# Proving grounds Play: Payday

Proving grounds Practice - Payday CTF writeup.

### Nmap

```
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
80/tcp  open  http        Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
110/tcp open  pop3        Dovecot pop3d
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
143/tcp open  imap        Dovecot imapd
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
993/tcp open  ssl/imap    Dovecot imapd
995/tcp open  ssl/pop3    Dovecot pop3d
```

### 80/tcp open http Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)

#### Directory Search

![img](/files/D0gUuexeru8YXjdvxFWs)

**Admin login**

<http://192.168.195.39/admin>

> Credential: `admin:admin`

The site runs CS-Cart, which is vulnerable to [Remote Code Execution](https://www.exploit-db.com/exploits/48891) through its template editor.

Rename the Pentest Monkey PHP reverse shell to a `.phtml` file and upload it through the template editor menu as a new template. Then browse to the URL below to trigger the reverse shell.

<http://192.168.195.39/skins/shell.phtml>

![img](/files/l88xs69MDIWqEQ2tdj2y)

**Initial Foothold Obtained**
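From the defender's side, the foothold above leaves a clear trace: a request for a PHP-executable file (`.phtml` here) under a directory that should only ever hold template assets. The following is an added example, not part of the original writeup, that parses Apache combined-format access log lines and flags such requests. The log lines are constructed samples, and the assumption that `/skins/` is a static-only tree comes from the shell URL in the writeup; adjust `STATIC_DIRS` for your own deployment.

```python
import re

# Constructed sample lines in Apache combined log format; not taken from the original writeup.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Oct/2023:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Oct/2023:10:01:10 +0000] "POST /admin.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Oct/2023:10:02:30 +0000] "GET /skins/shell.phtml HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.7 - - [19/Oct/2023:10:03:00 +0000] "GET /skins/basic/customer/styles.css HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
10.0.0.9 - - [19/Oct/2023:10:04:00 +0000] "GET /skins/evil.phtml?x=1 HTTP/1.1" 404 210 "-" "curl/7.68.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Extensions mod_php will execute (.phtml is handled the same way as .php).
SCRIPT_EXTS = (".php", ".phtml", ".php3", ".php4", ".php5", ".phps")

# Directories that should only serve template assets. "/skins/" is an assumption
# taken from the shell URL in the writeup; extend this for your own deployment.
STATIC_DIRS = ("/skins/",)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    # Drop any query string so the extension check sees only the file path.
    d["path"] = d["path"].split("?", 1)[0]
    return d


def is_script_in_static_dir(path):
    """True when the path is a PHP-executable file inside a static-only directory."""
    p = path.lower()
    return p.startswith(STATIC_DIRS) and p.endswith(SCRIPT_EXTS)


def find_script_hits(log_text):
    """Flag every request, whatever its status, for a script under a static template directory.

    A 200 means the server actually executed the file; a 404 still shows someone probing for one.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_script_in_static_dir(rec["path"]):
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"], "status": rec["status"]})
    return hits


if __name__ == "__main__":
    for h in find_script_hits(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} {h['status']} {h['path']}")
```

The same check is cheap to enforce rather than just detect: an Apache `<Directory>` block for the template tree that turns off script execution removes the class of issue, and the log rule then only catches attempts.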

### Privilege Escalation

Recon showed two users on the system: `patrick` and `root`.

Brute forcing the SSH credentials for the user `patrick` with hydra failed, so `ncrack` was used as an alternative to crack the password.

> Credential: `patrick:patrick`

![img](/files/NNTxj0H6DFxsDk5q7Bgm)

> Note: Always try logging in to SSH with the password set to the same value as the username.

Recon showed that the user `patrick` can run `ALL` commands via sudo, so `sudo su` gives a root shell.

![img](/files/VoVKaJjlxrq2EHchQAqL)

**Root Obtained**
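The privilege escalation only worked because an ordinary user had been granted `ALL` in sudoers. The following is an added example, not part of the original writeup, of a small audit that parses sudoers-style specification lines and reports every user or group allowed to run any command as root, rating `NOPASSWD` grants higher. The sudoers excerpt is a constructed sample, not the target's real file, and the parser is deliberately simplified: it skips `Defaults`, comments and alias definitions and does not follow `#include` directives.

```python
import re

# Constructed sudoers excerpt for the example; not taken from the target machine.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root            ALL=(ALL) ALL
patrick         ALL=(ALL) ALL
backup          ALL=(root) NOPASSWD: /usr/bin/rsync
%admin          ALL=(ALL) ALL
www-data        ALL=(ALL:ALL) NOPASSWD: ALL
"""

# Shape of a specification line:  user_or_%group  hosts = (runas) [tags:] commands
SPEC_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$'
)
# Tag prefixes that can precede the command list.
TAG_RE = re.compile(r'\b(?:NOPASSWD|PASSWD|SETENV|NOSETENV):\s*')


def parse_sudoers(text):
    """Parse user/group specification lines; Defaults, comments and aliases are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "_Alias" in line:
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        cmds = m.group("cmds")
        entries.append({
            "who": m.group("who"),
            "runas": m.group("runas"),            # None means "as root" (the sudo default)
            "nopasswd": "NOPASSWD:" in cmds,
            "commands": [c.strip() for c in TAG_RE.sub("", cmds).split(",") if c.strip()],
        })
    return entries


def find_full_sudo(text, ignore=("root",)):
    """Return (principal, severity) for each principal allowed to run ALL as root or as anyone."""
    findings = []
    for e in parse_sudoers(text):
        if e["who"] in ignore:
            continue
        # (ALL), (ALL:ALL), (root) and an absent runas all permit running as root.
        runs_as_root = e["runas"] is None or e["runas"].split(":")[0] in ("ALL", "root")
        if "ALL" in e["commands"] and runs_as_root:
            findings.append((e["who"], "critical" if e["nopasswd"] else "high"))
    return findings


if __name__ == "__main__":
    for who, severity in find_full_sudo(SAMPLE_SUDOERS):
        print(f"{severity:8s} {who} may run any command as root")
```

On a real host, feed it the output of `sudo cat /etc/sudoers /etc/sudoers.d/*` rather than the sample; a password-equals-username account with a `high` or `critical` finding here is exactly the chain this box demonstrates.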

Thanks for reading!

For more updates and insights, follow me on Twitter: [@thevillagehacker](https://twitter.com/thevillagehackr).

