(RETIRED) Lame ~ Hack The Box (OSCP)

Brought to you by

Spenge @hackthebox.eu

@SpengeSec on Twitter

Today we’re going for a quick and easy root. I’m starting this series of OSCP-like boxes as preparation on my road towards the OSCP certification.

Start by editing /etc/hosts

As always, we add the box's IP (10.10.10.3) to our hosts file under the (possible) domain name lame.htb.

https://i.imgur.com/YHXL2LQ.png
The entry we add is:
10.10.10.3 lame.htb

NMAP ~ Enumeration

To begin enumerating, I start off with an nmap scan of the target. I have a bash script that automates scanning, which comes in very handy if you’re taking the OSCP exam. In all the write-ups I’ll be using this script.
But an nmap -p- -sT -sV -sC -oN initial-scan lame.htb, plus gobuster and nikto, will be sufficient too.
You can find the script I use here: click

https://i.imgur.com/ZXVzipF.png
Interesting result: Samba 3.0.2. Let’s look into it!
searchsploit samba lists an Unauthenticated Usermap exploit for Samba 3.0.2.
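The two-stage scan workflow described above, as an added example that is not the author's own script: it sweeps all TCP ports, reruns -sV -sC on just the ports found open, and pulls out the Samba service line so its version can be checked against searchsploit. The helper names (open_ports, samba_lines, enumerate) and output file names are my own, and the embedded nmap output is a constructed sample, not a real scan.

```shell
#!/usr/bin/env bash
# Added example, not the author's scan script. Two-stage nmap enumeration:
# sweep every TCP port first, then run -sV -sC only on the ports found open,
# and surface the Samba version string for a searchsploit lookup.
set -eu

# Print the open TCP ports from an nmap -oN file as "22,139,445".
open_ports() {
    awk '/^[0-9]+\/tcp +open/ { split($1, p, "/"); ports = (ports == "" ? p[1] : ports "," p[1]) }
         END { print ports }' "$1"
}

# Print the service lines that mention Samba (empty output if none).
samba_lines() {
    grep -E '^[0-9]+/tcp +open .*Samba' "$1" || true
}

# Full workflow against a host; needs nmap and network access, so it is
# not exercised by the offline sample below. Output file names are assumed.
enumerate() {
    host="$1"; out="${2:-initial-scan}"
    nmap -p- -sT -oN "${out}-ports" "$host"
    ports=$(open_ports "${out}-ports")
    if [ -n "$ports" ]; then
        nmap -p "$ports" -sT -sV -sC -oN "$out" "$host"
        samba_lines "$out"
    fi
}

# Constructed sample of nmap -oN output (not a real scan result), so the
# parsing functions can be tried offline.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# Nmap scan initiated as: nmap -p- -sT -sV -sC -oN initial-scan lame.htb
Nmap scan report for lame.htb (10.10.10.3)
PORT     STATE  SERVICE     VERSION
22/tcp   open   ssh         OpenSSH (constructed sample)
139/tcp  open   netbios-ssn Samba smbd 3.0.2 (constructed sample)
445/tcp  open   netbios-ssn Samba smbd 3.0.2 (constructed sample)
3632/tcp closed distccd
EOF

echo "open ports: $(open_ports "$SAMPLE")"   # prints: open ports: 22,139,445
samba_lines "$SAMPLE"
```

Against a live target you would call enumerate lame.htb instead of the sample block; only the parsing helpers run offline.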

Metasploit ~ Exploitation

We use msfconsole to run the exploit found with searchsploit, which is written specifically for Metasploit (msf).

Begin by typing show options; this lists only the RHOST and RPORT options to be set. We can go ahead and set RHOST to the target IP and leave RPORT at its default, as the service runs on the default port, as shown in our previous nmap results.

https://i.imgur.com/uryexTG.png
We set the target host (RHOST) to 10.10.10.3 and run the exploit.

We are greeted with a shell, and a quick whoami shows us we are root!

Getting the flags

I used the find command to quickly locate the flag files on the system.

https://i.imgur.com/M2ehSLa.png
Finding where the user flag is stored and cat’ing the contents of this file:
https://i.imgur.com/xJq5cf9.png

We run the same find command to locate the root flag file and use cat to display its contents!
