Codo
Source: Proving Grounds
OS: Linux
Community Rating: Easy
Enumeration & Reconnaissance
I started with the usual autorecon, which exposed:
SSH (22)
HTTP (80)
Service Analysis
I began with HTTP (80). It displayed a Codoforum page. I played around for a while before checking for a CVE. I found CVE-2022-31854, which provided RCE but required valid credentials. I tried the default credentials (admin:admin) and they worked. I was in the admin panel!

Gaining Initial Access
I attempted to run the PoC to get a shell back, but that didn't work, so I did it manually.
I created a PHP reverse shell and then opened the admin panel at:
http://192.168.197.23/admin/
I logged in as admin, navigated to Global Settings, and went to "Upload logo for your forum", where I uploaded my PHP shell.

To execute it, I visited:
http://192.168.197.23/sites/default/assets/img/attachments/shell.php
These steps were outlined in the CVE's PoC. I just followed them.
I checked my listener and, sure enough, I got a reverse shell.
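The logo upload above accepted a PHP file and then served it from a web-reachable attachments directory, which is what turned an admin login into code execution. As an added example (not part of the original writeup and not Codoforum's own code), the block below shows the server-side validation that would have rejected that upload, plus a sweep that flags script files already sitting in an assets tree so an operator can detect a past upload. The extension allowlist, the magic-byte table, and the directory layout are constructed assumptions.

```python
import os
import re

# Constructed allowlist for a "forum logo" upload: only real image types.
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}
# Leading bytes expected for each allowed type (PNG signature, JPEG SOI, GIF header).
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Opening PHP tag, long form or short echo form, any case.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Extensions a typical Apache/PHP handler will execute if found under the web root.
SCRIPT_EXT = {".php", ".phtml", ".php5", ".phar"}


def is_safe_image_upload(filename: str, data: bytes) -> bool:
    """Hardened upload check: extension allowlisted, content starts with the
    matching image signature, and no PHP open tag anywhere in the body."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        return False
    if not data.startswith(MAGIC[ext]):
        return False
    # A real image that also carries a PHP tag is still rejected: some server
    # configurations execute by content or by a second extension, so keep code
    # out of the attachments tree entirely.
    if PHP_TAG.search(data):
        return False
    return True


def scan_upload_dir(root: str) -> list:
    """Detection sweep for an assets/attachments tree: returns (path, reason)
    for every file that has a script extension or embeds a PHP open tag.
    Intended as a periodic integrity check run by the server owner."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            reason = None
            if ext in SCRIPT_EXT:
                reason = "script extension"
            else:
                # Only the first 64 KiB is inspected; a tag planted later in a
                # large file is unusual and the sweep is meant to stay cheap.
                with open(path, "rb") as fh:
                    if PHP_TAG.search(fh.read(65536)):
                        reason = "embedded PHP tag"
            if reason:
                findings.append((path, reason))
    return findings


if __name__ == "__main__":
    # Constructed sample: a genuine PNG header passes, a PHP file named like
    # the one in the writeup does not.
    print(is_safe_image_upload("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
    print(is_safe_image_upload("shell.php", b"<?php echo 1; ?>"))
```

The two functions cover the two sides of the same control: the first is what the upload handler should have run before writing anything under the assets directory, and the second is what an administrator can run over an existing installation to find files that slipped through.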

I then converted it into a proper tty with the following commands:
SHELL=/bin/bash script -q /dev/null
python3 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl + Z
stty raw -echo && fg
reset
Ctrl + C
I searched for a flag using:
find / -type f \( -name local.txt -o -name proof.txt \) 2>/dev/null
That found nothing. Then I remembered that the machine has only one flag. Time to escalate privileges and search again.
Privilege Escalation
I uploaded linpeas, and it exposed a password in the PHP configuration file at:
/var/www/html/sites/default/config.php

The password found was FatPanda123. I first tried it for the offsec user (since there was an offsec directory in the home directory), but it didn't work there. Then I checked it for root, and it worked. We were in as root, as simple as that.

Lessons Learned
Sometimes a web application's administrative interface can be an effective RCE vector if valid credentials are obtained, so always try default credentials as well.
When a PoC doesn't work, following the steps provided in the CVE's PoC manually can make it work.
Configuration files often contain sensitive credentials.