010#:HTB - Lame

Lame - Title Card

     I’m taking a small detour from TJNull’s OSCP list since the last two rooms I did were a bit soul-crushing at times. I decided to sort all retired machines by System Owns and I will just work through that list for fun. It so happens that the first box on the list is also the first box to ever be featured on the platform!

     Pretty neat. I imagine this will be a fun and quick room to help me reset after those other two (HTB’s ServMon and Support rooms). Let’s check it out with nmap.

     Looks like we are working with FTP, SMB, SSH, and some service on port 3632 that I’m not familiar with. Nmap tells us that anonymous authentication is possible with FTP so let’s start there.

     It’s empty though so we move on to checking SMB. Here we do have some files and folders. Most of this we can’t interact with but we are able to download a file named vgauthsvclog.txt.0.

Lame - SMB 1

     The logs don’t seem that significant at the moment, so I moved on to that odd port from the nmap scan. Nmap says distcc is running on port 3632. I’m not sure what distcc is, so I just started by googling it. I learned that distcc is a distributed C/C++ compiler, but I didn’t find anything particularly helpful. Without much to go on, I decided to check searchsploit despite not having a version number.

Lame - Searchsploit 1

     It says it is a Metasploit module, so we load that up and search for our module. This failed though, so I decided to google distcc vulnerabilities instead.

Lame - msf 2

     I basically just found the same CVE we already tried though. Time to look over what I already have again since I’ve hit a dead end. Nmap shows the version of vsftpd is 2.3.4. Checking that in searchsploit reveals we have a backdoor command execution exploit we can try. There is a Python script available, but I’ve already got Metasploit pulled up so let’s use that.

Lame - msf 3
Lame - msf 4

     Well, that failed too… I decided to check out the Python script after all. I used searchsploit to copy the exploit to my machine and began reading over it. Attempting that exploit fails as well. Moving on, I checked searchsploit for OpenSSH 4.7 vulns. There were a couple of user enumeration scripts I tried that failed. I didn’t see anything else here that seemed like it might work. Moving on again to check searchsploit for Samba 3.0.

Lame - Searchsploit 2

     The exploit “username map script” has a Metasploit module, so I gave that a quick look. To my surprise, this resulted in root! I had only half-skimmed the exploit but I thought it was just going to enumerate user accounts, so that was cool. With that, the room is basically done. We check the home folder to find a few user accounts and our first flag is found under the makis user folder. As expected, the second flag is in the root directory.

Lame - Flags 1 & 2

[CATZ....HACKS]
