
Spx 🔸

Enumeration

We have a tiny file manager login page.

None of the default credentials work. Using feroxbuster, we find a phpinfo page.

Looking at the phpinfo output, we see that the SPX extension is loaded.

Searching the web, we find an issue for a path traversal: https://github.com/NoiseByNorthwest/php-spx/issues/251

So using caido, we can use the SPX key found by filtering the phpinfo output and...

Looking at the tinyfilemanager repository, we find that the users are hardcoded in index.php.

So we go to the index and...

// tinyfilemanager index.php: hardcoded users with bcrypt ($2y$) password hashes
$auth_users = array(
    'admin' => '$2y$10$7LaMUa8an8NrvnQsj5xZ3eDdOejgLyXE8IIvsC.hFy1dg7rPb9cqG',
    'user' => '$2y$10$x8PS6i0Sji2Pglyz7SLFruYFpAsz9XAYsdiPyfse6QDkB/QsdShxi'
);

Using hashcat to crack the bcrypt hashes:

Initial Access

Now we can access the file manager and upload a reverse shell.

Privilege Escalation

We can pivot to the profiler user using the lowprofile password from before.

Get the flag.

We can use make with sudo.

Create a Makefile (the recipe line must be indented with a tab, not spaces, or make fails with "missing separator"):

# recipe line below starts with a tab
install:
	chmod +s /bin/bash
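The setuid bash left behind by the Makefile above is exactly the kind of artifact a defender should be sweeping for. The following is an added audit script, not part of this writeup: it walks the given directories, lists every setuid/setgid regular file, and flags those whose name is a shell or interpreter (the SHELL_NAMES list is an assumption you can extend).

```python
import os
import stat
from typing import Iterable, List, Tuple

# Binaries that should never carry the s-bit (assumed list; extend as needed).
SHELL_NAMES = {"bash", "sh", "dash", "zsh", "ksh", "fish", "python3", "perl"}


def find_setid_files(roots: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, bits) for every regular file under roots that has the
    setuid and/or setgid bit set. Symlinks are not followed (lstat)."""
    hits: List[Tuple[str, str]] = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # vanished or unreadable; skip
                if not stat.S_ISREG(st.st_mode):
                    continue
                bits = []
                if st.st_mode & stat.S_ISUID:
                    bits.append("setuid")
                if st.st_mode & stat.S_ISGID:
                    bits.append("setgid")
                if bits:
                    hits.append((path, "+".join(bits)))
    return hits


def flag_setid_shells(roots: Iterable[str]) -> List[Tuple[str, str]]:
    """Subset of find_setid_files whose basename is a known shell/interpreter.
    A 'chmod +s /bin/bash' shows up here as ('/bin/bash', 'setuid')."""
    return [(p, b) for p, b in find_setid_files(roots)
            if os.path.basename(p) in SHELL_NAMES]


if __name__ == "__main__":
    # Typical sweep over the usual binary directories.
    for path, bits in flag_setid_shells(["/bin", "/usr/bin", "/usr/local/bin"]):
        print(f"ALERT {bits} on shell/interpreter: {path}")
```

Run it from cron or a host-based agent and diff the full find_setid_files output against a known-good baseline to catch any new s-bit file, not only shells.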

Post Exploitation

Get the flag.