Walkthrough: Lame (HTB Retired Box)

Hi All, this is my first blog entry which I decided to share my written walkthroughs related to retired machines on HTB. Frankly speaking, I am in the learning process and end of my development, I would like to look at my progress for checking what I learnt. Additionally, I want to share my knowledge with our peers or who wants to improve themselves.

Let’s start to talk about our first machine. 🙂

Lame is a retired Linux machine that is rated as Easy on Hack the Box. There are many ways to get flags, but I will demonstrate one of the easiest ways.

First of all, we are checking the services and open ports which are available on the target.

nmap -sV -sC -A -oN

The Output is:

From the output, we can see that one of the essential points is port 139, which is open. The port 139 is used for File and Printer Sharing but happens to be the single most dangerous Port on the computer/network environment. This is so because it leaves the hard disk of a user exposed to hackers. Usable information and clue can be found on the NVD by searching “smbd 3.0 shell command”. We will get valuable vulnerability detail (CVE-2007–2447) which can be exploited by using various exploitation tools.

The Output is:

As we mentioned before, one of the important and powerful tools/frameworks is Metasploit. We can search for exploits related to “username map script”.

search name:username map script type:exploit

The Output is:

Now, time to look at the exploit called “usermap_script” in the Metasploit. We are going to look at what kind of options are available in that exploit.

msf5 > use exploit/multi/samba/usermap_script

msf5 exploit( multi/samba/usermap_script) > show options

The output is:

We will set Target Host as, and default port will be the same. Then, using the run command for exploiting the target machine.

msf5 exploit( multi/samba/usermap_script ) > set rhosts

msf5 exploit( multi/samba/usermap_script) > run

The Output is:

Here we are, we can run commands for obtaining the root and user flags. The root.txt locates in the “ root” and user “/home/makis “. We can use the standard Linux command to find a specific file by name or extension.

find “user.txt”

Now, it is your turn to find them. 🙂

See you next time! 🙂