Hi everyone
Today we are going to look for a Box called Snookums which is rated as intermediate in terms of difficulty. This machine has various phases: Recon, Enumeration, Exploitation and Privilege Escalation.
Box Type: Linux
Recon & Enumeration
Enumeration plays a very significant role in pen testing. The more properly you enumerate the more it will be easy to get a foothold on the target.
First, we will check whether target is reachable or not with ping command:
ping Target_IP
With ping command output we found that the target is reachable.
Now let’s move ahead and run the port scan for which we will be using Nmap a popular tool for port scanning and it will provide details of the various ports which are in Open state. The command for that will be:
nmap -sC -sV -O -oA nmap/initial 192.168.118.58
I discovered these ports are open:
- 21/tcp – FTP Service running vsftpd 3.0.2 (Anonymous login allowed)
- 22/tcp – SSH Service running OpenSSH 7.4 (protocol 2.0)
- 80/tcp – HTTP Service running Apache httpd 2.4.6 (CentOS) PHP 5.4.16
- 111/tcp – RPC Service running rpcbind (RPC #100000)
- 139/tcp – NetBIOS Service running Samba smbd (3.X – 4.X)
- 445/tcp – SMB Service running Samba smbd 4.10.4
- 3306/tcp – MySQL Service (Unauthorized access)
- OS: Linux (Likely CentOS / Unix-based system)
- Hostname: SNOOKUMS
- SMB Signing: Enabled but not required (Potential risk)
Then I went ahead and checked the IP in the web browser and I found Simple PHP Photo Gallery running:
A quick gobuster scan shows readme.txt, images, image.php etc:
A quick search shows a exploit :
Exploitation
The above exploit didn’t worked for me , so I used the typical php reverse shell from /usr/share/webshell/php/php-reverse-shell.php and hosted in on my system and exploited the RFI issue:
I got the initial foothold, however I was not able to stabilize the shell because of python3 and I found a user called michael:
I discovered the MySQL root credentials from configuration file called db.php:
I found the base64 encoded credentials:
Privilege Escalation
So I decoded the credentials. I found the local.txt flag
Now it was a time for escalating the privileges. So I logged in with michael creds.
I escalated privileges by exploiting the fact that the user michael had write access to /etc/passwd. I generated a password hash, then added a new user entry with UID and GID set to 0, effectively creating a root-level account. After that, I logged in using the new credentials and confirmed root access since any user with UID 0 is treated as root by the system.
The above image shows the proof.txt file.
Key Takeaways
- Enumeration isn’t just about ports — services like FTP, SMB, and MySQL together often reveal the full attack surface.
- Anonymous or misconfigured services (like FTP) can leak sensitive files that shortcut the entire attack chain.
- Web vulnerabilities combined with file access can quickly turn into remote code execution if you control what gets loaded.
- Credentials discovered in one place should always be tested everywhere — reuse is more common than expected.
- Low-privilege access is just the beginning — always look for writable paths, scheduled executions, or weak permissions.
- Misconfigured permissions are often more powerful than exploits — control what gets executed, and you control the system.
- Reliable enumeration and chaining small weaknesses together is what leads to full compromise — not a single complex exploit.
If you enjoyed this post, share it with your friends and colleagues!