Another Information Security Blog

The “Lame” box was categorized as an easy-intermediate box, so I decided that it would be next on my list.

I found it to be fairly easy, giving it a 2 out of 10 for difficulty.


Intelligence Gathering

Data Given: IP: OS: Linux

I first pinged the host and confirmed that it was up. I then ran the following nmap scan for a general sweep of what ports were open. I do these types of scans to find any low-hanging fruit that may be there. nmap -sS -sC -sV -T4

Okay, so we have a few things that look interesting. The out-of-date vsftpd and Samba services are probably how we want to get in. I looked around online for the Samba version, as I think I had heard of a large exploit for it recently. Luckily, Rapid7 had a module at the top of my search.

The version that it was reporting was “3.0.20”, which matches the version that Rapid7 lists for the “username map script” RCE.



This module does not support checking, so we are going to have to trust that nmap was not lying to us.


Post Exploitation

It wasn't! Unfortunately, this dropped us into a limited shell. Pentest Monkey has a great way to gain a full TTY shell. Since I am comfortable with Python, I used the whereis python command to see if it was installed.

Now that I know it is installed (and I can use it), I run the following command to gain a full TTY shell. python -c 'import pty; pty.spawn("/bin/sh")'

We are already root, so let's grab the flags and move on to the next one.



I did have a trip-up when I was initially trying to hack this box. I went for the vsftpd daemon first, but for some reason couldn't get a shell back. I'm going to attribute the name “lame” to that very reason. I liked this one, but I think in the future I am going to stop relying on Metasploit so much and try to learn to use Python/Ruby scripts to send the exploits.

After taking a break from writing blogs about hacking, I thought I'd jump back into it. This write-up is going to be covering the “Legacy” box from Hack The Box. If you haven't seen or heard about Hack The Box, I highly recommend you try it out.

I chose Legacy as it is a retired box, which means you can do a write-up about it. I will be trying to hack all of the retired boxes and writing about my experiences.

Intelligence Gathering

Data given: IP: OS: Windows

I first pinged the remote host to confirm it was online. I then ran an nmap scan with the parameters below. nmap

Knowing that ports 139 and 445 were open, I ran a more targeted scan to enumerate more about those services. nmap -sC -sV -A -p139,445,3389

This is a much more interesting scan result. It looks to be a Windows XP or 2000 box. I assume the name of the box, “Legacy”, refers to the OS version.
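As an added defender-side example (not code from the original post), here is a small triage script in the spirit of the recon phases of both write-ups: it parses nmap service-detection output saved with -oX and flags the two legacy SMB stacks the posts went on to exploit, Samba 3.0.20 and SMB on Windows XP/2000. The XML sample, addresses and banners below are constructed.

```python
import xml.etree.ElementTree as ET

# Rules drawn from the two write-ups: (product substring, version prefix, reason).
# Kept explicit so the triage output says *why* a service was flagged.
LEGACY_RULES = [
    ("Samba", "3.0.20", "Samba 3.0.20: 'username map script' RCE (Lame write-up)"),
    ("Windows XP", "", "SMB on Windows XP/2000: MS08-067 (Legacy write-up)"),
]

# Constructed sample in nmap -oX shape (addresses and banners are made up).
SAMPLE_XML = """<nmaprun>
<host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd"/></port>
<port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn" product="Samba smbd" version="3.0.20-Debian"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="netbios-ssn" product="Samba smbd" version="3.0.20-Debian"/></port>
</ports></host>
<host><address addr="10.0.0.6" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="3389"><state state="closed"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Microsoft Windows XP microsoft-ds" ostype="Windows XP"/></port>
</ports></host>
</nmaprun>"""

def parse_open_services(nmap_xml):
    """One record per open port, pulling the -sV service fields nmap emits."""
    found = []
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports carry no banner worth triaging
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            found.append({
                "host": addr, "port": int(port.get("portid")),
                "product": attrs.get("product", ""),
                "version": attrs.get("version", ""),
                "ostype": attrs.get("ostype", ""),
            })
    return found

def flag_legacy(services):
    """Match each open service against LEGACY_RULES; return (host, port, reason) tuples."""
    findings = []
    for s in services:
        haystack = s["product"] + " " + s["ostype"]
        for product, ver_prefix, reason in LEGACY_RULES:
            if product in haystack and s["version"].startswith(ver_prefix):
                findings.append((s["host"], s["port"], reason))
    return findings
```

Services with no matching rule (the vsftpd port in the sample, which nmap reported without a version) are left unflagged rather than guessed at.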


Vulnerability Analysis

I did a quick search with searchsploit for “Windows 2000” and noticed this result.



I fired up Metasploit and loaded the module for MS08-067.

I set the target to the remote host and, to verify that it was actually vulnerable, I used the “check” command in Metasploit.

Sweet! Let's exploit now! Awesome, it worked!


Post Exploitation

The next goal is to get the flags for both the user and root (Administrator in this case). Both flags are on each user's desktop. To do this, I'll drop into a shell session on the host. I need to see if I can get the flags without having to do any sort of privesc.

I was able to grab the user flag without having to do any sort of privesc. Now, let's try the same thing for the Administrator account. Alright! That wasn't bad at all. On to the next one!



This was a very easy lab that had us use MS08-067 on a Windows XP computer. I didn't use any outside resources on this one besides searchsploit, which can be found here. Looking forward to the next one!