HackTheBox Write-Up — Lame

Lame is an extraordinarily easy box, well suited to anyone looking for an introduction to penetration testing: basic enumeration, SMB exploitation, and Metasploit.

nmap -T4 -p- 10.10.10.3

Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-19 09:27 EDT
Nmap scan report for 10.10.10.3
Host is up (0.056s latency).
Not shown: 65530 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3632/tcp open  distccd
Nmap done: 1 IP address (1 host up) scanned in 147.30 seconds

The scan shows which TCP ports are open. We now take only those ports and run service, version and script detection against them:

nmap -T4 -A -p21,22,139,445,3632 10.10.10.3

Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-19 09:31 EDT
Nmap scan report for 10.10.10.3
Host is up (0.056s latency).
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.2
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|broadband router|general purpose|remote management
Running (JUST GUESSING): Linksys embedded (93%), Linux 2.4.X|2.6.X (92%), Arris embedded (92%), Dell iDRAC 6 (92%), Belkin embedded (90%), D-Link embedded (90%)
OS CPE: cpe:/h:linksys:wrv54g cpe:/o:linux:linux_kernel:2.4 cpe:/o:linux:linux_kernel:2.6 cpe:/o:dell:idrac6_firmware cpe:/o:linux:linux_kernel:2.6.22 cpe:/h:belkin:n300 cpe:/h:dlink:dap-1522
Aggressive OS guesses: Linksys WRV54G WAP (93%), OpenWrt 0.9-7.09 (Linux 2.4.30-2.4.34) (92%), Arris TG562G/CT cable modem (92%), Linux 2.4.21-2.4.31 (likely embedded) (92%), Linux 2.6.8-2.6.30 (92%), Dell iDRAC 6 remote access controller (Linux 2.6) (92%), Linux 2.4.7 (91%), Linux 2.6.23 (91%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (90%), Belkin N300 WAP (Linux 2.6.30) (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 4h04m50s, deviation: 0s, median: 4h04m50s
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-05-19T09:36:56-04:00
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   55.00 ms 10.10.14.1
2   55.11 ms 10.10.10.3

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.33 seconds

Following our own "order of enumeration", SMB is the first service to look at: it has a long history of vulnerabilities.

There are three ways I have been able to find the SMB version of this machine:

1. Nmap
2. enum4linux -a 10.10.10.3
3. Metasploit

Once we are certain of the SMB version, we search Google for known exploits against it. The version to search for is the one reported on port 445, Samba 3.0.20-Debian; the port 139 banner (Samba smbd 3.X - 4.X) is too generic to be useful.
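The enumeration workflow above (full TCP sweep, then a targeted -A scan of only the open ports, then pulling the service versions to search for) can be scripted so that the port list and the search terms are never retyped by hand. The script below is an added example written for this page, not the author's code: it parses nmap's grepable (-oG) output. The scan file is a constructed sample that mirrors the results above, so the script runs offline and never touches 10.10.10.3; the function names (parse_ports, open_ports, targeted_scan_cmd, search_terms) are my own.

```shell
#!/bin/sh
# Added example: parse nmap grepable (-oG) output to chain a full port sweep
# into a targeted service scan and pull version strings for the exploit search.
# The scan file below is a CONSTRUCTED sample mirroring the Lame results in the
# write-up, so nothing here touches 10.10.10.3. Function names are my own.

SAMPLE_GNMAP="${TMPDIR:-/tmp}/lame-sample.$$.gnmap"

# Grepable "Ports:" entries have the form port/state/proto/owner/service/rpc/version/
ENTRIES='21/open/tcp//ftp//vsftpd 2.3.4/, '
ENTRIES="$ENTRIES"'22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, '
ENTRIES="$ENTRIES"'139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/, '
ENTRIES="$ENTRIES"'445/open/tcp//netbios-ssn//Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)/, '
ENTRIES="$ENTRIES"'3632/open/tcp//distccd//distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))/'
{
    printf '# Nmap 7.70 scan initiated as: nmap -T4 -A -p21,22,139,445,3632 -oG lame.gnmap 10.10.10.3\n'
    printf 'Host: 10.10.10.3 ()\tStatus: Up\n'
    printf 'Host: 10.10.10.3 ()\tPorts: %s\tIgnored State: filtered (65530)\n' "$ENTRIES"
    printf '# Nmap done -- 1 IP address (1 host up) scanned in 63.33 seconds\n'
} > "$SAMPLE_GNMAP"

# parse_ports FILE -> one "port|state|proto|service|version" line per port entry
parse_ports() {
    awk '
        /^Host: / && /Ports: / {
            s = $0
            sub(/^.*Ports: /, "", s)               # keep only the port list
            sub(/[ \t]*Ignored State:.*$/, "", s)  # drop the trailing summary
            n = split(s, e, /, /)                  # entries are ", "-separated
            for (j = 1; j <= n; j++) {
                split(e[j], f, "/")                # version field must not contain "/"
                printf "%s|%s|%s|%s|%s\n", f[1], f[2], f[3], f[5], f[7]
            }
        }' "$1"
}

# open_ports FILE -> comma-separated open TCP ports, ready for nmap -p
open_ports() {
    parse_ports "$1" | awk -F'|' '
        $2 == "open" && $3 == "tcp" { out = (out == "") ? $1 : (out "," $1) }
        END { print out }'
}

# targeted_scan_cmd FILE TARGET -> the follow-up version/script scan to run
targeted_scan_cmd() {
    printf 'nmap -T4 -A -p%s %s\n' "$(open_ports "$1")" "$2"
}

# search_terms FILE -> product/version strings with parenthetical qualifiers
# removed, i.e. what you would type into Google or searchsploit
search_terms() {
    parse_ports "$1" | awk -F'|' '
        $2 == "open" && $5 != "" { v = $5; sub(/ \(.*$/, "", v); print v }'
}

# Stand-alone demonstration on the constructed sample
targeted_scan_cmd "$SAMPLE_GNMAP" 10.10.10.3
search_terms "$SAMPLE_GNMAP"
```

On a real engagement the first scan is `nmap -T4 -p- -oG full.gnmap 10.10.10.3` and the second `nmap -T4 -A -p"$(open_ports full.gnmap)" -oG services.gnmap 10.10.10.3`. The search_terms output can be fed to searchsploit (for example `searchsploit samba 3.0.20`) as an offline alternative to Google. Note that the port 139 entry yields only "Samba smbd 3.X - 4.X", which is too generic to search; the exact version comes from the port 445 banner.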

Spoiler alert.

The Metasploit module for this Samba version runs successfully, and the root flag can then be captured at /root/root.txt.

Bradley Fell, @FellSEC
Information Security Professional