HackTheBox - Lame

January 18, 2021
After getting a HackTheBox VIP subscription, one of the first boxes I attempted was “Lame”. This is ranked as an easier system and was a good opportunity to see what the platform had to offer.

Port Scanning

Getting started, I performed an Nmap scan using the -Pn flag, to skip host discovery, and -sV, to enumerate all service versions. This provided multiple findings, including an FTP server on port 21 using vsftpd v2.3.4.
nmap -Pn -sV -T 4 -v

Nmap scan report for
Host is up (0.018s latency).
Not shown: 996 filtered ports
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

vsftpd 2.3.4

From previous CTFs, I knew this version has a known backdoor. I quickly checked the exploit code and saw the service could be exploited by sending a smiley face ":)" as the username value over port 6200. Unfortunately, when attempting to access the port with ncat, the connection timed out, indicating the service was not vulnerable.
ncat 6200

Samba 3.0.20 (Exploitation)

After the first attempt at exploitation, I wanted to learn more about the version of Samba installed as this is another common area of exploitation in CTF style boxes. I went back to Nmap and used the smb-os-discovery NSE script:
nmap -Pn -sT -p 445 -v --script=smb-os-discovery
Nmap scan report for
Host is up (0.017s latency).

445/tcp open  microsoft-ds

Host script results:
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name:
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2021-01-17T21:04:45-05:00
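The two scans above end at the point where the author had to resolve Samba's fuzzy "3.X - 4.X" fingerprint into an exact build. As an added example (not code from the original post), the Python below reads both outputs, takes the exact Samba version from the smb-os-discovery block when the service scan only reports a range, and checks the results against a small hand-written watchlist of the two end-of-life versions named in this writeup. The watchlist contents and the parsing helpers are my own assumptions; a real inventory check would pull versions from a vulnerability feed rather than hard-code them.

```python
import re

# Constructed sample input: the two Nmap outputs from the writeup, embedded inline so
# the script runs offline (the target address was omitted in the original post).
NMAP_SV_OUTPUT = """\
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
"""

SMB_OS_DISCOVERY_OUTPUT = """\
Host script results:
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name:
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2021-01-17T21:04:45-05:00
"""

# Assumed watchlist: (product, exact numeric version) -> why it matters. Only the two
# builds discussed in the writeup are listed here.
WATCHLIST = {
    ("vsftpd", "2.3.4"): "vsftpd 2.3.4 release with a known backdoor; upgrade",
    ("samba", "3.0.20"): "Samba 3.0.20 'username map script' command execution; upgrade",
}

PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>open|closed|filtered)\s+"
    r"(?P<service>\S+)\s*(?P<banner>.*)$"
)
# An exact version looks like 2.3.4 or 4.7p1; Nmap's fuzzy "3.X - 4.X" deliberately does not match.
EXACT_VERSION = re.compile(r"\b(\d+(?:\.\d+)+[A-Za-z0-9]*)")
SAMBA_OS_LINE = re.compile(r"OS:\s*.*\(Samba\s+([^)]+)\)")


def parse_service_lines(text):
    """Return one dict per open-port line of `nmap -sV` output."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m or m.group("state") != "open":
            continue
        banner = m.group("banner").strip()
        product = banner.split()[0].lower() if banner else m.group("service")
        vm = EXACT_VERSION.search(banner)
        services.append({
            "port": int(m.group("port")),
            "service": m.group("service"),
            "product": product,
            "version": vm.group(1) if vm else None,  # None: fingerprint was a range, not a build
        })
    return services


def parse_smb_os_discovery(text):
    """Turn the smb-os-discovery host script block into a dict, with the exact Samba build."""
    info = {}
    for line in text.splitlines():
        body = line.lstrip("|_ ").strip()
        if ":" not in body:
            continue
        key, _, value = body.partition(":")
        info[key.strip().lower()] = value.strip()
    m = SAMBA_OS_LINE.search(text)
    if m:
        info["samba_version"] = m.group(1)  # e.g. "3.0.20-Debian"
    return info


def numeric_version(version):
    """Reduce '3.0.20-Debian' or '4.7p1' to the dotted numeric part the watchlist keys on."""
    m = re.match(r"\d+(?:\.\d+)*", version or "")
    return m.group(0) if m else None


def triage(sv_text, smb_text=None):
    """Match scan results against WATCHLIST.

    Returns (findings, unresolved): findings are (port, product, version, note) tuples;
    unresolved lists ports whose version could only be fingerprinted as a range.
    """
    smb_info = parse_smb_os_discovery(smb_text) if smb_text else {}
    findings, unresolved = [], []
    for svc in parse_service_lines(sv_text):
        version = svc["version"]
        # The follow-up step from the writeup: replace a fuzzy Samba fingerprint with
        # the exact build the server itself reports over SMB.
        if version is None and svc["product"] == "samba":
            version = smb_info.get("samba_version")
        if version is None:
            unresolved.append(svc["port"])
            continue
        key = (svc["product"], numeric_version(version))
        if key in WATCHLIST:
            findings.append((svc["port"], svc["product"], key[1], WATCHLIST[key]))
    return findings, unresolved


if __name__ == "__main__":
    found, pending = triage(NMAP_SV_OUTPUT, SMB_OS_DISCOVERY_OUTPUT)
    for port, product, version, note in found:
        print(f"{port}/tcp {product} {version}: {note}")
    if pending:
        print("needs follow-up (version unresolved):", pending)
```

Run without the SMB block and ports 139 and 445 come back as unresolved rather than as findings, which is exactly the state the first scan left the author in; feeding the smb-os-discovery output in resolves both to Samba 3.0.20.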
I searched for Samba v3.0.20 in Exploit-DB and found a 'Username map script' command execution vulnerability, exploitable with Metasploit. As a left-over habit from my OSCP days, I opted to use a Python exploit instead that required the use of MSFVenom to generate new shellcode for the reverse shell. The changes required are demonstrated in the source code below:

Once the shellcode was modified, I set up a netcat listener and launched the exploit. After just a few seconds a reverse shell was opened as the root user!


Moving into the post-exploitation phase, I spawned a TTY shell to better navigate the system and was able to successfully find both the user.txt and root.txt flags in the following directories:
python -c 'import pty; pty.spawn("/bin/bash")'
root@lame:/# cat /home/makis/user.txt
cat /home/makis/user.txt
root@lame:/# cat /root/root.txt
cat /root/root.txt


The Lame system was a fun "quick-win" and I'm excited to keep hacking in the environment. I plan to use HTB for continued practice and as a stomping ground for new tools. Thanks for reading and stay tuned, hoping to release a lot of new content in 2021 :)