PetVet Writeup

Anees P K
Published on
20 Sep 2020
5 min read


Nobody likes animal cruelty! These veterinarians are running something bad behind the front, bust them out!


By accessing the URL you’ll get a Pet Veterinary site. There’s a contact form in it.

But nothing actually happens. By inspecting the site's source code, you can see that there's a commented-out form element whose action points to a PHP file.


When you request that file directly it is served for download instead of being executed, and its source contains some interesting information, especially a hardcoded database credential.


Okay, let's check the possibilities here. Maybe there's a backend, and how do people often manage databases on the web?

Well, there's phpMyAdmin. Let's check for that by appending phpmyadmin or phpma to the URL.


Voila! There's phpMyAdmin. Let's try the credentials now!


Good! It's working. Now you know there's a database there, and the phpMyAdmin page also tells you the version of the application.

Doesn't it look too old? Now you can search for RCE vulnerabilities affecting that specific version, and you might come across CVE-2016-5734, an authenticated RCE vulnerability in phpMyAdmin 4.3.0 - 4.6.2. And there are public exploits available!

Let's see if we can get RCE.

Here I am using a modified version of this exploit.


So there's a folder we can write to for uploads. Let's check which user we are running as.


And it's www-data, so we can write in this directory. By exploring the server's filesystem you might come across an interesting folder under /run/.


The server is running inside Kubernetes. If you’re a kube guy then you know what to do! ;).

For those who are not familiar with Kubernetes: it orchestrates containers and runs them in pods, and every pod runs with a service account, whose token is mounted into the pod's filesystem.

And with that token you can run Kubernetes commands from inside the pod if you have access to it. To do that you need the kubectl binary, and we already have a writable directory, so let's download kubectl there and execute some kube commands!


Now, let's see what we can access with the service account inside the pod. To do that we can run kubectl auth can-i --list


As you can see, the service account has access to pods, configmaps and pods/exec. ConfigMaps are a really interesting resource to check out.
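As a defender, the same kubectl auth can-i --list output is the quickest way to audit what a workload's service account could do if the pod were compromised. The following script is an added example written for this writeup, not code from the original post or from any project it mentions; it parses a constructed sample of that output (modelled on the permissions described above) and flags the entries that matter for lateral movement, such as create on pods/exec or get/list on configmaps and secrets. The risk table and severities are my own assumptions, not Kubernetes definitions.

```python
import re
from dataclasses import dataclass

# Constructed sample of `kubectl auth can-i --list` output for a pod's
# service account, resembling the permissions seen in this writeup.
SAMPLE_OUTPUT = """\
Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
pods/exec                                       []                  []               [create get]
pods                                            []                  []               [get list]
configmaps                                      []                  []               [get list]
                                                [/api/*]            []               [get]
"""

# One table row: optional resource name, then three bracketed lists.
# The header line has no brackets and is skipped; non-resource rows have
# an empty first column, which (\S*) matches as the empty string.
ROW_RE = re.compile(r"^(\S*)\s+\[([^\]]*)\]\s+\[([^\]]*)\]\s+\[([^\]]*)\]\s*$")


@dataclass
class Rule:
    resource: str
    non_resource_urls: list
    resource_names: list
    verbs: list


def parse_can_i_list(text):
    """Turn the tabular output into a list of Rule records."""
    rules = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header or blank line
        resource, urls, names, verbs = m.groups()
        rules.append(Rule(resource, urls.split(), names.split(), verbs.split()))
    return rules


# Assumed risk table (my own triage rules, not a Kubernetes standard):
# resource -> (verbs that make it dangerous, severity, why it matters).
# The selfsubject* review resources every authenticated principal has
# are deliberately not listed.
RISKY = {
    "pods/exec": ({"create"}, "high", "execute commands in other pods of the namespace"),
    "pods/attach": ({"create"}, "high", "attach to other pods of the namespace"),
    "pods": ({"create", "patch", "update"}, "high", "create or modify pods (e.g. mount host paths)"),
    "secrets": ({"get", "list", "watch"}, "high", "read Secrets (credentials, tokens)"),
    "configmaps": ({"get", "list", "watch"}, "medium", "read ConfigMaps (may leak internal config)"),
    "serviceaccounts/token": ({"create"}, "high", "mint tokens for other service accounts"),
}


def assess(rules):
    """Return (resource, severity, reason) for every rule worth a second look."""
    findings = []
    for r in rules:
        verbs = set(r.verbs)
        if r.resource in ("*", "*.*") or "*" in verbs:
            findings.append((r.resource, "critical", "wildcard resource or verb (cluster-admin-like)"))
            continue
        if r.resource in RISKY:
            dangerous, severity, why = RISKY[r.resource]
            hit = sorted(verbs & dangerous)
            if hit:
                findings.append((r.resource, severity, f"{why} via {', '.join(hit)}"))
    return findings


if __name__ == "__main__":
    for resource, severity, why in assess(parse_can_i_list(SAMPLE_OUTPUT)):
        print(f"[{severity.upper():8}] {resource}: {why}")
```

Run it against real output by piping kubectl auth can-i --list into the script and passing the text to parse_can_i_list. For the sample above it reports pods/exec as high and configmaps as medium; the fix on the cluster side is a namespaced Role for the workload's service account that drops pods/exec and configmaps entirely, or setting automountServiceAccountToken to false on pods that never need the API.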

Let’s check the configmaps with kubectl get configmaps -o yaml


There's something weird listed there, and one interesting detail: it shows that there are two namespaces, default and corona. Corona seems interesting. Let's try to get the pods running in the corona namespace.

kubectl get pods -n corona


There are two pods running in corona. Remember the pods/exec resource access? Let's try to execute commands inside one of the pods running in the corona namespace.

kubectl exec -n corona <pod-name> <command>


Yes! There's something called flag inside that pod. Let's try to describe it.


Yes! Inside the flag directory there’s the flag!


Written by
Anees P K
DevSecOps Engineer