Post

Mkingdom

Mkingdom

Mkingdom

🔍 Port Scanning

🕵️ As always, let’s start with an nmap scan: Pasted image 20260610193852.png Yes, only one port is open. Pasted image 20260610194044.png Well, it’s cute. Pasted image 20260610194520.png Yes, time to explore! Pasted image 20260610201453.png Checking the app URL, when we click ‘jump’, we are redirected to a blog: Pasted image 20260610201604.png At the bottom, you can see the login page: Pasted image 20260610201626.png And we know the username: Pasted image 20260610201710.png I brute-forced it and found the password:

Pasted image 20260610201407.png

📂 File Manager Exploitation

💻 We have access to a file manager. Let’s try to upload a PHP reverse shell. However, we need to allow PHP files first: Pasted image 20260610202153.png Pasted image 20260610202209.png Go to settings and add the .php extension. As always, I used the PentestMonkey reverse shell: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

Done. Pasted image 20260610202651.png It shows the URL in the properties: Pasted image 20260610202720.png

🕵️ Privilege Escalation to toad & mario

💡 Once we got the shell, we needed to escalate privileges, so I searched for passwords: Pasted image 20260610205005.png And I found it in:

1
/var/www/html/app/castle/application/config/database.php

We can confirm the username by listing files in the home directory: Pasted image 20260610205217.png Pasted image 20260610205305.png We found user toad: Pasted image 20260610205419.png After exploring a bit, I didn’t find much, so I checked the environment variables: Pasted image 20260610210046.png

I guessed that PWD contained a password, so I decoded it: Pasted image 20260610210148.png

Then I switched user (su) to mario: Pasted image 20260610210233.png Well, I got in: Pasted image 20260610210337.png Yes, I got a bit excited! We can’t use cat, so we need to use an alternative. I tried nano, but it said: Pasted image 20260610214832.png We got an error, which we can fix using:

1
export TERM="xterm"

Pasted image 20260610222251.png

We need root even to read user.txt: Pasted image 20260610212505.png

⚡ Cron Job Exploitation to root

📌 So I ran https://github.com/dominicbreuker/pspy to get any clues:

1
2
3
4
2026/06/10 11:47:57 CMD: UID=0     PID=1      | /sbin/init
2026/06/10 11:48:01 CMD: UID=0     PID=2837   | 
2026/06/10 11:48:01 CMD: UID=0     PID=2836   | 
2026/06/10 11:48:01 CMD: UID=0     PID=2835   | /bin/sh -c curl mkingdom.thm:85/app/castle/application/counter.sh | bash >> /var/log/up.log 

I think I found it. It is a cron job that downloads counter.sh from the URL, executes it, and appends the log to up.log.

So, if we host a malicious counter.sh at the same path on our local machine and edit the hosts file, we are good to go. Let’s see: Pasted image 20260610213841.png Yes, we can edit the hosts file. First, let’s create a reverse shell script and host it: Pasted image 20260610214503.png Pasted image 20260610215235.png And I made the bash file.

I set up the path and started the server. Remember to use port 85! Pasted image 20260610214648.png Let’s test this:

Pasted image 20260610221803.png It worked! Let’s see: Pasted image 20260610221855.png We got root access! Pasted image 20260610222111.png

This post is licensed under CC BY 4.0 by the author.