Lame Writeup (HackTheBox Easy Machine)


Overview

Lame is an easy Linux machine from HackTheBox. This box is definitely one of the quickest ones on the platform, but it plays with some big and infamous vulnerabilities.

We start by discovering multiple services running on open ports. We find that vsftpd 2.3.4 is in use, a version known to contain a backdoor. We try the exploit module provided by Metasploit, but it doesn’t work: a firewall is blocking us, as we find out later.

After that, we perform additional enumeration on the machine. Eventually, we notice that SMB is also running vulnerable software, namely Samba 3.0.20. We use Metasploit’s “username map script” exploit to get a shell on the machine as root, and then collect both the user flag and the root flag.


Nmap scan

Starting with an Nmap scan.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -A 10.10.10.3 -T5
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-07 06:58 EDT
Nmap scan report for 10.10.10.3
Host is up (0.052s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.79
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.23 (91%), Arris TG862G/CT cable modem (90%), Dell Integrated Remote Access Controller (iDRAC6) (90%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (90%), Linux 2.4.21 - 2.4.31 (likely embedded) (90%), Linux 2.4.27 (90%), Linux 2.4.7 (90%), Linux 2.6.22 (90%), Linux 2.6.24 (90%), Linux 2.6.8 - 2.6.30 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h00m32s, deviation: 2h49m43s, median: 31s
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2025-04-07T06:59:28-04:00

TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 63.30 ms 10.10.14.1
2 63.35 ms 10.10.10.3

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.13 seconds

The Nmap scan showed 4 open ports: port 21 running FTP (vsftpd 2.3.4), port 22 running SSH (OpenSSH 4.7p1), and ports 139 and 445 running Samba 3.0.20. The script output also notes two weak defaults worth remembering: anonymous FTP login is allowed, and SMB message signing is disabled.


Exploiting FTP backdoor (failed)

Further enumeration was set aside for now, because we could see that FTP was running vsftpd 2.3.4, which contains an infamous backdoor that can give root access. Metasploit has an exploit module for exactly this. I launched msfconsole and prepared my attack.

The malicious actor modified the original vsftpd 2.3.4 source code by adding a small backdoor snippet. This snippet checks if the FTP username contains “:)” (smiley face), and if so, it triggers a malicious payload that spawns a root shell on TCP port 6200. (ChatGPT)

[Screenshot: failed to connect to FTP backdoor]

I used the “unix/ftp/vsftpd_234_backdoor” exploit and set the correct remote host, but got no shell. Maybe this wasn’t the way after all. I had to look elsewhere.
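From the defender’s side, the two facts quoted above (the “:)” in the FTP username and the shell on TCP port 6200) are exactly the signals to alert on. The following is an added example, not code from the write-up: it scans constructed vsftpd-style log lines (the `[pid N] [user] EVENT: Client "ip"` layout is approximated from vsftpd.log) and constructed iptables-style kernel log lines, then correlates a client that sent the trigger with one that knocked on port 6200. All hosts, PIDs and timestamps are made up.

```python
"""Detection logic for the vsftpd 2.3.4 backdoor trigger and its listener port.

Added example for this write-up; the log formats below are constructed
approximations, not captured from the box.
"""
import re

BACKDOOR_TRIGGER = ":)"   # smiley in the FTP username, as described in the write-up
BACKDOOR_PORT = 6200      # port the backdoor shell listens on, as described in the write-up

# Constructed vsftpd-style log lines; the fourth one carries the trigger.
VSFTPD_LOG = """\
Mon Apr  7 06:58:41 2025 [pid 2150] CONNECT: Client "10.10.14.79"
Mon Apr  7 06:58:41 2025 [pid 2149] [anonymous] OK LOGIN: Client "10.10.14.79"
Mon Apr  7 07:01:02 2025 [pid 2201] CONNECT: Client "10.10.14.79"
Mon Apr  7 07:01:02 2025 [pid 2200] [test:)] FAIL LOGIN: Client "10.10.14.79"
Mon Apr  7 07:05:10 2025 [pid 2300] [makis] OK LOGIN: Client "10.10.10.25"
"""

# Constructed iptables LOG lines for a firewall dropping inbound SYNs to 6200.
KERNEL_LOG = """\
Apr  7 07:01:03 lame kernel: [ 812.441] IN=eth0 OUT= SRC=10.10.14.79 DST=10.10.10.3 PROTO=TCP SPT=41422 DPT=6200 SYN
Apr  7 07:01:04 lame kernel: [ 813.442] IN=eth0 OUT= SRC=10.10.14.79 DST=10.10.10.3 PROTO=TCP SPT=41423 DPT=6200 SYN
Apr  7 07:02:00 lame kernel: [ 869.100] IN=eth0 OUT= SRC=10.10.14.79 DST=10.10.10.3 PROTO=TCP SPT=41500 DPT=21 SYN
"""

FTP_USER_RE = re.compile(
    r'\[pid \d+\] \[(?P<user>[^\]]*)\] (?P<event>\w+ LOGIN): Client "(?P<client>[^"]+)"')
KERNEL_RE = re.compile(r'SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP .*?DPT=(?P<dport>\d+)')


def scan_ftp_log(text):
    """Return (client, username) for every login attempt whose username carries the trigger."""
    hits = []
    for line in text.splitlines():
        m = FTP_USER_RE.search(line)
        if m and BACKDOOR_TRIGGER in m.group("user"):
            hits.append((m.group("client"), m.group("user")))
    return hits


def scan_kernel_log(text):
    """Return the source address of every logged connection attempt to the backdoor port."""
    sources = []
    for line in text.splitlines():
        m = KERNEL_RE.search(line)
        if m and int(m.group("dport")) == BACKDOOR_PORT:
            sources.append(m.group("src"))
    return sources


def correlate(ftp_text, kernel_text):
    """Split clients into trigger-only, port-only, and both; 'both' is the strongest signal."""
    triggered = {client for client, _ in scan_ftp_log(ftp_text)}
    knocked = set(scan_kernel_log(kernel_text))
    return {
        "trigger_only": sorted(triggered - knocked),
        "port_only": sorted(knocked - triggered),
        "both": sorted(triggered & knocked),
    }


if __name__ == "__main__":
    for client, user in scan_ftp_log(VSFTPD_LOG):
        print(f"backdoor trigger in FTP username {user!r} from {client}")
    print("correlation:", correlate(VSFTPD_LOG, KERNEL_LOG))
```

Even when the firewall blocks port 6200, as it did on this box, the dropped SYNs in the kernel log together with the trigger in the FTP log tell you the backdoor was triggered and by whom.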


Service enumeration

Next, I checked all the services running on the open ports. I started with FTP, logged in as user “anonymous” and listed the directories.

Nothing useful came back, so I had to look elsewhere.


After that, I checked SMB with “smbclient”.

There were a couple of interesting shares. The “tmp” share had some files in it.

After checking all the files, I found nothing important. I had to be missing something.


Exploiting Samba 3.0.20 “username map script” & getting both the user flag and root flag

I re-checked the Nmap scan and noticed Samba 3.0.20 on the SMB ports. After researching this version, I found another infamous exploit called “username map script”. I booted Metasploit again.

This module exploits a command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default “username map script” configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability since this option is used to map usernames prior to authentication! (Rapid7)

I set the remote host and the listener and launched the exploit. And it worked!
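The Rapid7 description above makes the root cause clear: the problem is the non-default “username map script” option handing an unauthenticated username to a shell. Below is an added example, not from the write-up or from the Samba project, that audits an smb.conf for that option and for the two other weak settings the Nmap scan hinted at (message signing disabled, a guest-accessible share). The two config fragments are constructed; the option names (“username map script”, “server signing”, “map to guest”, “guest ok”, “read only”) are real smb.conf parameters, while the script path is made up.

```python
"""Audit smb.conf fragments for the settings behind the issues in this write-up.

Added example; both configs are constructed for illustration.
"""
import re

# Constructed weak config: the pre-auth username map script, signing off, writable guest share.
WEAK_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba %v)
   security = user
   username map script = /etc/samba/scripts/mapusers.sh
   server signing = disabled

[tmp]
   comment = temporary files
   path = /tmp
   read only = no
   guest ok = yes
"""

# Constructed hardened config: option removed, signing mandatory, no guest access.
HARDENED_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba %v)
   security = user
   server signing = mandatory
   map to guest = Never

[tmp]
   comment = temporary files
   path = /tmp
   read only = yes
   guest ok = no
"""

YES = ("yes", "true", "1")
NO = ("no", "false", "0")


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section name: {normalized parameter: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf[section] = {}
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Samba ignores case and internal whitespace in parameter names.
        conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def audit(text):
    """Return (severity, section, finding) tuples for the weak settings found."""
    conf = parse_smb_conf(text)
    findings = []
    g = conf.get("global", {})
    if "username map script" in g:
        findings.append(("high", "global",
                         "username map script is set; usernames reach a shell before authentication"))
    # Anything other than 'mandatory' lets clients negotiate unsigned SMB sessions.
    if g.get("server signing", "default").lower() != "mandatory":
        findings.append(("medium", "global", "server signing is not mandatory"))
    for name, share in conf.items():
        if name == "global":
            continue
        guest = share.get("guest ok", share.get("public", "no")).lower() in YES
        writable = (share.get("read only", "yes").lower() in NO
                    or share.get("writable", share.get("writeable", "no")).lower() in YES)
        if guest and writable:
            findings.append(("high", name, "share is guest-accessible and writable"))
        elif guest:
            findings.append(("low", name, "share is guest-accessible"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no findings")
```

Removing the option only closes this particular hole; a Samba 3.0.20 install stays unsupported software and the real fix is upgrading it.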

[Screenshot: getting a shell as root with the Samba “username map script” exploit]


I got the shell as root. Nothing was stopping me now from collecting the flags.

root@lame:/home# find . -name user.txt 2>/dev/null
find . -name user.txt 2>/dev/null
./makis/user.txt
root@lame:/home# cd makis
cd makis
root@lame:/home/makis# ls
ls
user.txt
root@lame:/home/makis#
root@lame:/home/makis# cd /root
cd /root
root@lame:/root# ls
ls
Desktop reset_logs.sh root.txt vnc.log
root@lame:/root#


Why didn’t the FTP backdoor work?

When we did our initial Nmap scan, we saw only 4 open ports. But now, running “netstat -tlnp” on the box itself, we see far more listening ports. Interesting.

[Screenshot: “netstat” revealing a bunch of listening ports]

A firewall had probably blocked all of these. I found a write-up by user “0xdf” here: “https://0xdf.gitlab.io/2020/04/07/htb-lame.html#beyond-root---vsftpd”. He goes more in-depth on why the backdoor didn’t work.
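The gap between the Nmap scan at the top and the “netstat -tlnp” listing here is exactly what a defender should reconcile on their own hosts: which listening services are reachable from outside, which only survive because a firewall hides them, and which are bound to localhost. The script below is an added example, not from the write-up. The Nmap port rows are copied from the scan above; the netstat listing is constructed to resemble what the write-up describes, with made-up PIDs and extra services (mysqld, java, exim4) that are not on the page.

```python
"""Reconcile an external Nmap scan against a host's own listening sockets.

Added example for this write-up. NMAP_OUTPUT is the port table from the
scan; NETSTAT_OUTPUT is a constructed 'netstat -tlnp' listing.
"""
import re

NMAP_OUTPUT = """\
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
"""

# Constructed; PIDs and the non-scanned services are illustrative only.
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      4123/vsftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      4311/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      4011/exim4
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      4520/smbd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      4520/smbd
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      4901/mysqld
tcp        0      0 0.0.0.0:8180            0.0.0.0:*               LISTEN      5010/java
"""

NMAP_PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
NETSTAT_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\S+)")


def parse_nmap(text):
    """Return {port: (state, service, version)} for each row of the Nmap port table."""
    found = {}
    for line in text.splitlines():
        m = NMAP_PORT_RE.match(line.strip())
        if m:
            port, _proto, state, service, version = m.groups()
            found[int(port)] = (state, service, version.strip())
    return found


def parse_netstat(text):
    """Return {port: (bind address, pid/program)} for each LISTEN row of netstat -tlnp."""
    listening = {}
    for line in text.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if m:
            addr, port, prog = m.groups()
            listening[int(port)] = (addr, prog)
    return listening


def reconcile(nmap_text, netstat_text):
    """Classify each listening socket by whether the outside scan could reach it."""
    seen = parse_nmap(nmap_text)
    listening = parse_netstat(netstat_text)
    report = {"exposed": {}, "filtered": {}, "local_only": {}}
    for port, (addr, prog) in sorted(listening.items()):
        if port in seen and seen[port][0] == "open":
            report["exposed"][port] = (prog, seen[port][2])      # reachable, with the banner Nmap saw
        elif addr.startswith("127.") or addr == "::1":
            report["local_only"][port] = prog                    # loopback only, not a network exposure
        else:
            report["filtered"][port] = prog                      # bound to all interfaces but blocked upstream
    # Ports the scanner reported that the host does not list deserve a closer look.
    report["unexplained"] = sorted(p for p in seen if p not in listening)
    return report


if __name__ == "__main__":
    for bucket, entries in reconcile(NMAP_OUTPUT, NETSTAT_OUTPUT).items():
        print(f"{bucket}: {entries}")
```

The “filtered” bucket is the interesting one for the defender: those services are one firewall rule change away from being exposed, so they need patching or removal just as much as the four that Nmap could see.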

[Screenshot: snippet of 0xdf’s write-up]


Summary

Lame is an easy machine from HackTheBox, and one of the easiest and quickest on the platform. It is perfect for beginners, because it lets you play with several big vulnerabilities in legacy versions of software like vsftpd and Samba that are still in use today. First, we fail to connect to the backdoor on the FTP server because a firewall blocks it. Next, we exploit the vulnerable Samba version using the Metasploit Framework and get a root shell. For me, this box served as a good training ground to re-practice well-known exploits. It is definitely suitable for complete beginners, maybe even as the first machine you complete on HackTheBox.
