HTB: Walkthrough without Metasploit. ~ [LAME]

Akash Pawar
4 min readApr 1, 2020

--

Hello All, this is a great time to start with OSCP preparation with the latest Hackthebox -OSCP like VM’s.

The first box which we are going to solve is — Lame so let's start with basics.

machine IP:- 10.10.10.3

  1. Scanning and Enumeration:-

doing a basic port scan with Nmap with -following options where -sC uses default script and -sV will do a version detection for our target and here we get the below result.

A ) FTP

first, we will check FTP server — on port 21 which is vsftpd 2.3.4 and try to connect it on the browser, we can see there is nothing in this ftp server.

another thing we can do is log in with Anonymous login credentials for ftp

username — anonymous, Password- anonymous and upload anything.

here we failed to upload into the box because the FTP server is having no file or directory available and even if we upload anything we can not upload it due to no privileges.

let's try another way to search on google for the exploit of vsftpd 2.3.4, here we are not going to use Metasploit, so we will use the public exploit.

let's download the exploit using the following exploit using wget command.

root@kali:~/hackthebox/01-Lame# wget https://raw.githubusercontent.com/In2econd/vsftpd-2.3.4-exploit/master/vsftpd_234_exploit.py

let's use the exploit.

here we can see the exploit is not working and failed to connect the backdoor, because we are not having privileges and hence it is blocking us to access it.

B) SSH

let's move to another port i.e. SSH at port 22. and check for any vulnerability in OpenSSH 4.7p1 on google and check for the CVE for this version of SSH.

checking the CVE for the current version of SSH we no critical vulnerability which can give access to the server.

C) SMB

finally we have only Samba ports to test for so let's try to check with SMBmap.

2. Getting initial access and exploitation -

using searchsploit in kali Linux search for an exploit for samba 3.x — 4.x

here we get the Metasploit exploit for Samba 3.0.20 < 3.0.25rc3 — ‘Username’ map script’ Command Execution (Metasploit)

but our goal is to exploit without Metasploit for first let us try to search for CVE for this exploit.

here we get the CVE for this to exploit now google for the CVE-2007–2447

All very well steps are given for this exploit so lets clone and use the following exploit

let's run the exploit and get access.

here we got the access to the box with highest privileges to access so simply go and search for flags if you want to make the shell look more interactive fire below command

python -c ‘import pty; pty.spawn(“/bin/sh”)’

we got root flag, similarly, you can find the user flag.

I will be covering all Hack The Box OSCP-like VMs to solve without Metasploit.

--

--