Hackthebox: Lame Walkthrough (No Metasploit)

dorian5
3 min read · Sep 26, 2020

Let’s tackle Lame on HackTheBox. This box definitely qualifies as “Easy”, but for those of us with the goal of obtaining our OSCP, we will attempt to root the box without using Metasploit.

First we do our initial nmap scan. The box seems to be having performance issues, so we set retries to 0 to speed up the scan.

We do a deeper scan on the open ports.

Any time anonymous FTP is available we should check it out, but in this case it doesn’t reveal anything helpful. Moving on, tcp/3632 looks interesting, so we can Google “distccd v1 exploits.” The first result is from Rapid7, and if you are new to pentesting I would encourage you to attempt the Metasploit exploit, which will escalate you straight to root. However, we are attempting to root the box without Metasploit, so we modify our Google search to “distccd v1 exploit github,” and we choose the first result:

https://gist.github.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855

We then download and run the script after starting our netcat listener.

And we get a shell! First step is to upgrade our shell.

We are logged on as a low-privilege user. We can get user.

Now we need to escalate privileges to root. Any of our favorite Linux enumeration scripts or a uname -a will reveal that we have an older Linux kernel.

Google “linux kernel 2.6.24-16-server exploit” and choose the first result from exploit-db.com. This version of the Linux kernel should be vulnerable to DirtyCow. Download the exploit, transfer it to the box, and compile it.

Run the compiled code.

At this point, my terminal froze, so I chose the SSH option from a new terminal window.
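Seen from the defender's side, the two weaknesses this walkthrough chains together (an exposed distccd on tcp/3632 and a kernel in the DirtyCow-affected range) can be screened for on the host itself. The POSIX shell audit below is an added example, not code from the original post; it assumes `ss` is available for the listener check, and it treats the kernel version string only as a screening signal, because distribution kernels such as the 2.6.24-16-server build here backport fixes without changing the version number.

```shell
#!/bin/sh
# Added defensive audit (example code, not from the original post).
# Screens a Linux host for the two weaknesses the walkthrough chains.

# Compare two dotted version strings (missing components count as 0);
# prints -1, 0 or 1.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$ai" = "$a" ] && a="" || a="${a#*.}"
        [ "$bi" = "$b" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] && { echo -1; return; }
        [ "$ai" -gt "$bi" ] && { echo 1; return; }
    done
    echo 0
}

# Classify a `uname -r` string against the upstream DirtyCow fixes.
# "possibly-vulnerable" means: check the vendor advisory, a backport may exist.
dirtycow_status() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # "2.6.24-16-server" -> "2.6.24"
    [ "$(vercmp "$v" 2.6.22)" -lt 0 ] && { echo unaffected; return; }
    maj="${v%%.*}"; rest="${v#*.}"; min="${rest%%.*}"
    case "$maj.$min" in
        4.8) fixed=4.8.3 ;;    # upstream stable releases carrying the fix
        4.7) fixed=4.7.9 ;;
        4.4) fixed=4.4.26 ;;
        *)   fixed=4.9 ;;      # everything from 4.9 onward shipped fixed
    esac
    if [ "$(vercmp "$v" "$fixed")" -ge 0 ]; then echo fixed-upstream
    else echo possibly-vulnerable; fi
}

# True when something listens on tcp/3632, distccd's default port.
distcc_exposed() {
    ss -ltn 2>/dev/null | awk '$4 ~ /:3632$/ { found=1 } END { exit !found }'
}

audit_host() {
    k=$(uname -r)
    echo "kernel $k: $(dirtycow_status "$k")"
    if distcc_exposed; then
        echo "tcp/3632 is listening: distccd must not be reachable from untrusted networks"
    fi
}

if [ "$#" -gt 0 ]; then audit_host; fi   # run as: sh audit.sh --run
```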

And we have rooted the box!

Thanks for reading.
