Flu

Source: Proving Grounds

OS: Linux

Community Rating: Intermediate

Enumeration & Reconnaissance

  • I started with the usual autorecon and discovered three open ports on the target:

    • SSH (22)

    • HTTP (8090)

    • HTTP (8091)

Service Analysis

  • I began my analysis on port 8090, where I found a login page. I tried a few credentials but nothing worked. After some online digging, I found CVE-2022-26134, which offers code execution.

The Login Page

Gaining Initial Access

  • The first PoC I tried granted code execution, but my reverse shell attempt failed. I then tested two more PoCs. The second didn’t work either, but the final one succeeded after I had to change the default listening port, as if OffSec wanted to make things a bit trickier.

  • Once code execution was achieved, I secured my foothold on the system.

Initial Access

Privilege Escalation

  • After gaining access, I ran linpeas.sh, but it didn’t reveal any obvious privilege escalation vectors.

  • Running pspy, I noticed that root was executing a log-backup.sh script, a script to which I had write access. I leveraged this script to spawn a reverse shell, which worked perfectly.

Pspy Output
Root Access
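
Seen from the defender's side, the weakness here is a script that root runs on a schedule while a lower-privileged account can modify it. The check below is an added example, not part of the original writeup: the function names and the default trusted UID of 0 are assumptions, and it inspects only the script and its containing directory.

```shell
#!/bin/sh
# Added example: flag root-run scripts that a non-root account could modify.
# Assumes GNU or BusyBox stat (-c) and absolute paths. POSIX ACLs are not inspected.

# check_one PATH TRUSTED_UID
# Prints a finding and returns 1 when PATH is not owned by TRUSTED_UID or is
# writable by group or other.
check_one() {
    info=$(stat -L -c '%u %a' "$1" 2>/dev/null) || {
        echo "UNREADABLE: $1"
        return 1
    }
    owner=${info% *}
    mode=${info#* }
    bad=0
    if [ "$owner" != "$2" ]; then
        echo "OWNER: $1 is owned by uid $owner, expected uid $2"
        bad=1
    fi
    # Mask the octal mode with 022 to isolate group-write and other-write bits.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "WRITABLE: $1 has mode $mode (group or other can write)"
        bad=1
    fi
    return $bad
}

# audit_root_script SCRIPT [TRUSTED_UID]
# Checks the script and its directory: write access to the directory is enough
# to replace the script even when the file itself is locked down.
audit_root_script() {
    script=$1
    trusted=${2:-0}
    rc=0
    check_one "$script" "$trusted" || rc=1
    check_one "$(dirname "$script")" "$trusted" || rc=1
    return $rc
}

# Usage: sh audit.sh /path/to/log-backup.sh   (placeholder path)
for p in "$@"; do
    audit_root_script "$p" || true
done
```

Feed it every path referenced from root's crontab, the system cron directories and systemd timers; any output means the file or its directory should be owned by root and stripped of group and other write permission.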

Lessons Learned

  • Persistence with multiple PoCs can pay off when the first attempt fails.

  • Tools like pspy can uncover hidden escalation paths that aren’t found using linpeas.
