Enumeration

Nmap

Initial nmap scan revealed SSH and HTTP ports were open.

00 - nmap

Web Enumeration

The website was a Tiny File Manager site. I tried default credentials, but they did not work.

01 - web

I then ran nuclei and found that a phpinfo.php file was available on the site.

00 - nuclei

Visiting that endpoint revealed that SPX 0.4.15 was in use.

02 - spx

Exploit

CVE-2024-42007

SPX (aka php-spx) through 0.4.15 allows SPX_UI_URI Directory Traversal to read arbitrary files.

At first I searched for exploits and found one on GitHub, but it used a hardcoded SPX_KEY value, as seen in the image.

03 - found an exploit

As seen on the phpinfo.php endpoint, our SPX_KEY was a2a90ca2f9f0ea04d267b16fb8e63800, so all I needed to do was supply SPX_UI_URI alongside it to perform the path traversal.

04 - directory traversal
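From the defender's side, the same traversal leaves a clear trace in the web server access log: an SPX_UI_URI value containing parent-directory segments. The following detector is an added example, not code from the original post or from the php-spx project; the log lines, IPs and the SPX_KEY value in them are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache combined format); not from the original page.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /?SPX_KEY=constructedkey&SPX_UI_URI=/ HTTP/1.1" 200 2048 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2025:10:00:03 +0000] "GET /?SPX_KEY=constructedkey&SPX_UI_URI=/../../../../etc/passwd HTTP/1.1" 200 1400 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2025:10:00:04 +0000] "GET /?SPX_KEY=constructedkey&SPX_UI_URI=%2F..%2F..%2Fconfig.php HTTP/1.1" 200 900 "-" "curl/8.0"
"""

# Matches the client IP, timestamp, method, request target and status of one combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_traversal(ui_uri):
    """True if the SPX_UI_URI value contains a parent-directory ('..') segment.

    The value is percent-decoded twice so that single- and double-encoded
    variants (%2e%2e, %252e%252e) are normalised before the segment check.
    """
    decoded = unquote(unquote(ui_uri))
    segments = re.split(r'[\\/]+', decoded)
    return '..' in segments


def find_spx_traversal(log_text):
    """Return (ip, status, SPX_UI_URI) for every request whose SPX_UI_URI
    parameter contains a parent-directory segment."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group('target')).query
        params = parse_qs(query, keep_blank_values=True)  # parse_qs decodes once
        for value in params.get('SPX_UI_URI', []):
            if is_traversal(value):
                hits.append((m.group('ip'), int(m.group('status')), value))
    return hits


if __name__ == '__main__':
    for ip, status, uri in find_spx_traversal(SAMPLE_LOG):
        print(f'{ip} status={status} SPX_UI_URI={uri}')
```

A 200 response on such a request is the stronger signal: a patched SPX (later than 0.4.15) or a server that does not expose the profiler UI should not serve the file.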

I first read /etc/passwd, then read the index.php file and found two hashed passwords.

05 - passwords

I then cracked them with hashcat using rockyou.txt.

06 - cracked

Then I logged in as admin.

07 - admin login

I then uploaded a reverse shell, and visiting the endpoint gave me a www-data shell.

08 - revshell

09 - revshell

Cracked Password

After obtaining the www-data shell, I tried to switch to the profiler user with the two cracked passwords. lowprofile worked, and I got the user flag.

10 - local

Privilege Escalation

sudo make install

I could run make install inside the php-spx directory via sudo.

11 - sudo l

I first checked the Makefile and found that it executed shell commands.

12 - makefile

So I updated it to add chmod +s /bin/bash.

13 - updated makefile

Then I executed it and got a root shell.

15 - gg
