Flu
Source: Proving Grounds
OS: Linux
Community Rating: Intermediate
Enumeration & Reconnaissance
I started with the usual autorecon and discovered three open ports on the target:
SSH (22)
HTTP (8090)
HTTP (8091)
Service Analysis
I began my analysis on port 8090, where I found a login page. I tried a few credentials but nothing worked. After some online digging, I found CVE-2022-26134, which offers code execution.

Gaining Initial Access
The first PoC I tried granted code execution, but my reverse shell attempt failed. I then tested two more PoCs. The second didn’t work either, but the final one succeeded after I had to change the default listening port, as if OffSec wanted to make things a bit trickier.
Once code execution was achieved, I secured my foothold on the system.

Privilege Escalation
After gaining access, I ran linpeas.sh, but it didn’t reveal any obvious privilege escalation vectors.
Running pspy, I noticed that root was executing a log-backup.sh script, a script to which I had write access. I leveraged this script to spawn a reverse shell, which worked perfectly.
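
From the defender's side, the condition described above (a script that root runs on a schedule while an unprivileged account can modify it) can be audited directly. The following is an added example, not part of the original write-up; the function names and the `stop_at` parameter are illustrative, and it goes one step further than the write-up by also checking every directory above the script, since write access to a parent directory allows the file to be replaced.

```python
import os
import stat

def writable_by_untrusted(st, trusted_uids):
    """Reasons why someone outside trusted_uids can modify this inode."""
    reasons = []
    if st.st_uid not in trusted_uids:
        reasons.append(f"owned by uid {st.st_uid}")
    if st.st_mode & stat.S_IWGRP:
        reasons.append(f"group-writable (gid {st.st_gid})")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons

def audit_root_script(path, trusted_uids=frozenset({0}), stop_at="/"):
    """Check a script that root executes, plus every directory above it.

    Returns a list of (path, reason) findings; an empty list means only
    trusted uids can change what root ends up running.
    """
    findings = []
    current = os.path.realpath(path)   # audit the file root really opens
    stop_at = os.path.realpath(stop_at)
    child_uid = None
    while True:
        st = os.stat(current)
        reasons = writable_by_untrusted(st, trusted_uids)
        # A sticky directory (e.g. /tmp) only lets a user rename or delete
        # entries they own, so its write bits do not let other users swap
        # out a child that a trusted uid owns.
        if (stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
                and child_uid in trusted_uids):
            reasons = [r for r in reasons if "writable" not in r]
        findings += [(current, r) for r in reasons]
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            return findings
        child_uid, current = st.st_uid, parent

if __name__ == "__main__":
    import sys
    # Pass the scripts referenced by root's cron entries or systemd units.
    for script in sys.argv[1:]:
        for where, why in audit_root_script(script):
            print(f"{script}: {where} is {why}")
```

Any finding on a script that root executes means the job should be moved to a root-owned, non-writable location or have its permissions tightened.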


Lessons Learned
Persistence with multiple PoCs can pay off when the first attempt fails.
Tools like pspy can uncover hidden escalation paths that aren’t found using linpeas.