Levram
Source: Proving Grounds
OS: Linux
Community Rating: Easy
Enumeration & Reconnaissance
I started with autorecon as usual, which revealed two open ports on the target:
SSH (22)
HTTP (8000)
Service Analysis
A quick visit to HTTP (8000) exposed a login page for an application named GERAPY.

I logged in using the default credentials, admin:admin, and was in.
Inside, I noticed there were projects and a file upload option. However, my quick Google search pointed me to CVE-2021-43857, which provided remote code execution (RCE), so I didn't explore that much.

Gaining Initial Access
I attempted to run the PoC immediately, but it failed because it required at least one project to exist.

Since I already had access, I created a new project within GERAPY and ran the PoC again. This time, it worked perfectly, and I gained my first shell.

Privilege Escalation
After obtaining initial access, I ran linpeas.sh to scout for further escalation paths. The scan revealed a capability misconfiguration on Python.

For those who don't know, capabilities allow splitting root privileges into smaller, assignable units. In this case, /usr/bin/python3.10 carried cap_setuid=ep, so any user who could run that interpreter could call setuid(0). I exploited this misconfiguration by executing:
python3.10 -c 'import os; os.setuid(0); os.system("/bin/bash")'
That simple command granted me a root shell in no time.
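As an added example (not part of the original writeup), here is a small POSIX shell audit that parses `getcap -r /` output and flags capabilities that give a direct route to root, the way cap_setuid on /usr/bin/python3.10 did on this box. The sample lines and the DANGEROUS list are my own constructed choices; both the older "path = caps" and the newer "path caps" getcap formats are handled.

```shell
#!/bin/sh
# Added example: flag file capabilities that let a local user become root.
# Not code from the original writeup.

# Constructed sample in the shape of `getcap -r / 2>/dev/null` output.
SAMPLE_GETCAP='/usr/bin/python3.10 = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/tar cap_dac_read_search=ep'

# Capabilities that, on a binary any user can run, are a direct root path
# (assumed list for this example; extend to taste).
DANGEROUS='cap_setuid cap_setgid cap_sys_admin cap_dac_override cap_dac_read_search cap_sys_ptrace cap_chown cap_fowner cap_sys_module'

# flag_dangerous_caps: read getcap lines on stdin, print "path capability"
# for every dangerous capability found.
flag_dangerous_caps() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line%% *}            # first field is the file path
        rest=${line#"$path"}        # remainder: " = caps" or " caps"
        rest=${rest# }
        rest=${rest#"= "}
        # turn "a,b+ep" / "a=ep" into whitespace-separated tokens
        names=$(printf '%s' "$rest" | tr ',+=-' '    ')
        for n in $names; do
            case " $DANGEROUS " in
                *" $n "*) printf '%s %s\n' "$path" "$n" ;;
            esac
        done
    done
}

# audit_live_caps: run the same check against the real filesystem
# (silently does nothing if getcap is not installed).
audit_live_caps() {
    command -v getcap >/dev/null 2>&1 || return 0
    getcap -r / 2>/dev/null | flag_dangerous_caps
}

# Demonstrate on the constructed sample.
printf '%s\n' "$SAMPLE_GETCAP" | flag_dangerous_caps
```

Each flagged line is a binary whose capability should be reviewed and, where not needed, removed with `setcap -r`.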

Lessons Learned
Quick Exploitation: Always try default credentials and search for CVEs.
Capabilities Abuse: Misconfigured capabilities on executables like Python were the path to root.