HackTheBox — Lame

Trent Darrow
4 min read · Mar 11, 2021

Good afternoon everyone,

Today we will be tackling the HTB machine Lame. This is a relatively easy machine: the first old CVE you find ends up being a rabbit hole, but there is another easy exploit that gets us straight to root.

We can start with a simple nmap on the machine.

nmap -sC -sV 10.10.10.3 -oA lame
...
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.16.114
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h42m21s, deviation: 3h32m10s, median: -47m40s
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2020-11-15T01:18:23-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Right away we can start enumerating the FTP service with the anonymous login. We don't find much of anything in there. From previous machines I do know, however, that there is a Metasploit module for the vsFTPd 2.3.4 backdoor (CVE-2011-2523, the tainted 2.3.4 release).

Now if you follow me, you know I try to avoid MSF where I can, so I learn more but also to prepare for the OSCP, where you are allowed to use it only once, against a single machine.

I was able to find a written explanation of the exploit here. The backdoor is triggered by sending a USER command whose argument contains the string ":)"; on an affected build that opens a bind shell on TCP port 6200. If we follow the commands in that article we still get nothing, and testing with MSF gets nothing either, so it must be patched in some way, and we can move on to enumerate the other services.

For enumerating SMB I will use this article.

So we can begin with smbmap just to see what shares we can access without credentials.

Getting into the tmp share is simple enough with smbclient and a null (anonymous) session, but there is nothing useful to read there either.

If we look back at the version of Samba the machine is running, 3.0.20, we see there is an MSF exploit for it (which does work).

So now we just have to find a non-MSF exploit. Thankfully a simple Google search turned up a standalone Python exploit for the Samba "username map script" command injection (CVE-2007-2447, affecting 3.0.20 through 3.0.25rc3): the username sent in the SMB session setup is passed unescaped to a shell, so a backtick command inside it runs as the smbd user before authentication even happens. I was missing the smb module the script imports, but was able to install it with pip install pysmb after some searching.

(Screenshots: the missing smb module error, then installing pysmb.)

Once we set up the script and the netcat listener, we get a shell straight away as root: the injected command runs with smbd's privileges, so there is no separate privilege escalation step on this box. Note that the bug only fires when smb.conf sets a username map script, which it does here.

From there we can read both user.txt and root.txt.

Hope you enjoyed the machine. I always enjoy getting the exploits to run without MSF as I seem to learn more anyway.

As always, best of luck and enjoy

-3lduderino
