search

Levram

Source: Proving Grounds OS: Linux Community Rating: Easy

hashtag
Enumeration & Reconnaissance

  • I started with autorecon as usual, which revealed two open ports on the target:

    • SSH (22)

    • HTTP (8000)

hashtag
Service Analysis

  • A quick visit to HTTP (8000) exposed a login page for an application named GERAPY.

Gerapy

  • I logged in using the default credentials, admin:admin, and was in.

  • Inside, I noticed there were projects and a file upload option. However, my quick Google search pointed me to a CVE: 2021-43857 that provided remote code execution (RCE) so I didn't explore that much.

Gerapy Dashboard

hashtag
Gaining Initial Access

  • I attempted to run the PoC immediately, but it failed because it required at least one project to exist.

PoC with no Projects

  • Since I already had access, I created a new project within GERAPY and ran the PoC again. This time, it worked perfectly, and I gained my first shell.

PoC with the project

hashtag
Privilege Escalation

  • After obtaining initial access, I ran linpeas.sh to scout for further escalation paths. The scan revealed a capability misconfiguration on Python.

Capability Misconfiguration

  • For those who don't know, capabilities allow splitting root privileges into smaller, assignable units. In this case, our user had cap_setuid=ep on /usr/bin/python3.10. I exploited this misconfiguration by executing:

  • That simple command granted me a root shell in no time.

Privilege Escalation

hashtag
Lessons Learned

  • Quick Exploitation: Always try default credentials and search for CVEs.

  • Capabilities Abuse: Misconfigured capabilities on executables like Python was the path to root.

PreviousCockpitNextExtplorer

Last updated