# Lame Walkthrough

Hello everyone! We have a new challenge from [HackTheBox](https://www.hackthebox.eu/), “Lame”. Before we get started, let’s see the machine’s info:

<figure><img src="https://cdn-images-1.medium.com/max/800/1*eQYGfdsMXUdhThjOkfMPyA.png" alt=""><figcaption></figcaption></figure>

It’s an easy Linux machine, and I think it’s the easiest machine on HTB, so it’s very good for beginners :) Let’s get started…

### **Nmap scan**

In this step we need some information about our target, such as open ports, OS version and service versions, so we will use `nmap` to perform this task:

```
nmap -sV -O -T4 -oG lame.gnmap 10.10.10.3
```

* `-sV` → service version
* `-O` → OS detection
* `-T4` → increase the speed
* `-oG` → get the output in gnmap format (we will know later why we need this format)

> You can use `-A` instead of `-sV` and `-O`

The results:

```
Nmap scan report for 10.10.10.3
Host is up (0.15s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
```

From these results, note the following:

1. `Anonymous FTP login allowed (FTP code 230)` means that anyone can log in to the FTP server without credentials and then upload, delete, etc.
2. The `vsftpd` and `smb` services are vulnerable, so we will work on them.
3. We don’t have the `smb` version, so we will work on that as well.
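The same triage can be scripted against the grepable file saved with `-oG`. The following is an added example, not part of the original walkthrough: it parses grepable output, flags the versions this page names, and marks services whose version is not pinned down. The sample scan line, the `FLAGGED` list and the function names are constructed for illustration.

```python
import re

# (product, version) pairs this walkthrough names; extend from your own advisories.
FLAGGED = (("vsftpd", "2.3.4"), ("samba", "3.0.20"))

# Constructed sample in nmap's grepable (-oG) layout; not real scan output.
SAMPLE = (
    "# Nmap scan (constructed sample)\n"
    "Host: 10.10.10.3 ()\tStatus: Up\n"
    "Host: 10.10.10.3 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 4.7p1/, "
    "445/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/\t"
    "Ignored State: filtered (996)\n"
)

def parse_gnmap(text):
    """Yield (host, port, proto, service, version) for every open port."""
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip comment lines
        host = line.split()[1]
        for field in line.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                # Entry layout: port/state/proto/owner/service/rpcinfo/version/
                parts = entry.strip().split("/")
                if len(parts) >= 7 and parts[1] == "open":
                    yield host, int(parts[0]), parts[2], parts[4], parts[6]

def triage(text):
    """Label each open service: flagged, unpinned (no exact version), not listed."""
    report = []
    for host, port, _proto, service, version in parse_gnmap(text):
        tokens = version.lower().split()
        if any(p in tokens and v in tokens for p, v in FLAGGED):
            status = "flagged"
        elif not tokens or re.search(r"\d\.x\b", version.lower()):
            status = "unpinned"  # needs a follow-up version check
        else:
            status = "not listed"  # not in FLAGGED; says nothing about safety
        report.append((host, port, service, version, status))
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row, sep="\t")
```

Grepable output does not carry NSE script results such as `ftp-anon`, so that finding still has to be read from the normal output.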

Let’s get started…

### **Getting SMB version**

From `metasploit` we can get the `smb` version by searching for `smb_version` (`search smb_version`) and using the auxiliary module that reports the version. Run `show options` to see the options, set `RHOST` to `<machine-ip>`, and finally `run`. It will give us the result `samba 3.0.20`.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*WaU_FHQjH3SKA6GCs2Kg2w.png" alt=""><figcaption></figcaption></figure>

### **Gaining access**

Now that we know the `smb` version, we search for an exploit for it with **Google**. I’ve found this [CVE](https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script/), which we will try; you can also use `searchsploit` to search for exploits. Either way, we will use `exploit/multi/samba/usermap_script` and set `RHOSTS` and `LHOST`.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*QCnrLUrwKFj3nmZw6XI5aw.png" alt=""><figcaption></figcaption></figure>

and then `run`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*D5rsd2ru39lDlaze_FWXPA.png" alt=""><figcaption></figcaption></figure>

As you can see, you get access to the machine; type `help` to see more options and commands. I’ll type `shell` to open a shell and start searching for `user.txt` and `root.txt`. As you can see, the user flag is in `home/makis` and the root flag is in `/root`.

![](https://miro.medium.com/max/250/1*WDw4ByZCvrf2jwt_8f5bnA.png)

Try to find the root with the same privileges.


**Congratulations** ❤ Now you have the flags

Stay in touch :)

[LinkedIn](https://www.linkedin.com/in/eslam-akl-6b998614a/) | [GitHub](https://github.com/eslam3kl) | [Twitter](https://twitter.com/eslam3kll)
