Step 1: preparation
Connect to the VIP HTB VPN
Add an $IP variable to the shell for faster operation
echo $IP
Step 2: enumeration
I first start with a basic nmap scan
This scan returns "Host seems down. If it is really up, but blocking our ping probes, try -Pn"
So I try with the related flag
And it returns that 4 ports are available
Given that, I run a more precise (and longer) scan
I can see that vsFTPd is on version 2.3.4 and Samba is on version 3.0.20.
It should be enough for exploitation.
Step 3: exploitation
Samba 3.0.20
A quick search in msfconsole gives me a result named Samba “username map script” Command Execution.
So I use this module and check which options are available
msf > show options
RHOSTS is empty and required, so I set it
NOTE: LHOST needs to be set to the HTB VPN TUN interface, not your local IP.
And then I launch the exploit
I am now in a reverse shell!
ls
– ftp
– makis
– service
– …
cd makis
ls
– user.txt
cat user.txt
The user flag is done.
For root, I come back to the root of the shell, navigate to the root folder and get the root.txt file.
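From the defender's side, the module used above depends on the non-default smb.conf option "username map script" being set on the server. The following Python check is an added example, not part of the original walkthrough: it parses an smb.conf the way Samba reads it (case and whitespace in parameter names ignored, ";" and "#" comments, "\" line continuations) and reports any active setting of that option. The sample config and the script path in it are constructed.

```python
import re

# Constructed sample config; the script path is a placeholder.
SAMPLE_SMB_CONF = """\
# constructed sample
[global]
   workgroup = WORKGROUP
   ; username map script = /bin/false
   Username  Map Script = /etc/samba/scripts/mapusers.sh \\
       --verbose
   security = user

[tmp]
   path = /tmp
"""

def normalize_key(key):
    """Samba ignores case and all whitespace in parameter names."""
    return re.sub(r"\s+", "", key).lower()

def parse_smb_conf(text):
    """Yield (section, key, value, lineno) for each active parameter."""
    section, pending, start = None, "", 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            if not line or line[0] in "#;":
                continue              # blank line or comment
            start = lineno            # first line of this logical line
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue                  # value continues on the next line
        line, pending = pending + line, ""
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, value = line.split("=", 1)   # only the first '=' counts
            yield section, normalize_key(key), value.strip(), start

def find_username_map_script(text):
    """Return [(section, value, lineno)] for each active 'username map script'."""
    return [(s, v, n) for s, k, v, n in parse_smb_conf(text)
            if k == "usernamemapscript" and v]

if __name__ == "__main__":
    for section, value, lineno in find_username_map_script(SAMPLE_SMB_CONF):
        print(f"line {lineno}: [{section}] username map script = {value}")
```

An empty result means the option is not set in that file; a hit on an old Samba release such as the 3.0.20 seen in the scan is the combination to remove or patch first.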
Step 4: that’s it