Exfiltrated
Last updated
Source: Proving Grounds
OS: Linux
Community Rating: Intermediate
I started off with autorecon, which revealed two open ports on the target:
SSH (22)
HTTP (80)
After examining the HTTP service, the hostname http://exfiltrated.offsec appeared, so I updated my /etc/hosts to properly resolve it.
I checked for robots.txt and, easy as that, it unveiled several hidden directories. One of these directories led me to an admin login page for Subrion CMS v4.2.1.
A quick web search confirmed that this version is affected by CVE-2018-19422. However, to take advantage of this vulnerability, valid credentials were necessary. I tried the default combination admin:admin, and it worked!
I obtained a shell, though it was quite terrible, pretty much a basic, non-interactive shell. My attempts to upgrade it to a fully interactive TTY shell were unsuccessful until I tried a Perl one-liner. Running the following command finally gave me a usable shell (the shell was generated using revshells.com):
Once I had a reliable shell, I ran linpeas.sh to scout for further vulnerabilities. The scan pointed out that the target was vulnerable to CVE-2021-4034, the notorious Polkit exploit that had given me so much trouble on the previous machine. I didn't want to try this route again.
I checked the cron jobs and was pleased to discover one scheduled to run every minute. The cron job executed a script that used exiftool on uploaded files, appending the data to the logs.
A bit of online research revealed that exiftool is vulnerable to CVE-2021-22204. I found a GitHub PoC that created the payload; I crafted the payload image to exploit this vulnerability, moved it to the target, and waited for the cron job to pick it up. When the cron job executed my payload, I obtained root access.
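The root path above came from a root-owned cron job handing user uploads to exiftool, which is a pattern a defender can audit for in a system crontab. This is an added example, not part of the original writeup; the crontab text, the script path /opt/image-exif.sh and its contents are constructed for illustration, not taken from the target.

```python
import shlex

# Parser binaries worth a second look when a privileged job runs them, and
# path fragments that usually mean user-controlled input.
RISKY_PARSERS = {"exiftool", "exiv2", "convert", "identify", "gs"}
UPLOAD_HINTS = ("/upload", "/var/www", "/tmp", "/srv")

# Constructed /etc/crontab text (fields: m h dom mon dow user command).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root /opt/image-exif.sh
*/5 * * * * www-data /usr/bin/exiftool /srv/uploads/*.jpg >> /var/log/exif.log
"""

# Constructed script body: the exiftool call is only visible if the audit
# follows the job into the script it runs, as a reviewer would.
SAMPLE_SCRIPTS = {
    "/opt/image-exif.sh": "#!/bin/bash\nexiftool /var/www/html/uploads/* >> /var/log/exif.log\n",
}

def parse_system_crontab(text):
    """Yield (user, command) per job line; skip comments and VAR=value lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        parts = line.split(None, 6)
        if len(parts) == 7:
            yield parts[5], parts[6]

def expand(command, scripts):
    """Command tokens plus the command joined with any known script bodies it invokes."""
    tokens = shlex.split(command)
    return tokens, command + "\n" + "\n".join(scripts.get(t, "") for t in tokens)

def audit_crontab(text, scripts):
    """Return [(user, command, reasons)] for jobs that feed files to a parser."""
    findings = []
    for user, command in parse_system_crontab(text):
        tokens, full = expand(command, scripts)
        words = {w.rsplit("/", 1)[-1] for w in tokens + full.split()}
        if not words & RISKY_PARSERS:
            continue
        reasons = ["invokes a file parser"]
        if user == "root":
            reasons.append("runs as root; a parser bug becomes root")
        if any(h in full for h in UPLOAD_HINTS):
            reasons.append("reads from an upload path")
        findings.append((user, command, reasons))
    return findings
```

A job flagged with all three reasons is the exact shape exploited here; running the parser as a dedicated low-privilege user removes the privilege escalation even if the parser bug remains.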
Hidden Directories: A simple robots.txt file can uncover critical hidden paths.
Default Credentials: Sometimes, the most obvious username and password (admin:admin) can be all it takes to exploit a vulnerability.
Cron Job Exploitation: The insecure cron job was the path to root.