[Hack The Box] Lame Write-up

I feel wonderful after solving this box with some hints from a good friend (MinhTrietPT) because my method is difference than in the official write-up from Hack The Box. I have to say that I was stuck with this box for 2 weeks. Yeah, now you you know how I'm feeling. As someone say: "enjoy the journey, not the destination." This is very true for me.

So. let's get started! First, we use nmap to scan the target:

I felt that I need to dig deeper into the port 3632, keep using nmap:

Hmm, we have CVE-2004-2687. After googling, we should know which exploit we can use:

Wow, we have the shell, but...but... with the daemon user, we cannot read the flag files. We have to learn about Linux Privilege Escalation here. Using this command for enumeration: "find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null", what we can find:

Do you see nmap? Do you see what permission of nmap? Let use this command to run nmap: "nmap --interactive" and then "!sh"

We are root now! We're done!

Preference:

1. https://pentestlab.blog/category/privilege-escalation/

P/S: on the official write-up, they use a samba exploit ;)

Comments

[Metasploitable 2] Method #3: Bind Shell Backdoor

Hi friends, This post will be short because the vulnerability is very clear and straightforward. As you may know, on my 2nd post on Metasploitable 2 hacking , I used Nessus to confirm the vulnerability found by Nmap. The scan results from Nessus are very interesting! So let's just start by looking at the first one: Bind Shell Backdoor Detection. The detail of this vulnerability says very clear that the Metasploitable 2 machine's shell is listening on port 1524. So let's try to use netcat to connect to port 1524. That's easy, right? We also can see the connection from Kali to Metasploitable 2 on port 1524. Let's move to another way.

[Metasploitable 2] Method #1: Meet My Old Friend distccd v1

Hi friends, I would like to share with you how I hack Metasploitable 2 by utilize the distccd v1 vulnerability. These are many bugs in Metasploitable 2 that can help you to hack it. Why I choose distccd? After using NMAP to scan for open ports on Metasploitable 2, I think I might meet an old friend again. I faced up to distccd when playing with Hack The Box's Lame (you can read my write-up on box Lame here ). So, I guess I could use the same technique to hack Metasploitable 2 for the first time. Let's start! Using NMAP to scan for vulnerability on port 3632 : nmap --script vuln -p3632 192.168.32.129 We got CVE-2004-2687 ! Fire up Metasploit to search for the appropriate module or you can just use Google: msf > search type:exploit name:distcc We know what module we have to use and then we can get in the box with the daemon user. How to become root? We have to find a way to escalate our privilege. Let's take a look on this article to know how ...

[Metasploitable 2] Method #2: Thank to Somebody's Backdoor on vsFTPd 2.3.4

Hi friends, Today, I would like to share another way to hack Metasploitable 2. You might want to checkout my other posts on Metasploitable 2 here . So let's start! Using Nmap NSE to see if there is any vulnerability on port 21: nmap --script vuln 10.0.2.5 -p21 and I found vsFTPd version 2.3.4 backdoor. For a studying purpose, I want to use Nessus on Kali to confirm the above vulnerability, but couldn't find it. Hmmm, maybe I need to change some parameters on my Nessus scan! However, the results from Nessus are very interesting, and I can use them for future works! Let's use Metasploit to find the correct exploit and make this shit done :) We can confirm a connection from Kali to Metasploitable 2 by a netstat command. Happy hacking!

Sifting bit by bit

Search This Blog