Saturday, February 2, 2019



- Layout for this exercise:


- The goal of this exercise is to develop a hacking process for the vulnerable machine Europa, which is a retired machine from the Hack The Box pentesting platform:


- Europa's IP is

- Scanning with Nmap:

- Going deeper with the scanning:

- So there are two domains that should be added to the /etc/hosts file:

- sslyze is also able to find both domains in the TLS certificate:

- Connecting to admin.portal we have a Login form:


- The exploitation process consists of two steps:

3.1 - Database exploitation

- Let's start by exploiting with sqlmap any potential database at Europa:

- sqlmap has several options that can be used, for instance:

- Launching sqlmap against Europa's administrator portal we find two databases:

- Going deeper with database admin and dumping all available information:

- Cracking the dumped password hash, which is the same for both users:

- Now we can login successfully to the admin-portal console with admin's email and his password SuperSecretPassword! 

3.2 - PHP code exploitation

- Once logged in, the Dashboard has a Tools tab:

- Going to Tools we find a VPN generator script:

- Intercepting the VPN generation with Burp:

- So there is a parameter called pattern, which is used by the preg_replace PHP function in this way:

- One of the pattern modifiers is /e, which was deprecated in PHP 5.5 and removed in PHP 7.0 because of the code execution risk it carries:

- As said before, the modifier e is the origin of this vulnerability:

- Here is another interesting explanation about this vulnerability:

- So what the e modifier does is evaluate the replacement string as PHP code after the backreferences have been substituted into it.

- We can take advantage of this by appending the e modifier to the user-controlled pattern parameter and supplying PHP code as the replacement string:
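The following is an added example in PHP, not code from Europa's portal. It puts the vulnerable preg_replace() shape next to two safe ways of writing the same "fill the VPN template" feature, and is kept PHP 5 compatible so the vulnerable branch can be observed on an old interpreter. Only the parameter name pattern is taken from the intercepted request; the template text, the placeholder ip_address and the name of the address field are assumptions.

```php
<?php
// Added example (not code from the Europa box): the preg_replace() /e weakness
// discussed above, next to two safe ways of writing the same "fill the VPN template"
// feature. Kept PHP 5 compatible on purpose so the vulnerable branch can be observed
// on an old interpreter. Assumptions: the template text, the placeholder "ip_address"
// and the second form field; only the "pattern" parameter name comes from the request.

// Vulnerable shape: the client controls the whole regex, modifiers included.
// With pattern=/ip_address/e, PHP (< 7.0) first substitutes backreferences into
// $replacement and then eval()s the resulting string, so the replacement is code.
// PHP >= 7.0 refuses /e (warning, returns NULL), so this only works on the old target.
function generate_vpn_config_vulnerable($template, $pattern, $replacement)
{
    return preg_replace($pattern, $replacement, $template);
}

// Hardened shape 1: the feature only needed a literal placeholder swap, so no regex
// is exposed at all. Validate the value and use str_replace().
function generate_vpn_config($template, $ip)
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('ipaddress must be an IP address');
    }
    return str_replace('ip_address', $ip, $template);
}

// Hardened shape 2: if user text really has to become part of a regex, the server
// owns the delimiters and the modifier list, and the user text is escaped with
// preg_quote(), so a client-supplied "/e" is matched literally instead of parsed.
function replace_user_token($template, $userToken, $value)
{
    $pattern = '/' . preg_quote($userToken, '/') . '/';
    // preg_replace_callback() is the documented replacement for /e: any code that
    // runs is this closure, never a string the client sent.
    return preg_replace_callback($pattern, function (array $m) use ($value) {
        return $value;
    }, $template);
}

// Demo on constructed input:  php europa_preg.php
if (PHP_SAPI === 'cli') {
    $template = "remote ip_address 1194\nproto udp\n";

    // What the Burp request does: the pattern carries /e and the address field
    // carries PHP code instead of an address.
    $attackerPattern     = '/ip_address/e';
    $attackerReplacement = "system('id')";
    $out = @generate_vpn_config_vulnerable($template, $attackerPattern, $attackerReplacement);
    echo "vulnerable : ", var_export($out, true), "\n"; // PHP 5: id runs, PHP 7+: NULL

    echo "hardened 1 : ", generate_vpn_config($template, '10.10.14.5');
    echo "hardened 2 : ", replace_user_token($template, 'ip_address', '10.10.14.5');

    // The same attacker input is now inert: "/ip_address/e" is looked for as literal
    // text, is not present in the template, so nothing is replaced and nothing runs.
    echo "attack vs 2: ", replace_user_token($template, $attackerPattern, $attackerReplacement);
}
```

The point to take away is that the fix is not "filter out /e": on PHP 5 any regex whose delimiters and modifiers the client chooses is a code-execution primitive, so either no regex is exposed at all, or the server builds the pattern itself around preg_quote()'d user text.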

- Sending the request to Burp Repeater, let's try to read /etc/passwd:

- Now, creating a reverse shell payload with Msfvenom:

- Encoding as URL format:

- Adding to Burp request:

- Setting a listener session:

- Finally, launching the Burp Repeater we achieve a shell reverse connection:

- Improving the shell:

- The current user is www-data:


- Reading user.txt:


- Looking at the cron jobs, there is a task called clearlogs run every minute by the root user, which is interesting to exploit:

- Reading clearlogs:

- So what we need to do is replace the content of with a payload of our choice.

- By the way, does not even exist at the moment, so it must be created from scratch:

- Msfvenom comes to our help again, this time using a different port than before:

- Setting a listener session at port 6666:

- Echoing the exploit to

- The script is successfully created:

- Making the script executable:

- Note that if we run the script ourselves instead of waiting for the cron interval, the shell runs as www-data (not root), so we only get a low-privilege shell:

- However, after closing that session, starting a new listener and waiting for cron to run the script as root, we finally get a root reverse shell:
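As an added example, not code from the Europa box, here is the check behind this privilege escalation written as a small PHP CLI script (PHP is chosen because the interpreter is already present on a box that runs a PHP web app, so it can be run straight from the www-data foothold). A root cron job is hijackable by the current user when the program it runs is writable by that user, or does not exist yet and its directory is writable, which is the case found here. The paths in the built-in sample crontab are invented.

```php
<?php
// Added example (not code from the Europa box): the check behind the privilege
// escalation above, written in PHP because the interpreter is already on a box that
// runs a PHP web app. A root cron job is hijackable by the current user when the
// program it runs is writable by that user, or does not exist yet and its directory
// is writable (the case found here: the script had to be created from scratch).
// The paths in the built-in sample crontab are invented.

// Parse system-crontab lines (/etc/crontab, /etc/cron.d/*): schedule fields, a user
// field, then the command. Comments, blank lines and VAR=value lines are skipped.
function parse_system_crontab($text)
{
    $jobs = array();
    foreach (preg_split('/\R/', $text) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || preg_match('/^[A-Za-z_][A-Za-z0-9_]*=/', $line)) {
            continue;
        }
        $fields = preg_split('/\s+/', $line);
        $n = ($line[0] === '@') ? 1 : 5;          // @reboot/@hourly use one schedule field
        if (count($fields) < $n + 2) {
            continue;                              // user-crontab line or junk: no user field
        }
        $jobs[] = array(
            'schedule' => implode(' ', array_slice($fields, 0, $n)),
            'user'     => $fields[$n],
            'program'  => $fields[$n + 1],        // first word: what cron (via sh -c) executes
            'command'  => implode(' ', array_slice($fields, $n + 1)),
        );
    }
    return $jobs;
}

// Classify one job from the point of view of the current unprivileged process.
function classify_cron_job(array $job)
{
    if ($job['user'] !== 'root') {
        return 'not root';
    }
    $p = $job['program'];
    if ($p[0] !== '/') {
        return 'relative path (resolved through cron PATH; check those dirs too)';
    }
    if (file_exists($p)) {
        return is_writable($p) ? 'HIJACKABLE: existing program is writable' : 'ok';
    }
    $dir = dirname($p);
    return (is_dir($dir) && is_writable($dir))
        ? 'HIJACKABLE: program missing and we can create it'
        : 'missing (directory not writable)';
}

if (PHP_SAPI === 'cli') {
    // Real use: php cron_audit.php /etc/crontab /etc/cron.d/*
    // With no arguments a constructed sample is scanned so the script runs anywhere.
    $files  = array_slice($argv, 1);
    $inputs = $files ? array_map('file_get_contents', $files) : array(<<<CRON
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root /opt/cronjobs/clearlogs
* * * * * root /tmp/payload.sh
@reboot www-data /usr/bin/php /var/www/queue.php
CRON
    );
    foreach ($inputs as $text) {
        foreach (parse_system_crontab($text) as $job) {
            printf("%-22s %-9s %-32s %s\n", $job['schedule'], $job['user'], $job['program'], classify_cron_job($job));
        }
    }
}
```

One caveat: the script only inspects the first hop, the program named in the crontab entry. On Europa the weakness was one level down, since clearlogs itself existed but invoked another script that did not, so every root-run script still has to be read and the same writable-or-missing test applied to the paths it calls.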


- Reading root.txt: