Hetemit -- Proving Grounds (write-up)

  • Difficulty: Intermediate
  • Box: Hetemit (Proving Grounds)
  • Author: dsec
  • Date: 2025-05-29


TL;DR

Gained initial access through open services. Privesc by editing a writable systemd service file and rebooting via sudo.


Target info

  • Host: 192.168.238.117

Enumeration

Nmap results:

Nmap results

Nmap results continued

Web enumeration

More enumeration

Ran enum4linux:

enum4linux -a -u "" -p '' 192.168.238.117

enum4linux results

Exploitation

Initial access

Shell

Enumeration on target

Troubleshooting

More troubleshooting

Privilege escalation

Checked sudo permissions:

sudo -l

sudo -l

Ran linpeas:

linpeas

Found writable systemd service:

Writable service

/etc/systemd/system/pythonapp.service is writable, and sudo -l shows we can run /sbin/reboot. Edited the service to include a reverse shell:

vi /etc/systemd/system/pythonapp.service
  • Changed ExecStart to a reverse shell and User to root.

Then rebooted:

sudo /sbin/reboot

Caught root shell on listener.


Lessons & takeaways

  • Always check for writable systemd service files with linpeas
  • If you can sudo reboot, writable service files are an easy privesc path
  • Edit ExecStart and User fields in the service file to escalate
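
Defender-side counterpart to the takeaways above, as an added example that is not part of the original write-up: a Python audit that lists systemd unit files and unit directories modifiable by anyone other than root, which is the condition that made pythonapp.service exploitable here. The function names and the unit search paths are assumptions for illustration.

```python
import os
import stat

# Common unit search paths (assumption; adjust for the host being audited).
UNIT_DIRS = ["/etc/systemd/system", "/usr/lib/systemd/system", "/lib/systemd/system"]
UNIT_SUFFIXES = (".service", ".timer", ".socket", ".conf")


def mode_problems(path, trusted_uids):
    """Return the reasons `path` can be modified by a non-trusted account."""
    st = os.stat(path)
    problems = []
    if st.st_uid not in trusted_uids:
        problems.append(f"owned by uid {st.st_uid}")
    if st.st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def audit_units(dirs=UNIT_DIRS, trusted_uids=(0,)):
    """Map each risky unit file or unit directory to the reasons it is risky."""
    findings = {}
    for top in dirs:
        for root, _subdirs, files in os.walk(top):
            # A writable directory lets a user replace the unit files inside it.
            probs = mode_problems(root, trusted_uids)
            if probs:
                findings[root] = probs
            for name in files:
                path = os.path.join(root, name)
                # Symlinks (enabled or masked units) are skipped: the target
                # file is checked in the directory where it actually lives.
                if os.path.islink(path) or not name.endswith(UNIT_SUFFIXES):
                    continue
                probs = mode_problems(path, trusted_uids)
                if probs:
                    findings[path] = probs
    return findings


if __name__ == "__main__":
    for path, reasons in sorted(audit_units().items()):
        print(f"{path}: {', '.join(reasons)}")
```

Any unit file this reports should be returned to root ownership with mode 644, since a unit's ExecStart and User settings decide what runs, and as whom, at the next boot.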