A penetration test was conducted on the target machine 10.115.0.150.18 (hostname: snare.ptd). The assessment revealed critical vulnerabilities, including Remote File Inclusion (RFI) leading to initial access and misconfigured file permissions on /etc/shadow, allowing privilege escalation to root.
Key Findings:
Remote File Inclusion (RFI) in index.php leading to code execution.
At first glance, the URL is built like /index.php?page=home, which indicates a potential Local File Inclusion or Remote File Inclusion.
Reverse Shell Obtained:
Gained access as www-data.
Stabilized shell:
Privilege Escalation (Root via /etc/shadow Modification)
Manual enumeration found that /etc/shadow is editable by any user. With that permission, we can replace the root hash with a crafted one. I will use mkpasswd with the password smallcurl.
Discovery:
/etc/shadow had world-writable permissions:
Exploitation:
Generated a new root password hash (smallcurl):
Replaced root’s hash in /etc/shadow.
Logged in as root via SSH or switched user with su.
Findings & Vulnerabilities
1. Remote File Inclusion (RFI)
Risk: Critical
Description:
The page parameter in index.php allows arbitrary file inclusion, leading to remote code execution (RCE).
Proof of Concept (PoC):
Impact:
Unauthenticated attackers can execute arbitrary commands as www-data.
2. World-Writable /etc/shadow
Risk: Critical
Description:
The /etc/shadow file had 777 permissions, allowing any user to modify passwords.
Impact:
Any low-privileged user can escalate to root by replacing the root hash.
Recommendations
Remote File Inclusion (RFI)
Sanitize user input in index.php.
Use a whitelist approach for file inclusion.
Disable remote URL inclusion in PHP (allow_url_include=Off).
/etc/shadow Permission Misconfiguration
Restrict /etc/shadow permissions:
Audit system-critical files for incorrect permissions.
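One way to run that audit, as an added example that is not part of the report: a POSIX sh script that compares each sensitive file's mode against the strictest mode it should carry and prints the chmod that fixes it. The file list and expected modes are assumptions for a typical Ubuntu host; the 777 on /etc/shadow found here would show up as a FAIL line.

```shell
#!/bin/sh
# Added example (not from the report): audit sensitive files for modes that
# grant more than intended. Paths/modes are assumptions for a typical Ubuntu box.

# Print the octal permission bits of a file (GNU stat first, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_file <path> <max_octal_mode>
# Returns 0 when the file grants no bit beyond the allowed mode,
# 1 when it grants extra bits, 2 when the file does not exist.
audit_file() {
    path=$1
    allowed=$2
    [ -e "$path" ] || { echo "MISSING  $path"; return 2; }
    mode=$(file_mode "$path")
    # Bits set in the actual mode but absent from the allowed mode;
    # the 0777 mask ignores setuid/setgid/sticky for this check.
    extra=$(( 0$mode & ~0$allowed & 0777 ))
    if [ "$extra" -ne 0 ]; then
        printf 'FAIL     %s mode %s exceeds %s (fix: chmod %s %s)\n' \
            "$path" "$mode" "$allowed" "$allowed" "$path"
        return 1
    fi
    printf 'OK       %s mode %s\n' "$path" "$mode"
    return 0
}

# Audit the usual credential and privilege files; any FAIL line is the same
# class of misconfiguration that gave root on snare.ptd.
audit_system() {
    rc=0
    audit_file /etc/shadow  640 || rc=1
    audit_file /etc/gshadow 640 || rc=1
    audit_file /etc/sudoers 440 || rc=1
    audit_file /etc/passwd  644 || rc=1
    return $rc
}
```

Run audit_system as root so every file is readable; a non-zero exit means at least one file needs its mode tightened.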
Conclusion
The target machine was fully compromised due to Remote File Inclusion (RFI) and misconfigured /etc/shadow permissions. Immediate remediation is required to prevent unauthorized root access.
Next Steps:
Patch the RFI vulnerability.
Correct /etc/shadow permissions.
Conduct a full system audit for similar misconfigurations.
Report Author: whymir
Date: 28/3/2025
nmap -sCV -p- --open --min-rate=1000 $IP -vv -o scvnmap.txt
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 2f:0e:73:d4:ae:73:14:7e:c5:1c:15:84:ef:45:a4:d1 (RSA)
| 256 39:0b:0b:c9:86:c9:8e:b5:2b:0c:39:c7:63:ec:e2:10 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGmiszcF9/ODPO+E1DJqmOTFzU9x8my1YjSU0kQ/0wP4rWOM6n842lfVnetuBSK8atTyLQldVvOvDUC1dbmebXQ=
| 256 f6:bf:c5:03:5b:df:e5:e1:f4:da:ac:1e:b2:07:88:2f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJhRxho5TB813oD6OcYI0wGuykFwNAdb+8DyOCwtjPY
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-title: Welcome to my homepage!
|_Requested resource was /index.php?page=home
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel