Kapil Verma
3 min readApr 30, 2020


Lame is another easy Box from HackTheBox, based on Linux OS.

This is my third writeup in the series OSCP like Boxes.

This is the manual exploit of a retired box from “HackTheBox”.

Let’s start with our very first step to enumerate open ports using nmap scan.

From above scan we can deduce all the open ports and running services on those ports.

we’ve smb samba share.

Let’s list the shared drive/directories using smb share.

Tool used for smb is smbclient.

If you do further more enumeration, google search and all for smb exploits you will come across this CVE-2007–2447, usermap-scripts exploit.

Now, we got the exploit cloned from Github.

The exploit downloaded will look like below:

Let’s edit run the exploit, but before that we need to setup a netcat listener.

Let’s run the exploit and see if we get the reverse shell using the netcat listener setup to listen on any traffic coming to port 3344.

Now Let’s check the netcat listener for any incoming connection.

Bingo, this usermap _scripts exploit gives us root user directly.

Now traversing through the directories we can capture the user flag and root flag as below:

Cool, It was an easy machine on the format of OSCP, just required running one exploit and no privilege escalation or any enumerations as such.

Thanks for Reading, give me a clap if i was of any help.



Kapil Verma

Security researcher, Blogger, Bug Bounty hunter