Enumeration

Nmap

The initial nmap scan revealed that the HTTP and SSH ports were open.

00 - nmap

WEB Enumeration

When I visited the website I was redirected to the exfiltrated.offsec domain, so I added it to the /etc/hosts file.

01 - domain name

02 - etc hosts

I then browsed the website and found an admin panel running Subrion CMS v4.2.1.

03 - admin panel

I then tried the credentials admin:admin, and they worked.

04 - admin admin

Exploitation (Directly Root)

Getting Shell as www-data

I then searched for this version and found that it was vulnerable to RCE.

05 - exploit

I simply ran the exploit and obtained a webshell.

06 - revshell

However, the webshell was restricted and I could not enumerate the host, so I uploaded the pentestmonkey reverse shell as a .phar file and switched to that shell.

07 - pentestmonkey

08 - shell phar

09 - updated shell

pspy64

I then tried many privilege escalation methods, none of which worked. I later ran pspy64 and found that a cron job was running as root.

10 - pspy64 root

I then checked that .sh file and found that it was using exiftool to read the metadata of files.

11 - exif sh

CVE-2021-22204

I then searched the internet and found this INE post, which explains a privilege escalation vector through exiftool. It was simply command injection caused by the improper handling of DjVu files.

I then found a JPG image generator for this exploit and ran it to create a malicious image file.

12 - dejavu img

I then uploaded this file to the folder from which the cron script reads JPG files. After waiting 1 minute, the cron script executed. I then simply exploited the SUID bit on bash and got a root shell.

13 - got the root
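As an added defender-side check (not part of the original writeup), this Python script audits a host for the two conditions the chain above depended on: an exiftool version in the CVE-2021-22204 affected range (7.44 up to the fix in 12.24) and a root-run script that passes files from a web-writable directory to exiftool. The sample script and the /var/www/uploads path are constructed placeholders, not the box's real paths.

```python
"""Audit for the two conditions the exiftool cron privesc relied on:
a CVE-2021-22204-affected exiftool and a root-run script that feeds it
files from a directory the web user can write to."""
import re

FIRST_AFFECTED = (7, 44)  # the advisory's affected range starts at 7.44
FIXED = (12, 24)          # CVE-2021-22204 was fixed in ExifTool 12.24

# Constructed stand-in for the cron script in the writeup; the path is
# a placeholder, not the real box's upload directory.
SAMPLE_SCRIPT = """#!/bin/bash
for f in /var/www/uploads/*.jpg; do
    exiftool "$f" >> /tmp/meta.log
done
"""

def parse_version(ver: str) -> tuple:
    """Turn 'exiftool -ver' output such as '12.16' into (12, 16)."""
    m = re.match(r"\s*(\d+)\.(\d+)", ver)
    if not m:
        raise ValueError(f"unrecognised exiftool version: {ver!r}")
    return int(m.group(1)), int(m.group(2))

def exiftool_vulnerable(ver: str) -> bool:
    """True if the version falls in the CVE-2021-22204 affected range."""
    return FIRST_AFFECTED <= parse_version(ver) < FIXED

def script_feeds_exiftool_from(script_text: str, writable_dirs) -> list:
    """Writable directories the script references, if it also calls exiftool."""
    if not re.search(r"\bexiftool\b", script_text):
        return []
    return [d for d in writable_dirs if d in script_text]

def audit(version: str, script_text: str, writable_dirs) -> list:
    """Human-readable findings; an empty list means neither condition holds."""
    findings = []
    if exiftool_vulnerable(version):
        findings.append(f"exiftool {version} is affected by CVE-2021-22204 (fixed in 12.24)")
    for d in script_feeds_exiftool_from(script_text, writable_dirs):
        findings.append(f"root-run script passes files from writable {d} to exiftool")
    return findings

if __name__ == "__main__":
    # "12.16" is a constructed sample; on a real host use the output of `exiftool -ver`
    for finding in audit("12.16", SAMPLE_SCRIPT, ["/var/www/uploads"]):
        print(finding)
```

Either finding on its own is worth fixing: upgrading exiftool closes the parser bug, and moving the cron input out of a web-writable directory removes the path by which the web user could reach a root-run parser at all.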


<
Previous Post
Access - Proving Grounds Practice
>
Next Post
Twiggy - Proving Grounds Practice