (SMB2)

 

TRACEROUTE (using port 22/tcp)

HOP RTT      ADDRESS

1   63.62 ms 10.10.14.1

2   ... 21

22  63.94 ms 10.10.10.3

 

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 87.65 seconds
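
The following Python is an added example, not part of the original write-up: it reads nmap normal-format output like the scan above and lists the open ports together with the weak settings the scan's own scripts report (anonymous FTP, SMB guest session, SMB signing disabled). The sample text is reconstructed by hand from lines of the scan above; the name `triage` and the advice strings are this example's own.

```python
import re

# Constructed sample: a few lines of the scan above, cleaned up by hand.
SAMPLE = """\
21/tcp  open  ftp
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh
139/tcp open  netbios-ssn?
445/tcp open  microsoft-ds Samba smbd 3.0.20-Debian
Host script results:
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")

# Script-output patterns the scan reports; the advice wording is this example's.
CHECKS = [
    (re.compile(r"ftp-anon: Anonymous FTP login allowed"),
     "anonymous FTP login is enabled; disable it unless it is required"),
    (re.compile(r"account_used:\s*guest"),
     "SMB accepted a guest session; disable guest access"),
    (re.compile(r"message_signing:\s*disabled"),
     "SMB message signing is disabled; require signing"),
]

def triage(nmap_text):
    """Return (open_ports, findings) from nmap normal-format output."""
    ports, findings, current = [], [], "host"
    for raw in nmap_text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            # Script lines that follow belong to this port until the next one.
            current = f"{m.group(1)}/{m.group(2)}"
            ports.append({"port": current, "service": m.group(3), "version": m.group(4)})
            continue
        if line.startswith("Host script results"):
            current = "host"  # host scripts are not tied to a single port
            continue
        for pattern, advice in CHECKS:
            if pattern.search(line):
                findings.append((current, advice))
    return ports, findings

if __name__ == "__main__":
    ports, findings = triage(SAMPLE)
    print(*ports, *findings, sep="\n")
```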



Exploitation

 


Searching for an exploit for the SMB version the scan reported: smbd 3.0.20-Debian.

Found this exploit: https://www.exploit-db.com/exploits/16320

Let's try running this exploit:







We got a shell, and it is a root shell directly, so no privilege escalation is needed.





 

 


