Enumeration

Nmap

The initial Nmap scan showed that SSH and port 8000 were open.

[image: 00 - nmap]

WEB Enumeration

The website was a Gerapy instance.

[image: 01 - Gerapy]

I tried the default admin:admin login and it worked.

[image: 02 - gerapy 0.9.7]

Exploitation

CVE-2021-43857

Gerapy is a distributed crawler management framework. Gerapy prior to version 0.9.8 is vulnerable to remote code execution, and this issue is patched in version 0.9.8.

While searching, I found that this version was vulnerable to authenticated RCE.

[image: 04 - exploit db]

I ran the exploit, but it did not work and gave an "index out of range" error. After some research I understood that I needed to create a project first, so I did.

[image: 03 - added a project]

Then I ran the exploit and got a reverse shell.

[image: 05 - exploit]

[image: 06 - shell]

Then I simply read the user flag.

[image: 07 - flag]

Privilege Escalation (Capabilities SetUID)

Python SetUID

I checked capabilities both manually and with linpeas and found that python had the setuid capability.

[image: 08 - python setuid priv]

[image: 08 - python setuid priv 2]

I simply obtained root by running python -c 'import os; os.setuid(0); os.system("/bin/bash")'.

[image: 09 - root]
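The cap_setuid capability on an interpreter is the whole story of this privilege escalation, and it is trivial to find from the defender's side. The following audit script is an added example written for this write-up, not the author's code or linpeas: it parses the output of getcap -r / (both the older "path = caps+ep" and newer "path caps=ep" line formats), flags identity-changing capabilities, and rates any such capability on an interpreter as critical. The sample getcap output is constructed; on a real host the run_getcap() helper collects the live output instead.

```python
#!/usr/bin/env python3
"""Audit file capabilities for privilege-escalation risk.

Added example, not part of the original write-up. The sample getcap
output below is constructed; run_getcap() collects real output instead.
"""
import os
import re
import subprocess

# Capabilities that let a process change identity or bypass DAC checks.
DANGEROUS_CAPS = {
    "cap_setuid", "cap_setgid", "cap_setfcap", "cap_chown", "cap_fowner",
    "cap_dac_override", "cap_dac_read_search", "cap_sys_admin",
    "cap_sys_ptrace", "cap_sys_module",
}

# Programs that run arbitrary code given on the command line: any capability
# on these is reachable by every local user allowed to execute them.
INTERPRETER_PREFIXES = ("python", "perl", "ruby", "php", "node", "lua")

# Constructed sample of `getcap -r /` output, mixing old and new formats.
SAMPLE_GETCAP_OUTPUT = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
"""

# "path = caps" (older libcap) or "path caps" (newer libcap).
LINE_RE = re.compile(r"^(?P<path>\S+)\s+=?\s*(?P<caps>\S+)$")


def parse_getcap_line(line):
    """Return (path, set of capability names) for one getcap line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Capability names come before the flag part ("+ep" or "=eip").
    names = re.split(r"[+=]", m.group("caps"), maxsplit=1)[0]
    caps = {c.strip().lower() for c in names.split(",") if c.strip()}
    return m.group("path"), caps


def audit_capabilities(getcap_output):
    """Return a list of (path, sorted dangerous caps, severity) findings."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        bad = sorted(caps & DANGEROUS_CAPS)
        is_interp = os.path.basename(path).startswith(INTERPRETER_PREFIXES)
        if bad and is_interp:
            severity = "critical"   # any local user can become root
        elif bad:
            severity = "high"       # needs a code-execution bug in the binary
        elif is_interp:
            severity = "medium"     # non-identity capability, but on an interpreter
        else:
            continue                # e.g. cap_net_raw on ping: expected
        findings.append((path, bad, severity))
    return findings


def run_getcap():
    """Collect live output from the host; needs libcap's getcap binary."""
    proc = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    for path, caps, severity in audit_capabilities(SAMPLE_GETCAP_OUTPUT):
        print(f"{severity.upper():8} {path}: {','.join(caps) or '(interpreter)'}")
```

Run against the constructed sample it reports only /usr/bin/python3.8 as critical; ping, mtr-packet and tcpdump carry network capabilities that are expected and not identity-changing. The fix on the box would be to strip the capability (setcap -r on the interpreter) and give the service that needed it a dedicated account or a systemd unit with AmbientCapabilities instead of capabilities on a shared interpreter.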

Privilege Escalation (Service Cleartext Credentials)

At first I checked all services on the machine and found that Gerapy was running as a service (app.service).


Then I checked its status to find the service path.

[image: 10 - service path]

Then I checked that file and found cleartext credentials.

[image: 11 - found password]
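The second path to root came from credentials sitting in a file that a service unit pointed at. The script below is an added example for this write-up, not the author's code and not something the Gerapy project ships: it scans a systemd unit for Environment= variables whose names look like secrets, Exec* lines that pass a password as a command-line option, any EnvironmentFile= it references, and reports when such a file is readable by every local user. Secret values are never printed, only the variable name and line number. The sample unit and its placeholder values are constructed.

```python
#!/usr/bin/env python3
"""Find cleartext credentials in systemd units and their env files.

Added example, not part of the original write-up. SAMPLE_UNIT is a
constructed unit with placeholder values, not real credentials.
"""
import os
import re
import shlex
import stat

# Variable names that usually carry a secret.
SECRET_KEY_RE = re.compile(
    r"(?i)(pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key)")
# Command-line options carrying a secret inline, e.g. --db-password=VALUE
INLINE_SECRET_RE = re.compile(
    r"(?i)-{1,2}[\w-]*(?:password|passwd|secret|token)[= ]\S+")

# Constructed sample unit; CHANGEME_example is a placeholder, not a credential.
SAMPLE_UNIT = """\
[Unit]
Description=Gerapy (constructed example)
After=network.target

[Service]
User=gerapy
WorkingDirectory=/opt/gerapy
Environment=DJANGO_SETTINGS_MODULE=gerapy.server.settings
Environment="DB_PASSWORD=CHANGEME_example" "DB_USER=app"
ExecStart=/usr/bin/python3 manage.py runserver --db-password=CHANGEME_example
Restart=always
"""


def scan_unit_text(text):
    """Return (line_number, reason, name) findings; values are never exposed."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip()
        if key == "Environment":
            # Value is a list of shell-style, possibly quoted, NAME=VALUE tokens.
            for token in shlex.split(value):
                name = token.split("=", 1)[0]
                if SECRET_KEY_RE.search(name):
                    findings.append((lineno, "secret in Environment=", name))
        elif key.startswith("Exec"):
            m = INLINE_SECRET_RE.search(value)
            if m:
                option = m.group(0).split("=", 1)[0].split(" ", 1)[0]
                findings.append((lineno, "secret on command line", option))
    return findings


def scan_env_text(text):
    """Scan a shell-style EnvironmentFile (NAME=VALUE per line)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name = line.split("=", 1)[0].replace("export ", "").strip()
        if SECRET_KEY_RE.search(name):
            findings.append((lineno, "secret in env file", name))
    return findings


def is_world_readable(mode):
    """True if the 'other' read bit is set on a st_mode value."""
    return bool(mode & stat.S_IROTH)


def scan_unit_file(path):
    """Scan a unit on disk plus any EnvironmentFile= it references."""
    with open(path) as fh:
        text = fh.read()
    findings = scan_unit_text(text)
    # Unit files are normally 0644; that only matters once they hold secrets.
    if findings and is_world_readable(os.stat(path).st_mode):
        findings.append((0, "secrets above sit in a world-readable file", path))
    for m in re.finditer(r"^EnvironmentFile=-?(\S+)", text, re.M):
        env_path = m.group(1)
        if not os.path.exists(env_path):
            continue
        with open(env_path) as fh:
            env_findings = scan_env_text(fh.read())
        if env_findings and is_world_readable(os.stat(env_path).st_mode):
            env_findings.append((0, "env file is world-readable", env_path))
        findings.extend(env_findings)
    return findings


if __name__ == "__main__":
    for lineno, reason, name in scan_unit_text(SAMPLE_UNIT):
        print(f"line {lineno}: {reason}: {name}")
```

On the constructed unit it flags DB_PASSWORD on line 9 and the --db-password option on line 10. The remediation that closes this hole is to move secrets out of the unit into a root-owned, mode 0600 file referenced by EnvironmentFile=, or into systemd's LoadCredential= mechanism, so that a low-privileged shell obtained through the web application cannot simply read them.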
