HackTheBox: Lame - Writeup

  • date_range 20/04/2019 05:30 info

HackTheBox: Lame was a really simple machine which only took a few minutes to get into. This was my first HTB machine i did.

1.1 Enumeration

I first started by doing a port scan of Lame (

nmap -sV -A -Pn -oN lame-scan
Nmap scan report for
Host is up (0.032s latency).
Not shown: 996 filtered ports
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -2d23h56m15s, deviation: 0s, median: -2d23h56m15s
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-04-13T13:00:18-04:00
|_smb2-time: Protocol negotiation failed (SMB2)

Straight away i can see from experience that FTP and SMB are vulnerable. vsftpd 2.3.4 and samba 3.0.20 are vulnerable to command execution.

A quick searchsploit shows a command execution exploit for Samba 3.0.20.

2.1 Exploitation

The exploit is opened and executed in metasploit which is successful.

The exploit gives us root access which means both flags can easily be retrieved without privilege escalation.

3.1 Getting the flags

The flag is easily found by going into the root directory and viewing the flag.