HackTheBox — Lame

ice-wzl
5 min read · Apr 12, 2023

Lame is an easy-level machine on HackTheBox that involves exploiting a vulnerable Samba server to gain initial access, and then exploiting a vulnerable MySQL server to elevate privileges to root. In this write-up, we’ll step through the process of exploiting the machine to retrieve the root.txt flag.

Scanning

As usual, we’ll start by scanning the target IP address (10.10.10.3) to see which ports are open and which services are running on them. We'll use nmap for this:

$ nmap -sC -sV 10.10.10.3
Starting Nmap 7.80 ( https://nmap.org ) at 2023-04-11 12:00 UTC
Nmap scan report for 10.10.10.3
Host is up (0.017s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 2.2.1a
445/tcp open netbios-ssn Samba smbd 2.2.1a
Service Info: OS: Unix

We can see that two ports are open (139 and 445) and both are running Samba (smbd 2.2.1a). We'll focus on this service for our initial exploitation.
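From the defender's side, the same scan output can feed an exposure inventory. The following is an added example, not part of the original write-up: it parses nmap -sV text for open Samba ports and compares each reported release with a baseline. MIN_SAMBA, the second sample host and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: the first entry repeats the scan shown above; the second
# host and its version range are made up to exercise the imprecise-banner path.
SAMPLE_SCAN = """\
Nmap scan report for 10.10.10.3
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 2.2.1a
445/tcp open netbios-ssn Samba smbd 2.2.1a
Nmap scan report for 192.0.2.10
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 8.9
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
"""

MIN_SAMBA = "4.0.0"  # assumption: hypothetical policy baseline, not from the write-up

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+\S+\s+Samba smbd (\S+)")
VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([a-z]?)")


def version_key(text):
    """'2.2.1a' -> ((2, 2, 1), 'a'); None when the banner is not an exact release."""
    m = VERSION_RE.fullmatch(text)
    if not m:
        return None
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))          # pad so '4.0' compares equal to '4.0.0'
    return tuple(nums), m.group(2)


def audit(scan_text, minimum=MIN_SAMBA):
    """Return (host, port, version, status) for every open Samba port."""
    floor = version_key(minimum)
    findings, host = [], None
    for line in scan_text.splitlines():
        if m := HOST_RE.match(line):
            host = m.group(1)
        elif m := PORT_RE.match(line):
            key = version_key(m.group(2))
            if key is None:
                status = "unverified"      # e.g. '3.X': confirm on the host itself
            else:
                status = "below-baseline" if key < floor else "ok"
            findings.append((host, int(m.group(1)), m.group(2), status))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SCAN):
        print(*finding)
```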

Initial Access

We’ll start by using smbclient to connect to the anonymous share on the Samba server:

$ smbclient \\\\10.10.10.3\\anonymous
Enter WORKGROUP\root's password:
smb: \> ls
. D 0 Fri Sep 21 14:49:15 2018
.. D 0 Fri Sep 21…
