Lame is the first box from HackTheBox in my OSCP preparation series, and I wanted to get off on the right foot with my methodology. After adding the IP address to /etc/hosts as lame.htb, we kick off an AutoRecon scan and let it run. Opening the full nmap scan, we
As you can see, we have a few ports open, and nmap did a good job here of fingerprinting service versions. After adding all of this to my notes, I looked up known exploits for each of the services that were running. Ports 139 and 445, running Samba, looked the most promising, and SMB is typically the first service I go after in any penetration test.
Googling for ‘smb 3.0.20 exploit’ (the version string belongs to Samba, the server speaking SMB) takes you to https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script, a Rapid7 page describing the vulnerability: CVE-2007-2447, a command injection through Samba’s ‘username map script’ option that requires no valid credentials. Rapid7 maintains Metasploit, and that page is the documentation for the module written for this bug.
Once you load Metasploit, follow the directions on the Rapid7 page linked above (select the module, point it at the target, run), and you’ll find yourself as the root user almost immediately: smbd runs as root, so whatever the injected command spawns runs as root too. One caveat for OSCP prep: the exam allows Metasploit against only a single target, so it is worth knowing how to trigger this bug by hand as well.
Of course, we already have root at this point, so it isn’t strictly required, but the best habit is to upgrade the reverse shell to a full interactive TTY (tab completion, a Ctrl-C that doesn’t kill the session, working su and ssh prompts), as shown below.
I hope you enjoyed this walkthrough, and there will be many more to come! OSCP by Thanksgiving is my goal!