We covered Practical Command Injection examples with Burp Suite to solve Challenge 008 in OWASP Hackademic free lab.
This demonstration highlighted a common post-exploitation technique where an attacker, having initial access, searches for further credentials or misconfigurations to elevate their privileges to the highest level on a compromised system.
The Scenario: Gaining Root Access
The starting point of the video was a web server that had already been compromised with a PHP shell. However, the existing access wasn’t sufficient; I needed root access to execute certain commands, specifically the su (switch user) command, which requires elevated privileges.
Finding and Decoding Credentials
To achieve root access, I needed credentials. I used Burp Suite to intercept the web traffic. By listing the files in the current directory through the PHP shell, I discovered a file named b64.txt.
Upon inspecting b64.txt, I found that it contained a base64 encoded string. This was a strong indicator that it held some form of hidden information.
To reveal the credentials, I used a command-line tool to decode the base64 string. This successfully unveiled a username and password.
Here’s the conceptual command I used in the terminal for decoding: echo "base64_encoded_string_here" | base64 --decode
Gaining Root Access
With the newly found username and password, I then used the su command within the PHP shell, providing the decoded credentials.
Here’s the conceptual command I used in the terminal to switch user: su - username
This action successfully granted me root access to the server, completing the privilege escalation!
