Mar 14, 2021

3 min read

Hack The Box: Lame Walkthrough without Metasploit

hack the box LAME

Lame is a retired Linux machine that is hosted on Hack the Box. This walk through explains the exploitation without using Metasploit.

Machine: Lame
OS: Linux

A simple bash script that uses Nmap to enumerate the host.

Nmap Results

21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X — 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4–1ubuntu4))

Two useful services with their versions, to consider first → ftp and smb

One thing to note from “Nmap Results” for ftp service is:

|_ftp-anon: Anonymous FTP login allowed (FTP code 230)

Let’s try and find for something more in ftp.

One last thing to check is Nmap Scripts for ftp.

Nothing seems to fit here.

Let’s try for SMB

One point to consider is the Sharename “tmp”.

But first lets check some Nmap scripts for smb.

Let’s try vuln scripts for smb.

oops! Nothing useful.

Lets try and connect to sharenames.

Nothing Useful :(

but, No need to loose hope.

Let’s find if the versions of the available services are vulnerable.

ftp vsftpd 2.3.4
Samba smbd 3.0.20-Debian

Here we get the Metasploit exploit for Samba 3.0.20 < 3.0.25rc3 — ‘Username’ map script’ Command Execution (Metasploit)

→ Let’s try to find what CVE is the exploit we found, so that we can search it on Internet.

→ Lets see if the given path /exploits/unix/remote/16320.rb contains the CVE number

Lets search for CVE 2007–2447 exploit

Clone and Follow the steps.

Start nc Listener on one tab.

Fire the Python Script on another.

Go back to the listener , should get access.

Go to root directory to find the flag.

This is my first step towards glory.

Henceforth, will be covering all Hack The Box OSCP-like VMs without Metasploit.