
Payday -- Proving Grounds (write-up)

Difficulty: Easy
Box: Payday (Proving Grounds)
Author: dsec
Date: 2024-08-07


TL;DR

Default admin creds on a web app led to a PHP reverse shell. Found MySQL creds and password reuse for a local user who had full sudo privileges.


Enumeration

[Screenshots: Nmap results; web enumeration; directory enumeration; further enumeration; service discovery; web app; app details]


Exploitation

Found /admin.php and logged in with default credentials:

  • admin:admin

[Screenshot: admin panel]

Used the PHP Ivan Sincek reverse shell from revshells.com to get a reverse shell.


Privilege escalation

Found MySQL running locally:

[Screenshots: MySQL discovery; MySQL enumeration]

mysql -h 127.0.0.1 -u root -p

Found an SSH authorized key:

[Screenshot: SSH key]

Checked for SUID binaries:

[Screenshot: SUID binaries]

Found interesting backup/config files:

  • /var/lib/belocs/hashfile.old
  • /var/backups/infodir.bak
  • /etc/dovecot/dovecot.conf.bak
  • /var/cache/debconf/passwords.dat
  • /etc/mysql/conf.d/old_passwords.cnf
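Leftover .bak/.old copies of config files are exactly what a defender should be sweeping for before an attacker does. The following audit script is an added example, not part of the original write-up: it walks a directory tree, picks out files whose names match the stale-config patterns listed above, and reports whether each is world-readable and whether it contains a password-style line. The sample tree it builds in build_sample_tree() mirrors the write-up's paths but its contents, modes and the SECRET_LINE heuristic are constructed for the demo.

```python
"""Audit a filesystem tree for leftover backup/config files that may hold credentials.

Added example (not from the write-up). File-name patterns come from the paths the
write-up lists; the sample tree, its contents and the secret-line heuristic are constructed.
"""
import os
import re
import shutil
import stat
import tempfile

# Names that commonly mark stale copies of credential-bearing configuration.
SUSPICIOUS_NAME = re.compile(r"(\.bak|\.old|passwords\.dat|old_passwords\.cnf|hashfile)$")
# Constructed heuristic: a "key = value" / "key: value" line whose key looks like a secret.
SECRET_LINE = re.compile(r"^\s*(password|passwd|pass|pwd|secret)\s*[=:]\s*\S+", re.I)


def scan_tree(root):
    """Return sorted (relative_path, world_readable, has_secret_line) for suspicious files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not SUSPICIOUS_NAME.search(name):
                continue
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            world_readable = bool(mode & stat.S_IROTH)  # "other" read bit set
            has_secret = False
            try:
                with open(path, "r", errors="replace") as fh:
                    has_secret = any(SECRET_LINE.match(line) for line in fh)
            except OSError:
                pass  # unreadable to us; still worth listing by name
            findings.append((os.path.relpath(path, root), world_readable, has_secret))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed temp tree mirroring the write-up's paths (contents are fake)."""
    root = tempfile.mkdtemp(prefix="payday-audit-")
    samples = {
        "var/lib/belocs/hashfile.old": ("# constructed\nhash = $6$demo\n", 0o644),
        "var/backups/infodir.bak": ("nothing sensitive here\n", 0o600),
        "etc/dovecot/dovecot.conf.bak": ("password = not-a-real-secret\n", 0o644),
        "var/cache/debconf/passwords.dat": ("Name: demo/root_password\nValue: demo\n", 0o600),
        "etc/mysql/conf.d/old_passwords.cnf": ("[mysqld]\nold_passwords = 1\n", 0o644),
        "etc/issue": ("Debian\n", 0o644),  # control file: should not be reported
    }
    for rel, (content, mode) in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
        os.chmod(full, mode)
    return root


def audit_sample():
    """Build the sample tree, scan it, clean up, and return {path: (world_readable, has_secret)}."""
    root = build_sample_tree()
    try:
        return {p: (wr, sec) for p, wr, sec in scan_tree(root)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, (world_readable, has_secret) in audit_sample().items():
        flags = ("WORLD-READABLE " if world_readable else "") + ("SECRET-LINE" if has_secret else "")
        print(f"{path:40} {flags.strip() or 'name match only'}")
```

Point scan_tree() at "/" on a real host to get the same report; files flagged as both world-readable and containing a secret line are the ones to rotate and remove first. The name heuristic deliberately errs toward false positives (old_passwords.cnf is a harmless MySQL option file), so treat the output as a review list, not a verdict.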

Password reuse: patrick:patrick

su patrick
sudo -l

[Screenshot: sudo -l output]

  • Full sudo privileges.
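A user with "(ALL) ALL" in sudoers is root in all but name, so auditing sudoers for such rules is the direct defensive counterpart to the `sudo -l` step above. The parser below is an added example, not part of the original write-up: it reads a sudoers-style text, splits each rule into user, host, run-as and command list with NOPASSWD-style tags, and returns the rules that grant unrestricted root. The SAMPLE_SUDOERS content is constructed; the patrick line mirrors the write-up's finding.

```python
"""Flag sudoers rules that grant unrestricted root, as the write-up's `sudo -l` showed.

Added example (not from the write-up). Handles plain user/group rules with optional
(runas) and NOPASSWD/PASSWD/SETENV/NOEXEC tags; aliases and line continuations are skipped.
The sample file is constructed.
"""
import re

# who  hosts = (runas) cmd1, cmd2 ...   (runas part is optional)
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAGS = ("NOPASSWD", "PASSWD", "SETENV", "NOSETENV", "NOEXEC", "EXEC")

SAMPLE_SUDOERS = """\
Defaults env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
patrick  ALL=(ALL) ALL                 # constructed: the write-up's finding
www-data ALL=(root) NOPASSWD: /usr/sbin/service apache2 restart
backup   ALL=(ALL) NOPASSWD: /usr/bin/rsync, /bin/tar
"""


def parse_sudoers(text):
    """Return a list of rule dicts: who, hosts, runas, cmds (list), tags (set)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (this also skips #include lines)
        if not line or line.startswith("Defaults") or "\\" in line:
            continue
        m = RULE.match(line)
        if not m:
            continue
        cmds, tags = [], set()
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            # Peel leading "TAG:" prefixes such as "NOPASSWD: /bin/tar" or "NOPASSWD:ALL".
            while ":" in cmd and cmd.split(":", 1)[0].strip().upper() in TAGS:
                tag, cmd = cmd.split(":", 1)
                tags.add(tag.strip().upper())
                cmd = cmd.strip()
            cmds.append(cmd)
        rules.append({
            "who": m.group("who"),
            "hosts": m.group("hosts"),
            "runas": m.group("runas") or "root",  # sudoers default run-as user
            "cmds": cmds,
            "tags": tags,
        })
    return rules


def full_root_rules(rules):
    """Rules whose command list contains ALL and that may run as root (or ALL)."""
    return [
        r for r in rules
        if "ALL" in r["cmds"] and r["runas"].split(":", 1)[0].strip() in ("ALL", "root")
    ]


def audit(text=SAMPLE_SUDOERS):
    """Return the principals with unrestricted root, in file order."""
    return [r["who"] for r in full_root_rules(parse_sudoers(text))]


if __name__ == "__main__":
    for rule in parse_sudoers(SAMPLE_SUDOERS):
        marker = "FULL ROOT" if rule in full_root_rules([rule]) else "scoped"
        print(f"{rule['who']:10} {marker:10} runas={rule['runas']:8} "
              f"tags={sorted(rule['tags'])} cmds={rule['cmds']}")
```

Feed it the output of `visudo -c -f /etc/sudoers` or the files under /etc/sudoers.d and compare the FULL ROOT list against the accounts that are actually meant to administer the box; in this write-up, patrick would not be on that list.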

Lessons & takeaways

  • Always try default credentials on admin panels -- admin:admin still works more often than you'd think
  • Check MySQL for stored credentials and SSH keys
  • Password reuse between database users and system accounts is a common privesc path