HMV Five
This is a Linux machine with only a web service exposed. We can upload a webshell by controlling
the directory parameter of the upload API endpoint, which gives us the initial foothold on the system.
We then discover a sudo rule for our initial user that allows it to execute /bin/cp as
another user, and an SSH service that listens only on localhost, which we can reach by port
mapping. After that we pivot to the other user by leveraging /bin/cp to write our SSH public key into
her authorized_keys. Finally, we get a root shell or read arbitrary files via the LOTL (Live off the land)
technique. Here is the /bin/man.
Summary
Scope
- Name: Five
- Difficulty: Medium
- OS: Linux
- IP: Local VM
Learned
- Port forwarding is a good friend for complex network topologies (nc, socat, chisel and python).
- LOTL (Live off the land) is sometimes an ideal attack vector.
Enumeration
Nmap
Overall
# Nmap 7.98 scan initiated Mon Mar 9 16:08:26 2026 as: nmap -p- --min-rate 3000 -oN overall 192.168.1.12
Nmap scan report for five (192.168.1.12)
Host is up (0.00013s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 08:00:27:3B:BE:8A (Oracle VirtualBox virtual NIC)

# Nmap done at Mon Mar 9 16:08:27 2026 -- 1 IP address (1 host up) scanned in 0.51 seconds
Detail
There is a /admin endpoint!
# Nmap 7.98 scan initiated Mon Mar 9 16:08:45 2026 as: nmap -sC -sV -O -vv -p80 -oN detail 192.168.1.12
Nmap scan report for five (192.168.1.12)
Host is up, received arp-response (0.00037s latency).
Scanned at 2026-03-09 16:08:46 CST for 7s

PORT   STATE SERVICE REASON         VERSION
80/tcp open  http    syn-ack ttl 64 nginx 1.14.2
| http-robots.txt: 1 disallowed entry
|_/admin
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.14.2
|_http-title: 403 Forbidden
MAC Address: 08:00:27:3B:BE:8A (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
TCP/IP fingerprint:
OS:SCAN(V=7.98%E=4%D=3/9%OT=80%CT=%CU=40641%PV=Y%DS=1%DC=D%G=N%M=080027%TM=
OS:69AE8015%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=103%TI=Z%CI=Z%II=I%T
OS:S=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=
OS:M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=F
OS:E88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=
OS:A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=
OS:Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%
OS:T=40%CD=S)

Uptime guess: 1.063 days (since Sun Mar 8 14:37:30 2026)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Mar 9 16:08:53 2026 -- 1 IP address (1 host up) scanned in 7.55 seconds
UDPScan
# Nmap 7.98 scan initiated Mon Mar 9 16:09:13 2026 as: nmap -sU --top-ports 32 -oN udpscan 192.168.1.12
Nmap scan report for five (192.168.1.12)
Host is up (0.00044s latency).

PORT      STATE         SERVICE
53/udp    closed        domain
67/udp    open|filtered dhcps
68/udp    open|filtered dhcpc
69/udp    open|filtered tftp
111/udp   closed        rpcbind
123/udp   open|filtered ntp
135/udp   closed        msrpc
136/udp   open|filtered profile
137/udp   open|filtered netbios-ns
138/udp   open|filtered netbios-dgm
139/udp   closed        netbios-ssn
161/udp   open|filtered snmp
162/udp   closed        snmptrap
445/udp   open|filtered microsoft-ds
500/udp   closed        isakmp
514/udp   closed        syslog
520/udp   open|filtered route
631/udp   open|filtered ipp
996/udp   closed        vsinet
997/udp   open|filtered maitrd
998/udp   closed        puparp
999/udp   open|filtered applix
1434/udp  closed        ms-sql-m
1701/udp  closed        L2TP
1812/udp  open|filtered radius
1900/udp  closed        upnp
3283/udp  closed        netassistant
4500/udp  closed        nat-t-ike
5353/udp  open|filtered zeroconf
49152/udp open|filtered unknown
49153/udp closed        unknown
49154/udp open|filtered unknown
MAC Address: 08:00:27:3B:BE:8A (Oracle VirtualBox virtual NIC)

# Nmap done at Mon Mar 9 16:09:24 2026 -- 1 IP address (1 host up) scanned in 10.90 seconds
Web
First I access the homepage, which gives me a 403. Then /admin gives me a login form. I try some
common credentials and simple SQLi, but nothing comes back.
Then I enumerate this web service with feroxbuster, and some interesting endpoints stand out.
❰curtain❙~/workspace/shooting/hmvm/five❱✘≻ feroxbuster -u http://192.168.1.12/ -w /usr/share/wordlists/dirb/common.txt -x php,txt,html

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  ` /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.13.1
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.1.12/
 🚩  In-Scope Url          │ 192.168.1.12
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirb/common.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.13.1
 💉  Config File           │ /home/curtain/.config/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [php, txt, html]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        7l       12w      169c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET        7l       10w      169c http://192.168.1.12/
301      GET        7l       12w      185c http://192.168.1.12/admin => http://192.168.1.12/admin/
200      GET        1l        2w       23c http://192.168.1.12/admin/action_page.php
200      GET      176l      445w     3866c http://192.168.1.12/admin/index.html
200      GET        2l        1w       17c http://192.168.1.12/robots.txt
301      GET        7l       12w      185c http://192.168.1.12/uploads => http://192.168.1.12/uploads/
200      GET        2l        8w       48c http://192.168.1.12/upload.php
200      GET       15l       29w      346c http://192.168.1.12/upload.html
403      GET        7l       10w      169c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
[####################] - 2s    55392/55392   0s      found:8       errors:0
[####################] - 2s    18456/18456   11351/s http://192.168.1.12/
[####################] - 2s    18456/18456   12174/s http://192.168.1.12/admin/
[####################] - 1s    18456/18456   20714/s http://192.168.1.12/uploads/
Finally, after interacting with these endpoints, /upload.html catches my eye.
Foothold
API Vuln(Parameter Abuse)

After testing it, I find I can control the directory path of the uploaded file. Since I cannot reach the
webshell in the default uploads directory, I upload it to the root directory of the website instead.
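The root cause here is an upload handler that joins a client-controlled directory parameter straight onto its upload root. The following is an added example (not code from the box or from this writeup) that puts the flawed pattern beside a hardened one: the client never picks a directory, the filename is reduced to its basename, the extension is allowlisted, and the resolved path is checked to still sit under the upload root. The allowlists and the /var/www/html/uploads root are constructed for the example.

```python
import posixpath

# Constructed allowlists (assumptions for this example, not the box's real config):
# extensions an image/document form would accept, and the only sub-directories
# the application itself knows about. Nothing the web server could execute is listed.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}
ALLOWED_SUBDIRS = {"images", "documents"}


class UploadRejected(ValueError):
    """Raised when an upload request fails validation."""


def vulnerable_target_path(upload_root, directory, filename):
    """Mirror of the flawed pattern: the client-supplied directory parameter is
    joined verbatim, so a '../' walks out of the upload root. normpath() is
    applied only to show where the file actually lands on disk."""
    return posixpath.normpath(posixpath.join(upload_root, directory, filename))


def safe_target_path(upload_root, filename, subdir=None):
    """Hardened variant: the client never chooses a directory. An optional
    sub-directory is looked up in an allowlist, the filename is reduced to its
    basename, the extension is checked, and the final path is confirmed to
    still lie inside upload_root."""
    upload_root = posixpath.normpath(upload_root)

    if subdir is not None and subdir not in ALLOWED_SUBDIRS:
        raise UploadRejected("unknown sub-directory: %r" % subdir)

    # basename() discards any path components the client smuggled into the name.
    name = posixpath.basename(filename)
    if name in ("", ".", "..") or name.startswith("."):
        raise UploadRejected("bad filename: %r" % filename)

    ext = posixpath.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension not allowed: %r" % ext)

    parts = [upload_root] + ([subdir] if subdir else []) + [name]
    target = posixpath.normpath(posixpath.join(*parts))

    # Defence in depth: refuse anything that still resolved outside the root.
    if posixpath.commonpath([upload_root, target]) != upload_root:
        raise UploadRejected("target escapes upload root: %r" % target)
    return target


if __name__ == "__main__":
    root = "/var/www/html/uploads"
    print("vulnerable:", vulnerable_target_path(root, "../", "shell.php"))
    print("safe:      ", safe_target_path(root, "../../photo.png"))
    try:
        safe_target_path(root, "shell.php")
    except UploadRejected as exc:
        print("rejected:  ", exc)
```

Path validation alone is not the whole fix: the uploads directory should also be served with script execution disabled in the nginx/PHP configuration, and stored files are best renamed to a server-generated name so the client's filename never reaches the filesystem at all.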
www-data@five:~/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@five:~/html$ sudo -l
sudo -l
Matching Defaults entries for www-data on five:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on five:
(melisa) NOPASSWD: /bin/cp
/bin/cp can read and write files, which I learned from GTFOBins. The first thing that comes to my mind is
to copy the SSH key of user melisa, or to write our own SSH public key into melisa's directory, but the SSH
service is not enabled by default. Then, via ss -tlnp, I discover there is an SSH service listening only on localhost.
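The `(melisa) NOPASSWD: /bin/cp` rule is the kind of thing a sudoers audit should catch before an attacker does, since cp run as another user can overwrite that user's files. Below is an added example, not part of this writeup, that parses `sudo -l` output and flags run-as rules whose binary has file-write, file-read or shell-escape behaviour. The GTFOBINS_RISKY table is a small constructed subset of what GTFOBins documents, not the full index; the sample input is the rule block shown above.

```python
import re

# Constructed, partial subset of binaries that GTFOBins documents as usable for
# file reads/writes or shell escapes when run via sudo. Assumption: illustrative
# only, not the full GTFOBins index; extend it for a real audit.
GTFOBINS_RISKY = {
    "cp":   "file write/read as the run-as user (e.g. overwrite ~/.ssh/authorized_keys)",
    "mv":   "file write (replace arbitrary files)",
    "tee":  "file write",
    "dd":   "file write/read",
    "vim":  "shell escape",
    "less": "shell escape",
    "man":  "shell escape (pager)",
    "find": "shell via -exec",
    "bash": "shell",
}

# One rule line of `sudo -l`, e.g. "    (melisa) NOPASSWD: /bin/cp"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+?)\s*$"
)


def parse_sudo_l(text):
    """Return a list of (runas_user, nopasswd, [commands]) from `sudo -l` output."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True          # everything after this header is a rule
            continue
        if not in_rules:
            continue                 # skip the "Matching Defaults" block
        match = RULE_RE.match(line)
        if not match:
            continue
        runas = match.group("runas").split(":")[0].strip()   # "(user : group)" form
        nopasswd = "NOPASSWD:" in match.group("tags")
        cmds = [c.strip() for c in match.group("cmds").split(",") if c.strip()]
        rules.append((runas, nopasswd, cmds))
    return rules


def audit_sudo_rules(rules):
    """Flag rules whose command is 'ALL' or whose binary is in GTFOBINS_RISKY."""
    findings = []
    for runas, nopasswd, cmds in rules:
        for cmd in cmds:
            if cmd == "ALL":
                findings.append({"command": cmd, "runas": runas,
                                 "nopasswd": nopasswd, "why": "unrestricted"})
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in GTFOBINS_RISKY:
                findings.append({"command": cmd, "runas": runas,
                                 "nopasswd": nopasswd, "why": GTFOBINS_RISKY[binary]})
    return findings


# The rule block seen on the box, reproduced as sample input.
SAMPLE_SUDO_L = r"""Matching Defaults entries for www-data on five:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on five:
    (melisa) NOPASSWD: /bin/cp
"""

if __name__ == "__main__":
    for f in audit_sudo_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print("%s as %s%s: %s" % (f["command"], f["runas"],
                                  " without password" if f["nopasswd"] else "", f["why"]))
```

The usual fix is to grant a purpose-built wrapper script with fixed arguments rather than a general-purpose binary like cp, and to keep NOPASSWD off anything a web service account can reach.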
www-data@five:/$ nc 127.0.0.1 4444
SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
So the question becomes: how do I map that service out to myself? I Google that keyword and port mapping (forwarding) catches my eye.
What I need is something like this:
guest(me or others) <-----> target_machine's mapping port (ie: 2222) <------> target_machine's localhost:4444 (ssh service)
So I achieve this with the following:
tldr socat
socat tcp-listen:2222,fork tcp4:127.0.0.1:4444
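The same `ss -tlnp` view used earlier to find the loopback-bound SSH service is also how a defender notices what the socat relay above leaves behind: a new listener on all interfaces owned by a relay tool. The block below is an added example (not from this writeup) that parses `ss -tlnp` output, lists services reachable only via loopback, and flags non-loopback listeners owned by the forwarding tools the writeup names. The sample output, pids and the RELAY_TOOLS set are constructed assumptions.

```python
import re

# Constructed `ss -tlnp` output (pids/fds made up): the loopback-only SSH from the
# writeup, the web server, and a socat relay re-exposing that SSH port on all
# interfaces, which is exactly what the forwarding step above produces.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:4444      0.0.0.0:*          users:(("sshd",pid=512,fd=3))
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=600,fd=6),("nginx",pid=601,fd=6))
LISTEN  0       5       0.0.0.0:2222        0.0.0.0:*          users:(("socat",pid=1337,fd=5))
LISTEN  0       128     [::1]:4444          [::]:*             users:(("sshd",pid=512,fd=4))
"""

LOOPBACK = {"127.0.0.1", "[::1]"}
# Assumption: tools this check treats as relays (the ones the writeup names,
# plus ncat); tune for your environment.
RELAY_TOOLS = {"socat", "nc", "ncat", "chisel"}

PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss_listeners(text):
    """Parse `ss -tlnp` lines into dicts with addr, port and owning processes."""
    listeners = []
    for line in text.splitlines()[1:]:          # first line is the header
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, port = cols[3].rsplit(":", 1)    # rsplit keeps "[::1]" intact
        procs = [(name, int(pid)) for name, pid in PROC_RE.findall(line)]
        listeners.append({"addr": addr, "port": int(port), "procs": procs})
    return listeners


def loopback_only_services(listeners):
    """Ports that only answer on loopback: what a port forwarder would expose."""
    exposed = {lst["port"] for lst in listeners if lst["addr"] not in LOOPBACK}
    local = {lst["port"] for lst in listeners if lst["addr"] in LOOPBACK}
    return sorted(local - exposed)


def suspicious_relays(listeners):
    """Non-loopback listeners owned by a known relay tool, as (port, tools)."""
    hits = []
    for lst in listeners:
        if lst["addr"] in LOOPBACK:
            continue
        tools = {name for name, _ in lst["procs"]} & RELAY_TOOLS
        if tools:
            hits.append((lst["port"], sorted(tools)))
    return hits


if __name__ == "__main__":
    ls = parse_ss_listeners(SAMPLE_SS)
    print("loopback-only ports:", loopback_only_services(ls))
    print("suspicious relays:  ", suspicious_relays(ls))
```

Run periodically (or fed from an EDR's socket telemetry), the relay check is a cheap way to spot a loopback-only service being re-exposed; a process-name match is easy to evade by renaming the binary, so pair it with a baseline of expected listening ports.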
Privilege Escalation
After I pivot to user melisa, I discover that her sudo rule hints at LOTL (Live off the
land), since all the commands she can execute are built into the system. Ultimately, I find the
exploit on GTFOBins