Walkthrough: LAME [HTB]
Target Machine Information:
— Host Name: Lame
— IP Address: 10.10.10.3
— OS: Linux
Overview
In this walkthrough, I will show how to follow a step-by-step methodology to own user and root with Metasploit.
Step-1: In the first step we use Nmap to scan the target for open ports, the services running on those ports, and the operating system of the target machine. This is done with the following command:
nmap -sC -sV -O 10.10.10.3
From the Nmap scan these ports and services are active on the machine:
- Port 21: FTP, vsftpd 2.3.4
- Port 22: SSH, OpenSSH 4.7
- Ports 139/445: Samba, smbd 3.X - 4.X
Step-2: Now that we have this information we will find the exploits for each service.
To find an exploit we can either Google for a CVE matching the specific version of the service or use the command “searchsploit”.
Syntax: searchsploit vsftp 2.3.4
Now we run the searchsploit command for each service and its version to find exploits, as shown:
As seen above, we have found exploits for FTP (vsftpd 2.3.4) and Samba 3.0.20.
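Steps 1 and 2 are the same inventory work a defender does for their own hosts, so here is an added example (not part of the original walkthrough) that parses nmap -sC -sV normal output and flags versions on a watchlist. The scan text is constructed to mirror the findings above, and the watchlist holds only the two searchsploit hits from this page; it also shows why the vague smbd banner “3.X - 4.X” has to be refined from the smb-os-discovery script line.

```python
import re
# Constructed sample of `nmap -sC -sV` normal output shaped like the scan
# above (the original page showed its scan output only as a screenshot).
SAMPLE_SCAN = """\
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Host script results:
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
"""

# Watchlist of (product pattern, exact version, why): only this page's two searchsploit hits.
WATCHLIST = [
    (r"vsftpd", "2.3.4", "searchsploit hit for vsftpd 2.3.4"),
    (r"Samba", "3.0.20", "searchsploit hit: 'username map script' command execution"),
]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
VERSION = re.compile(r"\b(\d+\.\d+(?:\.\d+)?)")

def parse_scan(text):
    """Return one record per open port: port, proto, service, product, version."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m or m.group(3) != "open":
            continue
        product = m.group(5).strip()
        v = VERSION.search(product)
        services.append({"port": int(m.group(1)), "proto": m.group(2), "service": m.group(4),
                         "product": product, "version": v.group(1) if v else None})
    # The -sV banner for smbd only says "3.X - 4.X"; the smb-os-discovery
    # script line carries the exact release, so use it to fill the gap.
    smb = re.search(r"\(Samba (\d+\.\d+\.\d+)", text)
    for s in services:
        if smb and "Samba" in s["product"] and s["version"] is None:
            s["version"] = smb.group(1)
    return services

def triage(services):
    """Match parsed services against the watchlist; return (port, product, version, why)."""
    return [(s["port"], s["product"], s["version"], why)
            for s in services for pat, ver, why in WATCHLIST
            if re.search(pat, s["product"]) and s["version"] == ver]

if __name__ == "__main__":
    for port, product, ver, why in triage(parse_scan(SAMPLE_SCAN)):
        print(f"{port}/tcp {product} -> {ver}: {why}")
```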
Step-3: Let’s verify each of the exploits found in the previous step to see whether any of them gives us access to the root user.
Firstly, verify FTP. As we saw in the Nmap output, it allows anonymous login. This means we can log in to the FTP server with the username “anonymous” and an empty password.
As we see, using the above credentials we can access the FTP server, but when we run the ls command we do not find anything useful. Hence accessing the FTP server is of no use to us.
Let’s move to the next service, Samba 3.0.20. In the searchsploit output for Samba we found an exploit named “Username’ map script’ Command Execution (Metasploit)”.
By the name, we know that we can exploit this service using the Metasploit framework.
Let’s start the Metasploit Framework using msfconsole and start with searching for the exploit for samba using the command
msf5> search samba
When we enter the above command we see the output below, and we look for the username map script module.
Once we have found the module “Username map script exploitation”, we select it with the command
msf5> use exploit/multi/samba/usermap_script
After entering the above command and then show options, we see the terminal as below.
In Options we see two things: RHOSTS, which we set to the IP address of the target we want to own, and RPORT, which defaults to 139 because the Samba service we are targeting runs on port 139.
We will set RHOSTS as 10.10.10.3 and run the exploit:
msf5> set RHOSTS 10.10.10.3
msf5> exploit
When we run the exploit command it tries to gain a shell on our target system “10.10.10.3”. After a successful run we get a shell, and when we run the commands below we see that we have a root shell, i.e. we have accessed the root user and can read the root.txt file as proof.
whoami
ls
As we can see, we got the proof file “root.txt”, signifying that we have owned root.
Similarly, we find “user.txt” in the folder “/home/makis” as proof that we have owned the user as well.