In this technical post-mortem, we detail the end-to-end compromise of "Expose," a Linux target designed to test multi-stage exploitation. The attack path moved through non-standard service discovery, source code leakage via LFI, and ultimately, an escalation to root through misconfigured system binaries.
Phase 1: Reconnaissance and The Port 1337 Discovery
UKC: Reconnaissance | MITRE: T1595 (Active Scanning)
The operation began with an aggressive Nmap scan. While standard web ports (80/443) appeared closed, the scan revealed a high-port service: 1337/TCP. Initial inspection confirmed this was an Apache web server.
Initial Discovery:
- Port 1337: HTTP (Apache)
- Port 1883: Mosquitto MQTT
- Port 22: SSH
- Port 21: FTP
The Dead End: We initially investigated the FTP service for anonymous access and the Mosquitto service for unauthenticated message sniffing. While these services were active, they served as "noise" or secondary vectors that did not provide immediate entry. The primary focus shifted to the "hidden" web application on Port 1337.
Phase 2: Web Enumeration and LFI Discovery
UKC: Weaponization | MITRE: T1505.003 (Web Shell)
Standard fuzzing and directory brute-forcing on http://<TARGET_IP>:1337/ revealed several interesting paths. While /admin and /phpmyadmin were found, they were well-secured against initial credential-stuffing attacks.
The breakthrough occurred upon discovering /file1010111/. This directory contained a PHP script with a visible parameter: ?file=. Testing for Local File Inclusion (LFI) (T1083), we successfully read /etc/passwd.
Source Code Leakage:
By leveraging the LFI, we pivoted from system files to application logic. We were able to read the contents of config.php, which revealed hardcoded credentials for a MySQL database user: zeamkish.
Phase 3: Exploitation and Gaining a Foothold
UKC: Delivery & Exploitation | MITRE: T1190 (Exploit Public-Facing Application)
Using the leaked database credentials, we accessed a secondary, more obscure administrative portal found at /admin_101/. Within the database logs stored there, we found a cleartext password used for an "Upload CV" session.
We navigated to /upload-cv00101011/. This portal was a custom-built PHP application.
- The Attack: We attempted to upload a standard .php reverse shell.
- The Bypass: The server had a basic extension filter. We bypassed this by naming the file shell.php.jpg and using a proxy tool to rename the extension back to .php in transit.
- The Result: Upon navigating to the uploaded file location, the server executed the PHP code, granting us a reverse shell as the www-data user.
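As an added defender-side example (not part of the original report), the Python below runs a small detection pass over constructed Apache access-log lines that mirror the request patterns of Phases 2 and 3: query values that traverse out of the include directory or ask for PHP source, double-extension filenames such as shell.php.jpg, and a script extension being served from the upload directory. The log lines, the uploads directory path and the script-extension list are assumptions made for the example, not values taken from the target.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample Apache access-log lines; they are not from the original report.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /file1010111/index.php?file=about.html HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2024:10:01:09 +0000] "GET /file1010111/index.php?file=../../../../etc/passwd HTTP/1.1" 200 1839
10.0.0.5 - - [12/Mar/2024:10:01:15 +0000] "GET /file1010111/index.php?file=%2e%2e%2f%2e%2e%2fconfig.php HTTP/1.1" 200 731
10.0.0.5 - - [12/Mar/2024:10:02:40 +0000] "POST /upload-cv00101011/upload.php HTTP/1.1" 200 88
10.0.0.5 - - [12/Mar/2024:10:02:47 +0000] "GET /upload-cv00101011/uploads/shell.php.jpg HTTP/1.1" 200 0
10.0.0.5 - - [12/Mar/2024:10:02:52 +0000] "GET /upload-cv00101011/uploads/shell.php HTTP/1.1" 200 0
"""

# Assumed directory the upload handler writes into (hypothetical; the report does not name it).
UPLOAD_DIRS = ("/upload-cv00101011/uploads/",)
# Extensions the web server would hand to the PHP interpreter (assumed list).
SCRIPT_EXTS = (".php", ".phtml", ".phar")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
DOUBLE_EXT_RE = re.compile(r"\.(php|phtml|phar)\.\w+$", re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_twice(value):
    # Decode twice so a double-encoded "%252e%252e" is seen as ".." as well.
    return unquote(unquote(value))


def detect(entry):
    """Return sorted detection tags for one parsed log entry."""
    tags = set()
    parts = urlsplit(entry["url"])
    path = decode_twice(parts.path)
    # Query values: traversal out of the include directory, or a request for PHP source.
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        for raw in values:
            value = decode_twice(raw)
            segments = value.replace("\\", "/").split("/")
            if ".." in segments or value.startswith("/"):
                tags.add("traversal")
            if value.lower().endswith(SCRIPT_EXTS):
                tags.add("source_disclosure")
    # Path: a double extension such as name.php.jpg, or a script served from the upload directory.
    if DOUBLE_EXT_RE.search(path):
        tags.add("double_extension")
    if path.lower().endswith(SCRIPT_EXTS) and path.startswith(UPLOAD_DIRS):
        tags.add("php_in_upload_dir")
    return sorted(tags)


def scan(log_text):
    """Return one record per flagged request, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        tags = detect(entry)
        if tags:
            findings.append(
                {"ip": entry["ip"], "url": entry["url"], "status": entry["status"], "tags": tags}
            )
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["status"], finding["url"], ",".join(finding["tags"]))
```

The status code is carried through because a 200 on a traversal request is the difference between an attempt and a confirmed read; a sensible alert would key on that combination. The same rules translate directly into a web application firewall or SIEM query, and the server-side fixes they point at are an include allowlist for the file parameter and upload storage outside the document root with no script execution.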
Phase 4: Horizontal Escalation to Zeamkish
UKC: Internal Reconnaissance | MITRE: T1078 (Valid Accounts)
As www-data, we were trapped in a low-privilege environment. We used the existing LFI vulnerability one last time to look for user-specific secrets. We identified a file in the home directory of the user zeamkish named ssh_creds.txt.
The credentials found in that file allowed us to abandon the unstable web shell and establish a persistent, high-quality SSH session (T1021.004). This gave us our first foothold as a legitimate system user.
User Flag Captured: THM{USER_FLAG_1231_EXPOSE}
Phase 5: Vertical Privilege Escalation (The Root Takeover)
UKC: Privilege Escalation | MITRE: T1548.001 (Setuid and Setgid)
Once logged in as zeamkish, we ran a search for binaries with the SUID (Set User ID) bit enabled. On a binary that can run arbitrary commands this is a critical misconfiguration: the program runs with the effective privileges of the file owner (here root) rather than those of the invoking user.
The Discovery:
/usr/bin/find was found to be SUID root.
The Exploitation:
The find utility has a built-in -exec action that allows it to run system commands. Because the binary was running as root, any command executed through it inherited those permissions.
We executed the following "GTFOBins" escape:
zeamkish@expose:~$ /usr/bin/find . -exec /bin/sh -p \; -quit
The -p flag is vital here; it tells the shell to maintain the effective user ID. Immediately, our prompt changed from $ to #, signifying full administrative control.
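As an added example (not from the original report) of the check a defender would schedule rather than run once, the Python below walks a directory tree for regular files with the setuid bit set and reports any root-owned one that is not in an assumed baseline, plus any SUID file that is group- or world-writable. The baseline set is a placeholder; a real one is generated from a clean install or the distribution's package manifests.

```python
import os
import stat

# Assumed baseline of SUID binaries expected on this host (hypothetical placeholder;
# build the real list from a known-good image or package metadata).
EXPECTED_SUID = {
    "/usr/bin/passwd",
    "/usr/bin/sudo",
    "/usr/bin/su",
    "/usr/bin/mount",
    "/usr/bin/umount",
}


def collect_suid(root):
    """Walk root and return (path, mode, uid) for every regular file with the setuid bit."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks into other trees
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append((path, st.st_mode, st.st_uid))
    return found


def audit_suid(entries, expected=EXPECTED_SUID):
    """Classify SUID entries: root-owned files outside the baseline, and writable ones."""
    unexpected_root = []
    writable = []
    for path, mode, uid in entries:
        if uid == 0 and path not in expected:
            unexpected_root.append(path)
        # A SUID file anyone else can modify lets them replace the privileged code.
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            writable.append(path)
    return {"unexpected_root": sorted(unexpected_root), "writable": sorted(writable)}


if __name__ == "__main__":
    report = audit_suid(collect_suid("/usr"))
    for path in report["unexpected_root"]:
        print("SUID root binary not in baseline:", path)
    for path in report["writable"]:
        print("SUID binary writable by group/other:", path)
```

On the target described above the report would list /usr/bin/find under unexpected_root; the remediation is to clear the bit (chmod u-s) and, if the tool genuinely needs elevated rights for one task, replace the blanket SUID with a narrowly scoped sudo rule or a capability.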
Phase 6: Action on Objectives
UKC: Action on Objectives | MITRE: T1531 (Data Exfiltration)
With root privileges, the entire file system was unlocked. We navigated to the /root directory to secure the final proof of compromise.
Root Flag Captured: THM{ROOT_EXPOSED_1001}
Summary of Findings
Vulnerabilities Exploited:
- Non-Standard Port Obscurity: Service was hosted on Port 1337, assuming it would avoid detection.
- Local File Inclusion (LFI): Improper sanitization of the file parameter allowed reading of sensitive source code (config.php).
- Credential Leakage: Plaintext credentials for both the database and SSH were stored in accessible files.
- Insecure File Upload: Failure to validate file types on the server side allowed for Remote Code Execution (RCE).
- SUID Misconfiguration: The find binary was granted root-level execution permissions, allowing a total system breakout.
MITRE ATT&CK Mapping:
- Reconnaissance: Active Scanning (T1595)
- Initial Access: Exploit Public-Facing Application (T1190)
- Execution: Command and Scripting Interpreter (T1059)
- Persistence: Valid Accounts (T1078)
- Privilege Escalation: Abuse Elevation Control Mechanism (T1548.001)
This machine serves as a textbook example of why Defense in Depth is necessary. No single vulnerability was enough to take down the system, but the chain, starting from a simple LFI on a hidden port, led to total compromise.
END OF REPORT