Enumeration

Nmap

The initial Nmap scan revealed that the SSH and HTTP ports were open.


Web Enumeration

The website was running Jorani 1.0.0.


I checked for Jorani's default credentials and found bbalet:bbalet.


Later, I tried it and it worked. I logged in.


Exploitation

CVE-2023-26469

In Jorani 1.0.0, an attacker could leverage path traversal to access files and execute code on the server.

I then searched for Jorani 1.0.0 exploits and found this CVE, which allows RCE. I also found this script: https://github.com/Orange-Cyberdefense/CVE-repository/blob/master/PoCs/CVE_Jorani.py


I executed it and got a user shell.


Then, by calling a bash reverse shell while listening with nc, I obtained an upgraded shell. I then simply read the user flag.


Privilege Escalation

NOPASSWD env

All I had to do was check sudo -l, which showed a NOPASSWD entry for env. I then executed sudo env /bin/bash to obtain a root shell.
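
From the defender's side, a NOPASSWD grant on env like the one above is something a sudoers audit can catch. The following is an added example, not part of the original write-up: it parses sudoers rules and flags passwordless grants on ALL or on programs whose job is to run another command. The sample policy, its user names and the COMMAND_RUNNERS list are assumptions made for illustration.

```python
import os
import re

# Programs whose purpose is to run another command passed as an argument.
# Illustrative and not exhaustive (an assumption of this example).
COMMAND_RUNNERS = {"env", "nice", "nohup", "timeout", "xargs", "sh", "bash"}
TAG = re.compile(r"^(NOPASSWD|PASSWD|SETENV|NOSETENV|EXEC|NOEXEC):\s*")
RUNAS = re.compile(r"^\([^)]*\)\s*")


def risky_nopasswd(sudoers_text):
    """Return (who, command) pairs granted NOPASSWD on a command runner or ALL."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        # Skip blank lines, Defaults settings and alias definitions
        if "=" not in line or line.startswith("Defaults") or "_Alias" in line:
            continue
        who_host, spec = line.split("=", 1)
        who = who_host.split()[0]
        nopasswd = False
        # Simplification: assumes no comma inside the (runas) list
        for item in spec.split(","):
            item = RUNAS.sub("", item.strip())
            # A tag applies to this command and later ones until overridden
            while (m := TAG.match(item)):
                if m.group(1) == "NOPASSWD":
                    nopasswd = True
                elif m.group(1) == "PASSWD":
                    nopasswd = False
                item = item[m.end():]
            if not item or not nopasswd:
                continue
            program = item.split()[0]
            if program == "ALL" or os.path.basename(program) in COMMAND_RUNNERS:
                findings.append((who, item))
    return findings


# Constructed sample policy; the user names are hypothetical.
SAMPLE = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
www-data ALL=(root) NOPASSWD: /usr/bin/env
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, PASSWD: /usr/bin/env
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app, /usr/bin/timeout
"""

if __name__ == "__main__":
    for who, cmd in risky_nopasswd(SAMPLE):
        print(f"{who}: NOPASSWD on {cmd}")
```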


