Levram

Source: Proving Grounds
OS: Linux
Community Rating: Easy

Enumeration & Reconnaissance

  • I started with autorecon as usual, which revealed two open ports on the target:

    • SSH (22)

    • HTTP (8000)

Service Analysis

  • A quick visit to HTTP (8000) exposed a login page for an application named GERAPY.

Gerapy
  • I logged in using the default credentials, admin:admin, and was in.

  • Inside, I noticed there were projects and a file upload option. However, my quick Google search pointed me to CVE-2021-43857, an authenticated remote code execution (RCE) bug in Gerapy versions before 0.9.8, so I didn't explore that much.

Gerapy Dashboard

Gaining Initial Access

  • I attempted to run the PoC immediately, but it failed because it required at least one project to exist.

PoC with no Projects
  • Since I already had access, I created a new project within GERAPY and ran the PoC again. This time, it worked perfectly, and I gained my first shell.

PoC with the project

Privilege Escalation

  • After obtaining initial access, I ran linpeas.sh to scout for further escalation paths. The scan revealed a capability misconfiguration on Python.

Capability Misconfiguration
  • For those who don't know, Linux capabilities split the monolithic root privilege into smaller units that can be granted to individual executables. In this case, /usr/bin/python3.10 carried the file capability cap_setuid=ep, meaning CAP_SETUID is in the binary's permitted and effective sets, so any user who can run the interpreter can call setuid(0) from it. I exploited this misconfiguration by executing:

python3.10 -c 'import os; os.setuid(0); os.system("/bin/bash")'
  • That simple command granted me a root shell in no time.
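The check a defender (or a pentester triaging linpeas output) wants here is a quick audit of file capabilities, since getcap -r / 2>/dev/null is what linpeas runs under the hood. The following script is an added example and is not part of the original writeup or of linpeas: it parses getcap-style output, flags capabilities that let the caller of an interpreter become root (cap_setuid as on this box, plus cap_setgid, cap_dac_override and similar), and prints the fix (setcap -r on the binary). The SAMPLE lines are constructed to exercise both output formats libcap has used; pass --live to scan the real filesystem instead.

```python
import os
import re
import subprocess
import sys

# File capabilities that, on a binary whose code an unprivileged user
# controls (an interpreter, an editor, a debugger), amount to root.
DANGEROUS = {
    "cap_setuid": "setuid(0) from inside the program yields a root shell",
    "cap_setgid": "setgid(0) bypasses group restrictions such as the shadow group",
    "cap_dac_override": "write to any file, e.g. add a root user to /etc/passwd",
    "cap_dac_read_search": "read any file, e.g. /etc/shadow or root's SSH keys",
    "cap_chown": "take ownership of root-owned files",
    "cap_fowner": "bypass owner checks on chmod, so setuid bits can be planted",
    "cap_sys_admin": "mount, namespaces and many other privileged operations",
    "cap_sys_ptrace": "attach to root-owned processes and inject code",
    "cap_sys_module": "load arbitrary kernel modules",
}

# Binaries that execute whatever the caller hands them; any DANGEROUS
# capability on these is directly exploitable, as python3.10 was here.
INTERPRETERS = ("python", "perl", "ruby", "php", "node", "lua", "vim", "gdb")

# Constructed sample of getcap -r output in both formats libcap has used:
# older releases print "path cap=flags", newer ones "path = cap+flags".
SAMPLE = """\
/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.10 cap_setuid=ep
/usr/bin/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/perl = cap_dac_read_search+ep
/usr/sbin/arping cap_net_raw+p
"""

LINE_RE = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<caps>\S.*)$")


def parse_getcap(text):
    """Parse getcap output into [(path, {capability: flags})].

    Each clause is "cap_a,cap_b+flags" or "cap_a=flags"; flags are a subset
    of e (effective), p (permitted), i (inheritable).
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        caps = {}
        for clause in m.group("caps").split():
            if "-" in clause:  # "cap_x-e" removes flags; nothing is granted
                continue
            parts = re.split(r"[+=]", clause, maxsplit=1)
            if len(parts) != 2:
                continue
            names, flags = parts
            for name in names.split(","):
                caps[name] = flags
        entries.append((m.group("path"), caps))
    return entries


def is_interpreter(path):
    return os.path.basename(path).startswith(INTERPRETERS)


def audit(text):
    """Return one finding per dangerous capability present in the output."""
    findings = []
    for path, caps in parse_getcap(text):
        for cap, flags in caps.items():
            if cap not in DANGEROUS:
                continue
            # Effective on an interpreter: the caller's own code runs with it.
            # Permitted-only still lets a capability-aware program raise it,
            # so it is reported too, at a lower severity.
            severity = "HIGH" if "e" in flags and is_interpreter(path) else "REVIEW"
            findings.append({
                "path": path, "cap": cap, "flags": flags, "severity": severity,
                "why": DANGEROUS[cap], "fix": "setcap -r " + path,
            })
    return findings


def run_getcap(root="/"):
    """Run getcap -r over the filesystem; permission errors are discarded."""
    proc = subprocess.run(["getcap", "-r", root], stdout=subprocess.PIPE,
                          stderr=subprocess.DEVNULL, text=True)
    return proc.stdout


def main(argv):
    text = run_getcap() if "--live" in argv else SAMPLE
    findings = audit(text)
    for f in findings:
        print(f"[{f['severity']}] {f['path']} {f['cap']}={f['flags']}: "
              f"{f['why']} (fix: {f['fix']})")
    return 1 if any(f["severity"] == "HIGH" for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

On the sample, only python3.10 (cap_setuid) and perl (cap_dac_read_search) are reported; ping and arping keep cap_net_raw, which is what they legitimately need. The exit code is non-zero on any HIGH finding so the script can sit in a hardening check or CI job, and the remediation it prints is the same either way: strip the capability with setcap -r and, if a script really needs to set UIDs, give that to a dedicated wrapper rather than the system interpreter.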

Privilege Escalation

Lessons Learned

  • Quick Exploitation: Always try default credentials and search for CVEs.

  • Capabilities Abuse: A misconfigured file capability (cap_setuid) on an interpreter like Python was the path to root.
