Potato
Source: Proving Grounds
OS: Linux
Community Rating: Intermediate
Enumeration & Reconnaissance
I started, as usual, with autorecon, which revealed three open ports:
SSH (22)
HTTP (80)
FTP (2112)
Service Analysis
While I had background fuzzers running on HTTP, I started interacting with the FTP service since it allowed anonymous logins.
FTP Service
Upon connecting to the FTP service anonymously, I discovered two files:
welcome.msg
index.php.bak

The presence of a backup file immediately caught my attention: it hinted at a misconfiguration or a hidden clue, or perhaps a rabbit hole. We will see.
Web Application
Exploring the web server, I found an admin login page at /admin/index.php. I tried multiple password combinations and even launched a brute-force attack against the user admin in the background. Nothing worked, and my attention kept returning to the suspicious index.php.bak file from the FTP server.
Vulnerability Discovery
After some online digging, I learned about an interesting behavior of PHP's strcmp function: if $_GET['password'] is an array rather than a string (which is what a request such as ?password[]= produces), strcmp emits a warning and returns NULL instead of an integer. Because of PHP's loose type juggling, the comparison NULL == 0 evaluates to true, so a check written as strcmp($input, $password) == 0 passes. (This applies to PHP 5 and 7; PHP 8 throws a TypeError for a non-string argument instead.) I sent the request through Burp Suite, and it worked: the authentication check was bypassed and I had access to the admin panel.
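The check pattern described above, with a hardened version beside it, as an added example (not the machine's actual index.php, which is not reproduced on this page). ADMIN_PASSWORD is a placeholder, and the three inputs are constructed to stand in for what PHP puts into $_GET['password'] for each query string:

```php
<?php
// Added example, not the Potato machine's own source: a login check with
// the strcmp() weakness described in the write-up, beside a hardened one.
// ADMIN_PASSWORD is a placeholder; the real secret is not on the page.

const ADMIN_PASSWORD = 'placeholder-secret';

// Vulnerable: the strcmp() result is compared with loose ==.
// PHP 5/7: strcmp([...], $s) emits a warning and returns NULL, and
// NULL == 0 is true, so any array input authenticates.
// PHP 8: strcmp() throws a TypeError for a non-string argument instead.
function vulnerable_login($password): bool
{
    return strcmp($password, ADMIN_PASSWORD) == 0;
}

// Hardened: refuse non-strings up front, then compare in constant time.
function safe_login($password): bool
{
    if (!is_string($password)) {
        return false;
    }
    return hash_equals(ADMIN_PASSWORD, $password);
}

// Constructed inputs standing in for $_GET['password']. Requesting
// ?password[]= makes PHP build an array (one empty string), not a string.
$inputs = [
    'password=wrong'              => 'wrong',
    'password[]='                 => [''],
    'password=placeholder-secret' => ADMIN_PASSWORD,
];

foreach ($inputs as $query => $value) {
    try {
        $vuln = @vulnerable_login($value) ? 'ALLOW' : 'deny';
    } catch (TypeError $e) {
        $vuln = 'TypeError';   // what PHP 8 does with the array input
    }
    $safe = safe_login($value) ? 'ALLOW' : 'deny';
    printf("%-28s vulnerable=%-9s hardened=%s\n", $query, $vuln, $safe);
}
```

Run it with `php strcmp_bypass.php` under PHP 7 to see the password[]= row authenticate through the vulnerable function while the hardened one denies it; under PHP 8 the same row shows TypeError, which is a crash rather than a bypass but still not the behaviour you want from a login handler. The is_string guard is the part that closes the hole; hash_equals additionally removes the timing side channel that strcmp has.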

Gaining Initial Access
Inside the admin panel, I discovered a function that allowed retrieval of log files. This feature turned out to be vulnerable to Local File Inclusion (LFI).

Exploiting the LFI, I pulled the passwd file from the server. Cracking the password hash it contained for the user webadmin was a breeze: the password was dragon.

Privilege Escalation
With user-level access secured, I ran linpeas.sh to see what else the system had to offer. The scan indicated that the target might be vulnerable to CVE-2021-3560 (polkit). I tried several proof-of-concept exploits and even attempted manual exploitation, but none of the approaches worked. As I was about to give up, I checked my sudo privileges with sudo -l and found something neat: I could run /bin/nice on any path matching /notes/*.

I created a bash script in the /tmp directory and ran the following command:
sudo /bin/nice /notes/../tmp/bash.sh
The sudoers wildcard is matched against the argument as a string, so /notes/../tmp/bash.sh satisfies /notes/* while the file that actually executes is /tmp/bash.sh. This granted me root access, a much simpler path than wrestling with the CVE exploit.
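Why the wildcard accepts a path that escapes /notes/, as an added example rather than anything from the machine or the write-up's tooling. sudo matches command arguments against the sudoers pattern with fnmatch(3)-style globbing, in which * also matches /; PHP's fnmatch() wraps the same libc routine, so it reproduces that decision. normalise_path() and resolved_path_allowed() are hypothetical helpers added here for contrast only; sudo itself never resolves the path:

```php
<?php
// Added example: why a sudoers entry "/bin/nice /notes/*" accepts
// /notes/../tmp/bash.sh. sudo globs the raw argument string; PHP's fnmatch()
// calls the same libc fnmatch(3), so sudoers_glob_allows() mirrors sudo.
// normalise_path() / resolved_path_allowed() are hypothetical helpers that
// show the check a correct policy would need; sudo does not perform it.

const SUDOERS_ARG_PATTERN = '/notes/*';

// The check sudo effectively makes: a string-level glob on the raw argument.
function sudoers_glob_allows(string $arg): bool
{
    return fnmatch(SUDOERS_ARG_PATTERN, $arg);
}

// Lexical normalisation (no filesystem access): collapse "." and "..".
function normalise_path(string $path): string
{
    $parts = [];
    foreach (explode('/', $path) as $part) {
        if ($part === '' || $part === '.') {
            continue;
        }
        if ($part === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $part;
    }
    return '/' . implode('/', $parts);
}

// What a sound policy would have to check: the resolved path stays in /notes/.
function resolved_path_allowed(string $arg): bool
{
    $resolved = normalise_path($arg) . '/';
    return strncmp($resolved, '/notes/', 7) === 0;
}

// Constructed arguments: a legitimate use, the escalation argument from the
// write-up, and the same target file without the /notes/ prefix.
$arguments = [
    '/notes/todo.txt',
    '/notes/../tmp/bash.sh',
    '/tmp/bash.sh',
];

foreach ($arguments as $arg) {
    printf("%-24s glob=%-6s resolved=%-16s in_notes=%s\n",
        $arg,
        sudoers_glob_allows($arg) ? 'match' : 'no',
        normalise_path($arg),
        resolved_path_allowed($arg) ? 'yes' : 'no');
}
```

The middle row is the escalation: the glob matches, but the resolved path is /tmp/bash.sh. The practical fix is not to resolve paths in a wrapper but to drop the wildcard from sudoers altogether and grant a fixed command (for example a specific script with no arguments), since any argument pattern that ends in * is matched as text and will accept ../ sequences.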
Lessons Learned
PHP Type Juggling: A subtle bug in PHP allowed an authentication bypass by exploiting the way strcmp handles an array input under loose comparison.
Sudo Misconfiguration: The ability to run /bin/nice on /notes/* without a password provided a straightforward path to privilege escalation.