Lame is a Linux box at 10.10.10.3 with an easy rating.

Starting with enumeration, we find some interesting services:

[email protected]:/home/HTB/Lame# nmap -sV --script=default,vuln -p- -oA Lame -O 10.10.10.3
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-02 15:23 EST
Nmap scan report for 10.10.10.3
Host is up (0.32s latency).
Not shown: 65530 filtered ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.13
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_sslv2-drown: 
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
| distcc-cve2004-2687: 
|   VULNERABLE:
|   distcc Daemon Command Execution
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2004-2687
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|       Allows executing of arbitrary commands on systems running distccd 3.1 and
|       earlier. The vulnerability is the consequence of weak service configuration.
|       
|     Disclosure date: 2002-02-01
|     Extra information:
|       
|     uid=1(daemon) gid=1(daemon) groups=1(daemon)
|   
|     References:
|       http://http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2687
|       http://distcc.googlecode.com/svn/trunk/doc/web/security.html
|       http://http://www.osvdb.org/13378
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (90%), Crestron XPanel control system (90%), Linux 2.4.18 (90%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (89%), Asus RT-AC66U router (Linux 2.6) (89%), Asus RT-N10 router or AXIS 211A Network Camera (Linux 2.6) (89%), Asus RT-N16 WAP (Linux 2.6) (89%), Asus RT-N66U WAP (Linux 2.6) (89%), Tomato 1.28 (Linux 2.6.22) (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -8h43m23s, deviation: 0s, median: -8h43m23s
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-03-02T01:57:12-05:00
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
|_smb2-time: Protocol negotiation failed (SMB2)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1066.46 seconds
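
To triage a scan like the one above without reading it by eye, the following added example (not part of the original write-up) parses nmap's normal output into per-port records, collecting NSE scripts that reported "State: VULNERABLE" with their CVE ids. The names triage and WATCHLIST are assumptions; the single watchlist entry is the Samba 3.0.20 reference this write-up cites.

```python
import re

# Constructed sample: a trimmed copy of the scan output shown above.
SAMPLE = """\
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
| distcc-cve2004-2687:
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2004-2687
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
Host script results:
|_smb-vuln-ms10-054: false
"""

# Analyst watchlist (assumption): banner substring -> advisory URL. The one
# entry is the Samba 3.0.20 reference given in this write-up.
WATCHLIST = {"Samba smbd 3.0.20": "https://www.exploit-db.com/exploits/16320"}

PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|[ _]([\w-]+):")   # first line of an NSE script block
CVE_RE = re.compile(r"CVE-\d{4}-\d+")

def triage(nmap_text, watchlist=WATCHLIST):
    """Per open port: banner, NSE scripts that reported VULNERABLE (with
    CVE ids), and advisories whose watchlist key appears in the banner."""
    ports, cur, script = [], None, None
    for line in nmap_text.splitlines():
        m = PORT_RE.match(line)
        if m:
            cur = {"port": int(m.group(1)), "service": m.group(2),
                   "banner": m.group(3).strip(), "vulnerable": {},
                   "advisories": [u for k, u in watchlist.items()
                                  if k in m.group(3)]}
            ports.append(cur)
            script = None
        elif not line.startswith("|"):
            cur = None              # host-level scripts belong to no port
        elif cur is not None:
            s = SCRIPT_RE.match(line)
            script = s.group(1) if s else script
            if script and "State: VULNERABLE" in line:
                cur["vulnerable"].setdefault(script, [])
            found = cur["vulnerable"].get(script, [])
            found.extend(c for c in CVE_RE.findall(line) if c not in found)
    return ports
```

Only the exact 445/tcp banner matches the watchlist; the 139/tcp banner reports just "3.X - 4.X", so version-based triage needs the more specific fingerprint.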

Samba 3.0.20 has a known vulnerability, documented here: https://www.exploit-db.com/exploits/16320
There is a Metasploit module for it, but if you want to do it manually, there is exploit code here: https://gist.github.com/joenorton8014/19aaa00e0088738fc429cff2669b9851

The shellcode needs to be modified so that the netcat session ends up at your machine. The modified shellcode needs to replace the existing code from line 28.

Start your netcat listener and run the Python script.

From here you can grab the root and user flags.