Keep Calm and Hack The Box — Lame

Sonya Moisset
Published in iDevOI
6 min read, May 17, 2020

Hack The Box (HTB) is an online platform that lets you test your penetration testing skills. It contains several challenges that are constantly updated. Some of them simulate real-world scenarios, while others lean more towards a CTF style of challenge.

Note. Only write-ups of retired HTB machines are allowed.

Lame is the first machine published on Hack The Box and is for beginners, requiring only one exploit to obtain root access.

We will use the following tools to pwn the box from a Kali Linux box.

Step 1 — Scanning the network

The first step before exploiting a machine is to do a little bit of scanning and reconnaissance.

This is one of the most important parts, as it determines what you can try to exploit afterwards. It is always better to spend more time on this phase to get as much information as you can.

I will use Nmap (Network Mapper). Nmap is a free and open source utility for network discovery and security auditing. It uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

There are many commands you can use with this tool to scan the network. If you want to learn more about it, you can have a look at the documentation here.

I use the following command to get a basic idea of what we are scanning:

-sV: Probe open ports to determine service/version info

-O: Enable OS detection

-F: Fast mode — Scan fewer ports than the default scan

--version-light: Limit to most likely probes (intensity 2)

10.10.10.3: IP address of the Lame box

You can also use Zenmap, which is the official Nmap Security Scanner GUI. It is a multi-platform, free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users.

I use a different set of options to perform an intense scan:

-A: Enable OS detection, version detection, script scanning, and traceroute

-v: Increase verbosity level

10.10.10.3: IP address of the Lame box

If you find the results a little bit too overwhelming, you can move to the Ports/Hosts tab to only see the open ports.

We can see that there are 4 open ports:

Port 21. File Transfer Protocol (FTP) control (command)

Port 22. Secure Shell (SSH), secure logins, file transfers (scp, sftp) and port forwarding

Port 139. NetBIOS Session Service

Port 445. Microsoft-DS (Directory Services) SMB file sharing
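The write-up reads the open ports off the Zenmap Ports/Hosts tab. As an added example (not part of the original post), here is a small parser for Nmap's grepable output (`-oG`) that lists the open ports and flags any service version on a defender's watchlist, which is how the vsftpd 2.3.4 finding below would surface in an inventory scan. The sample output is constructed: the four ports match the write-up, but the version strings other than `vsftpd 2.3.4` and the filtered 8080 entry are assumed.

```python
from dataclasses import dataclass

# Constructed sample of `nmap -sV -oG -` grepable output for the Lame box.
# Ports match the write-up; versions other than vsftpd 2.3.4 are assumed.
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated as: nmap -sV -F --version-light -oG - 10.10.10.3\n"
    "Host: 10.10.10.3 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, "
    "139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/, "
    "445/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/, "
    "8080/filtered/tcp//http-proxy///\tIgnored State: closed (95)\n"
)

@dataclass(frozen=True)
class OpenPort:
    host: str
    port: int
    proto: str
    service: str
    version: str

# Hypothetical watchlist of service versions to flag for follow-up; the
# vsftpd entry is the finding the write-up gets from searchsploit.
WATCHLIST = {
    "vsftpd 2.3.4": "vsftpd 2.3.4 - Backdoor Command Execution (upgrade/remove)",
}

def parse_gnmap(text: str) -> list[OpenPort]:
    """Return only the open ports from nmap grepable (-oG) output."""
    found = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the tab before "Ignored State".
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            # Layout: port/state/proto/owner/service/rpcinfo/version/
            fields = entry.strip().split("/", 6)
            if len(fields) < 7 or fields[1] != "open":
                continue
            found.append(OpenPort(host, int(fields[0]), fields[2],
                                  fields[4], fields[6].rstrip("/")))
    return found

def flag_watchlist(ports: list[OpenPort]) -> list[tuple[OpenPort, str]]:
    """Pair each open port whose version matches the watchlist with its note."""
    return [(p, note) for p in ports
            for key, note in WATCHLIST.items() if p.version.startswith(key)]

if __name__ == "__main__":
    for port, note in flag_watchlist(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{port.host}:{port.port}/{port.proto} {port.version} -> {note}")
```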

Let's see what we can get with the first port.

Step 2 — The Vulnerable FTP

We will use Searchsploit to check if there's any known vulnerability in vsftpd 2.3.4. Searchsploit is a command-line search tool for the Exploit Database.

I use the following command:

Now that we know that there is a vulnerability — Backdoor Command Execution — let's try to exploit it.

We will use Metasploit. It's a penetration testing framework that makes hacking simple. It's an essential tool for many attackers and defenders.

I launch the Metasploit Framework on Kali and look for the command I should use to launch the exploit.

I use the command to look for all the available payloads.

We can see that there are several different exploits, but the one we're interested in is number 4.

I use the following command for the exploit:

This will launch the exploit. I use this command to display the available options:

You can see that the remote host (RHOSTS) is not yet set. I will set both the remote host and the target, as these two pieces of information are needed to run the exploit.

I use the following command to set the remote host using the IP address of the HTB Lame box:

Then I set the target to 0, as displayed when I checked the options:

We can now run the exploit.

Unfortunately, we can see that even though the exploit completed, no session was created. The vulnerability has been patched, as mentioned here in the description of the exploit:

This module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 according to the most recent information available. This backdoor was removed on July 3rd 2011.

The Exploit Database is a Common Vulnerabilities and Exposures (CVE) compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. The aim is to serve the most comprehensive collection of exploits gathered through direct submissions, mailing lists, as well as other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and proof-of-concepts rather than advisories, making it a valuable resource for those who need actionable data right away.

We need to find another way. Let’s have a look at another port!

I hope you found this helpful. This is part of my "Keep Calm and Hack The Box" series where I explain step-by-step how to pwn HTB boxes.

Please don’t hesitate to comment, ask questions or share with your friends :)

You can see more of my articles here.

You can follow me on Twitter or on LinkedIn.

And don’t forget to #GetSecure, #BeSecure & #StaySecure!
