HackTheBox Writeup — Lame

Hello Guys , I am Faisal Husaini. My username on HTB is “faisalelino” .

Since I got VIP Connection few days ago , I am going to solve as many retired boxes as possible and create writeups for each one of them. I hope you enjoy them and dont boast me for it :)

The IP of this box is 10.10.10.3

We see that 4 ports are open , Port 21 running FTP Service version vsfTPD 2.3.4, Port 22 running OpenSSH, Port 139 and Port 445 Samba smbd service

There is a famous exploit for this version of vsftpd on metasploit , we can confirm that by just using the searchsploit query

As we can see that there is a Backdoor Command Execution exploit in Metasploit for this , so we launch metasploit and search for this

We can see that the exploit is located at unix/ftp/vsftpd_234_backdoor

So we now move on to check the options we got to set

We set our RHOST and then ran the exploit command , but it didnt worked as planned… Hmmm!!! Let’s try exploiting this manually

We logged in to FTP and provided our username followed by a smiley “:)” which triggers the backdoor running on vsftpd and provide any password

We then tried to connect through Netcat on Port 6200 to access the backdoor shell , but this seems to not work as shown in above picture.

From the NMAP Scan , we saw that Samba smbd services were running on Port 139 and 445 , let’s try to search for exploits in searchsploit

We see that there are huge loads of exploits which are accessible through Metasploit too , so we move onto using the famous Usermap script Code Execution

We spawn our msfconsole again and use the multi/samba/usermap_script

Looking to the options , we just have to specify our RHOST

All set done and we are ready to exploit using exploit command

Ok , this time this exploit worked and we got command shell executed , so we ran id and whoami command and saw we directly got root access without having a tension to privelege escalation , lame , ain’t it?

Since our shell isnt looking perfect , so we spawn a tty using python

Here we have our TTY and we are ready to get the flags , the user flags as we know as usually located under the home folder of the user as user.txt

The Root Flags are located under /root/root.txt

So here we completed the box , and this was the easiest and first ever box in HTB as per my guess , I hope to complete more and more retired boxes before my VIP Connection gets expired

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover