Machine Synopsis

Compromised is a hard Linux machine that features an `Apache` web server running on port 80. The web server features a `LiteCart` installation, and enumeration reveals a backup copy of the live website. Analysis of the backup suggests that the website has already been compromised. Malicious code in one of the PHP files leads to a hidden log on the server, which contains valid credentials for the `LiteCart` admin panel. These credentials can be used to exploit an `Arbitrary File Upload` vulnerability in version `2.1.2` of the `LiteCart` software, in order to upload and execute `PHP` code. This proves difficult as most code execution related functions have been disabled. However, a bypass is found for PHP versions `7.0-7.4`. Through code execution and the analysis of the web server files, valid credentials for the `MySQL` database are found. Enumeration of the database for `User Defined Functions` identifies a backdoor for executing code in the context of the MySQL user. This is leveraged to gain SSH access to the machine in the context of the MySQL user. The user's home folder contains a log file, the contents of which are identified as the output of an `strace` keylogger. Analysis of the logged keys reveals the password for the `sysadmin` user, who we move to. In order to achieve privilege escalation to the `root` account, users must undertake a forensic analysis of the affected system, which reveals that two rootkits are installed. The first is a shared library called `libdate.so`, which has been set to execute during `read` system calls using LD_PRELOAD. The second is a malicious `pam_unix.so`, which was used to replace the original file of the same name, and is called every time an authentication request is made. Both of these files contain hardcoded master keys that once inputted, allow users to escalate to the `root` account.