HackTheBox — Lame

ice-wzl · 5 min read · Apr 12

Lame is an easy-level machine on HackTheBox that involves exploiting a vulnerable Samba server to gain initial access, and then exploiting a vulnerable MySQL server to elevate privileges to root. In this write-up, we’ll step through the process of exploiting the machine to retrieve the root.txt flag.

Scanning

As usual, we’ll start by scanning the target IP address (10.10.10.3) to see which ports are open and which services are running on them. We'll use nmap for this:

$ nmap -sC -sV 10.10.10.3
Starting Nmap 7.80 ( https://nmap.org ) at 2023-04-11 12:00 UTC
Nmap scan report for 10.10.10.3
Host is up (0.017s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 2.2.1a
445/tcp open netbios-ssn Samba smbd 2.2.1a
Service Info: OS: Unix

We can see that two ports are open (139 and 445) and both are running Samba (smbd 2.2.1a). We'll focus on this service for our initial exploitation.
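As an added example (not part of the original write-up), the following script parses the nmap normal-format output shown above and flags any open port whose Samba banner is older than an audit baseline. The scan text is embedded as a constructed sample so it runs offline, and the baseline of 3.0.0 is an assumption for illustration, not a value from the post.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample input: the nmap -sC -sV output quoted above, embedded so the
# script runs offline (assumption: normal-format output, not -oX or -oG).
NMAP_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2023-04-11 12:00 UTC
Nmap scan report for 10.10.10.3
Host is up (0.017s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 2.2.1a
445/tcp open netbios-ssn Samba smbd 2.2.1a
Service Info: OS: Unix
"""


class PortEntry(NamedTuple):
    port: int
    proto: str
    state: str
    service: str
    version: str


# One service line: "<port>/<proto> <state> <service> [<version ...>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SAMBA_VERSION = re.compile(r"Samba smbd (\d+)\.(\d+)\.(\d+)")


def parse_nmap(text: str) -> list:
    """Extract the per-port lines of nmap's normal output; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = PORT_LINE.match(raw.strip())
        if m:
            port, proto, state, service, version = m.groups()
            entries.append(PortEntry(int(port), proto, state, service, version.strip()))
    return entries


def samba_version(version: str) -> Optional[tuple]:
    """Return (major, minor, patch) from a 'Samba smbd X.Y.Z' banner, or None."""
    m = SAMBA_VERSION.search(version)
    return tuple(int(g) for g in m.groups()) if m else None


def legacy_samba_ports(entries, baseline=(3, 0, 0)) -> list:
    """Ports exposing an open Samba service whose banner is older than `baseline`.

    The baseline is an assumed audit threshold for this example, not a value from
    the write-up; substitute your own policy's minimum supported release.
    """
    flagged = []
    for e in entries:
        ver = samba_version(e.version)
        if e.state == "open" and ver is not None and ver < baseline:
            flagged.append(e.port)
    return flagged


if __name__ == "__main__":
    found = parse_nmap(NMAP_OUTPUT)
    for e in found:
        print(f"{e.port}/{e.proto} {e.state} {e.service} {e.version}")
    print("legacy Samba on ports:", legacy_samba_ports(found))
```

Run against the scan above it reports both 139 and 445, which is the signal a defender wants from an internal sweep: an SMB service advertising a release far behind the supported line, regardless of which specific weakness applies.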

Initial Access

We’ll start by using smbclient to connect to the anonymous share on the Samba server:

$ smbclient \\\\10.10.10.3\\anonymous
Enter WORKGROUP\root's password:
smb: \> ls
. D 0 Fri Sep 21 14:49:15 2018
.. D 0 Fri Sep 21 13:30:25 2018
opt D 0 Fri Sep 21 14:11:59 2018
smb.conf N 2118 Fri Sep 21 13:31:32 2018
50097 blocks of size 2097152. 28404 blocks available
smb: \> get smb.conf
getting file \smb.conf of size 2118 as smb.conf (2.1 KiloBytes/sec) (average 2.1 KiloBytes/sec)

We’re able to successfully connect to the anonymous share without providing any credentials. We can see that there are three directories (., .., and opt) and one file (smb.conf) in the share. We'll download the smb.conf file to see if it contains any useful information.

The file contains the following lines:

[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = LAME
security = user
map to guest = bad user
guest account = nobody

[anonymous]
guest ok = yes
guest only = yes
read list = nobody
write list = nobody
create mask = 0777
directory mask =…
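The [anonymous] share above is what lets an unauthenticated client read the share and pull smb.conf. As an added example, not part of the original write-up, this script loads a Samba configuration and reports the settings that make a share reachable and writable without credentials: guest access, the guest account on the write list, and a world-writable create mask. The weak configuration is the one listed above, embedded as a constructed sample (the listing is cut off at "directory mask =", so that line is omitted rather than guessed); the hardened counterpart is an assumed fix written for this example.

```python
import configparser
import re

# Constructed sample input: the smb.conf listed above. The write-up's listing is
# cut off at "directory mask =", so that line is left out here rather than guessed.
WEAK_CONF = """\
[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = LAME
security = user
map to guest = bad user
guest account = nobody

[anonymous]
guest ok = yes
guest only = yes
read list = nobody
write list = nobody
create mask = 0777
"""

# Assumed hardened counterpart (not from the write-up): no guest access, no
# guest user on the write list, and a create mask that is not world-writable.
HARDENED_CONF = """\
[global]
workgroup = WORKGROUP
security = user
map to guest = never
guest account = nobody

[anonymous]
guest ok = no
read list = nobody
write list =
create mask = 0664
"""


def load_smb_conf(text: str) -> configparser.ConfigParser:
    # smb.conf is INI-like; interpolation is disabled so "%v" style macros parse.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def is_yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def name_list(value: str) -> list:
    # Samba lists may be separated by commas or whitespace.
    return [w for w in re.split(r"[,\s]+", value) if w]


def audit_shares(cp: configparser.ConfigParser) -> dict:
    """Map each non-global share name to the list of risky settings found in it."""
    guest_user = cp.get("global", "guest account", fallback="nobody")
    findings = {}
    for share in cp.sections():
        if share == "global":
            continue
        s = cp[share]
        issues = []
        if is_yes(s.get("guest ok", "no")):
            issues.append("guest ok = yes: unauthenticated access")
        if guest_user in name_list(s.get("write list", "")):
            issues.append(f"guest account '{guest_user}' on write list: unauthenticated writes")
        mask = s.get("create mask")
        if mask is not None and int(mask, 8) & 0o002:
            issues.append(f"create mask {mask}: new files world-writable")
        if issues:
            findings[share] = issues
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_shares(load_smb_conf(conf)))
```

On the configuration from the share the audit returns three findings for [anonymous] and none for the hardened version. Note that read list and write list only narrow access among users Samba already accepts; with guest ok = yes and the guest account named on the write list, "nobody" is exactly the identity an anonymous client gets, so the list does not restrict anything.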