“When people are lame they always blame”
About Lame
Lame is a very easy box that is retired. It is on TJ Null’s OSCP prep list.
Machine Info
Lame’s IP is 10.10.10.3. It has three ports open, and interestingly, SMB is what we are looking at here.
Recon
We can use the following link to get the exploit. Let’s fire the exploit against the box. Start netcat.
Intrusion
We got a shell. Now we need to escalate privileges. I used both LinEnum and Linuxprivilegechecker for this box. LinEnum showed me MySQL, which I couldn’t exploit.
CVE-2004-2687
distcc 2.x, as used in XCode 1.5 and others, when not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks.
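A defender-side check for the condition this CVE describes, as an added example that is not part of the original writeup: it classifies distccd command lines (for instance, as collected from a process listing) by whether access is restricted with distccd's --allow / -a option. The function names and the sample command lines are constructed for illustration.

```python
import ipaddress
import shlex


def allowed_networks(cmdline):
    """Return the networks passed to distccd via --allow / -a (both spellings)."""
    args = shlex.split(cmdline)
    nets = []
    for i, arg in enumerate(args):
        if arg in ("--allow", "-a") and i + 1 < len(args):
            value = args[i + 1]
        elif arg.startswith("--allow="):
            value = arg.split("=", 1)[1]
        else:
            continue
        # strict=False accepts host addresses written with a mask
        nets.append(ipaddress.ip_network(value, strict=False))
    return nets


def audit_distccd(cmdline):
    """Classify one distccd command line.

    'unrestricted' : no --allow at all, the state CVE-2004-2687 describes
    'too-broad'    : an --allow that matches every address (prefix length 0)
    'restricted'   : only specific hosts or networks are allowed
    'unparsable'   : an --allow value that is not a valid address or network
    """
    try:
        nets = allowed_networks(cmdline)
    except ValueError:
        return "unparsable"
    if not nets:
        return "unrestricted"
    if any(n.prefixlen == 0 for n in nets):
        return "too-broad"
    return "restricted"


# Constructed sample command lines, not taken from the box.
SAMPLES = [
    "distccd --daemon --user daemon",
    "distccd --daemon --allow 0.0.0.0/0",
    "/usr/bin/distccd --daemon --allow=127.0.0.1 -a 192.168.1.0/24",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{audit_distccd(line):13} {line}")
```

Anything reported as unrestricted or too-broad accepts compilation jobs from any host that can reach the server port.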
Privesc
For privesc we can just use nmap --interactive; an older version of nmap has this sudo permission.