Enumeration

Nmap

Initial Nmap scan revealed HTTP and SSH ports were open.


Web Enumeration

The website was a Grav CMS website.


I found the admin login page on the website. I tried some default credentials, but none of them worked.


Exploitation

CVE-2021-21425

While searching for a Grav exploit on Google, I found a post from Mehmet Ince which explains an unauthenticated RCE in Grav CMS. It also included a Metasploit script.


I also found a GitHub repo that included an exploit script for this CVE.


I tried the exploit and it worked: I got a reverse shell.


The Metasploit script also worked and got me a reverse shell.


Privilege Escalation

admin.yaml

While searching through the web files, I found a YAML file which included the admin's hashed password. I tried to crack it but could not, so it was useless.


PHP (SUID Bit)

I checked the SUID binaries and found that PHP was a SUID binary.


I found the GTFOBins page for PHP SUID exploitation.


Then I applied the steps and got root.
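The PHP finding above is a hardening failure that can be audited for directly: a setuid interpreter hands its owner's privileges to any local user who can run it. The following is an added audit script, not code from the original post, that reports setuid/setgid interpreters and shells under a directory and strips the bits; it assumes Linux with GNU find, and the function names are this example's own.

```shell
#!/bin/sh
# Audit a directory tree for setuid/setgid files whose name is a script
# interpreter or shell. A setuid interpreter (here: php) lets any local user
# run arbitrary code as the file owner, which is the misconfiguration that
# gave root in this walkthrough. Assumes Linux with GNU find; the function
# names below are this example's own, not from the original post.

# Interpreters and shells that must never carry a setuid/setgid bit.
SUID_BLOCKLIST='php python perl ruby node lua bash sh dash zsh'

# find_suid_interpreters DIR
#   Prints "MODE OWNER PATH" for every matching file under DIR.
#   Returns 0 when at least one was found, 1 when the tree is clean.
find_suid_interpreters() {
    # -perm /6000 matches files with setuid (4000) or setgid (2000) set;
    # -xdev keeps the scan on one filesystem, as you would on a real host.
    report=$(find "$1" -xdev -type f -perm /6000 -printf '%M %u %p\n' 2>/dev/null |
        while read -r mode owner path; do
            name=${path##*/}
            # php7.4 -> php, python3.11 -> python: drop a trailing version.
            stem=$(printf '%s' "$name" | sed 's/[0-9.]*$//')
            for bad in $SUID_BLOCKLIST; do
                if [ "$stem" = "$bad" ]; then
                    printf '%s %s %s\n' "$mode" "$owner" "$path"
                    break
                fi
            done
        done)
    [ -n "$report" ] || return 1
    printf '%s\n' "$report"
}

# remove_suid FILE: the fix for a finding, strip both setuid and setgid bits.
remove_suid() {
    chmod u-s,g-s "$1"
}

# Example audit of the whole host (run as root for a complete picture):
# find_suid_interpreters / && echo "setuid interpreters found, review above"
```

Anything the audit reports should be fixed with remove_suid (or by replacing the binary with a properly scoped sudo rule), since GTFOBins lists a one-line root shell for nearly every interpreter in the blocklist.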
