April 14, 2025

Snookums Proving Grounds Write-Up

Proving Grounds Snookums machine walkthrough

SUMMARY

This write-up covers the Snookums machine from OffSec’s Proving Grounds, a Linux machine where a photo gallery RFI vulnerability chained with a writable /etc/passwd led to root.

Port 80 ran Simple PHP Photo Gallery, which had a Remote File Inclusion vulnerability. Exploiting the RFI parameter loaded a remote PHP webshell, achieving code execution as www-data. A database configuration file (db.php) contained MySQL credentials that were only Base64-encoded, not encrypted; decoding them yielded a password that was reused to SSH in as michael.

Privilege escalation was straightforward: /etc/passwd was world-writable. A crafted entry with a known password hash was appended for a new root-equivalent user, and switching to that user granted a root shell.
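As an added example (not code from the write-up), here is a small defensive audit for the two conditions this escalation depends on: a world-writable /etc/passwd, and passwd entries that carry an inline password hash or a second UID 0 account. The sample passwd content and the hash placeholder are constructed for the demo.

```python
import os
import stat

# Constructed sample /etc/passwd content (not from the Snookums box): a
# legitimate root line, a normal user, and an appended root-equivalent entry
# carrying an inline hash instead of the usual "x" placeholder. The hash value
# is a placeholder, not a real crypt(3) digest.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
michael:x:1000:1000::/home/michael:/bin/bash
backdoor:$1$abc$PLACEHOLDERHASHFORDEMO:0:0::/root:/bin/bash
"""


def audit_passwd_entries(text):
    """Return a list of (line_no, reason) findings for suspicious passwd lines."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((n, "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        # Any UID 0 account other than root is a second root login.
        if uid == "0" and name != "root":
            findings.append((n, f"UID 0 account '{name}' is not root"))
        # An inline hash means the account bypasses /etc/shadow entirely,
        # which is exactly what a writable /etc/passwd lets an attacker do.
        if pw == "":
            findings.append((n, f"empty password field for '{name}'"))
        elif pw not in ("x", "*", "!"):
            findings.append((n, f"inline password hash for '{name}'"))
    return findings


def is_world_writable_mode(mode):
    """True if the st_mode bits grant write permission to 'other'."""
    return bool(mode & stat.S_IWOTH)


def passwd_world_writable(path="/etc/passwd"):
    """Check the live file; /etc/passwd should normally be mode 0644."""
    return is_world_writable_mode(os.stat(path).st_mode)


if __name__ == "__main__":
    print("world-writable:", passwd_world_writable())
    with open("/etc/passwd") as fh:
        for line_no, reason in audit_passwd_entries(fh.read()):
            print(f"/etc/passwd:{line_no}: {reason}")
```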


PATH TO FOLLOW

  1. Reconnaissance & Simple PHP Photo Gallery Discovery
  2. RFI Exploitation → Webshell as www-data
  3. db.php Base64 Credential Extraction → SSH as michael
  4. World-Writable /etc/passwd Discovery
  5. Crafted Root Entry → Shell as Root

Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.