HackTheBox write-up: Lame

Raspoutine
Oct 23, 2021

This is a pretty straightforward box. As with most boxes, we start by scanning the machine's ports with nmap and enumerating the versions of the active services with the -sV flag.

FTP on port 21 is open, and nmap gives us a hint that anonymous login is allowed. Unfortunately, that doesn’t lead anywhere. Let’s try SMB and see if we can access any shares.

The share named “tmp” has read and write permissions. Trying to mount the share gives a version error, and adding vers=1.0 doesn’t seem to do the trick. Let’s see whether there is a known vulnerability for this version of smbd instead.

A quick search shows us that version 3.0.20 of smbd is vulnerable, and Metasploit already has a module available for it. Let’s use that …

Set the options accordingly (LHOST, RHOST, etc.) and then run or exploit.

And BOOM! We get a shell with both the user and root flags for the taking, no privesc necessary.
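
From the defender's side, the two scan findings this write-up relied on (anonymous FTP and Samba 3.0.20) can be flagged automatically from nmap's XML output. This is an added example, not part of the original write-up: it assumes the scan was saved with -oX and included the ftp-anon and smb-os-discovery scripts, and the sample XML and the names `audit` and `FLAGGED_SAMBA` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, trimmed sample of nmap XML output (not taken from the original post).
SAMPLE_XML = """<nmaprun><host>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
    <port protocol="tcp" portid="21"><state state="open"/>
      <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/>
    </port>
    <port protocol="tcp" portid="445"><state state="open"/>
      <service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X"/>
    </port>
  </ports>
  <hostscript>
    <script id="smb-os-discovery" output="OS: Unix (Samba 3.0.20-Debian)"/>
  </hostscript>
</host></nmaprun>"""

# Versions to flag; 3.0.20 is the one this write-up found to be vulnerable.
FLAGGED_SAMBA = {"3.0.20"}

def audit(xml_text):
    """Return sorted (address, finding) pairs for the exposures named in the write-up."""
    findings = set()
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # ignore script output attached to closed/filtered ports
            for script in port.iter("script"):
                if script.get("id") == "ftp-anon" and "login allowed" in script.get("output", ""):
                    findings.add((addr, f"anonymous FTP on port {port.get('portid')}"))
        # The exact Samba build usually shows up in script output, not the -sV banner.
        for script in host.iter("script"):
            for ver in re.findall(r"Samba (\d+\.\d+\.\d+)", script.get("output", "")):
                if ver in FLAGGED_SAMBA:
                    findings.add((addr, f"Samba {ver} is on the flagged list"))
    return sorted(findings)

if __name__ == "__main__":
    for addr, finding in audit(SAMPLE_XML):
        print(addr, finding)
```
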
