Lame is a Linux box at with an easy rating.

Starting with Enumeration we find some interesting services

[email protected]:/home/HTB/Lame# nmap -sV --script=default,vuln -p- -oA Lame -O
Starting Nmap 7.70 ( ) at 2019-03-02 15:23 EST
Nmap scan report for
Host is up (0.32s latency).
Not shown: 65530 filtered ports
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
| distcc-cve2004-2687: 
|   distcc Daemon Command Execution
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2004-2687
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|       Allows executing of arbitrary commands on systems running distccd 3.1 and
|       earlier. The vulnerability is the consequence of weak service configuration.
|     Disclosure date: 2002-02-01
|     Extra information:
|     uid=1(daemon) gid=1(daemon) groups=1(daemon)
|     References:
|       http://
|       http://
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (90%), Crestron XPanel control system (90%), Linux 2.4.18 (90%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (89%), Asus RT-AC66U router (Linux 2.6) (89%), Asus RT-N10 router or AXIS 211A Network Camera (Linux 2.6) (89%), Asus RT-N16 WAP (Linux 2.6) (89%), Asus RT-N66U WAP (Linux 2.6) (89%), Tomato 1.28 (Linux 2.6.22) (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -8h43m23s, deviation: 0s, median: -8h43m23s
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-03-02T01:57:12-05:00
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
|_smb2-time: Protocol negotiation failed (SMB2)

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 1066.46 seconds

Samba 3.0.20 has a known vulnerability found here:
There is a metasploit module for it, but if you want to do it manually there is exploit code here:

The Shellcode needs to be modified so the netcat session ends up at your machine. This needs to replace the existing code from line 28

Start your netcat listener and run the python script.

From here you can grab the root and user flags.