Pelican

Source: Proving Grounds
OS: Linux
Community Rating: Intermediate

Enumeration & Reconnaissance

  • I started with autorecon as usual, which revealed a crowded target with several open ports:

    • SSH (22)

    • SMB (139 and 445)

    • CUPS (631)

    • SSH (2222)

    • HTTP (8080 and 8081)

  • There were a lot of services to check, but I ended up getting caught up in the HTTP ports and finished the target before even exploring the other services.

Service Analysis

HTTP Service on Port 8081

  • I ran my fuzzers and started manual checks.

  • On port 8081, I discovered an application called Exhibitor for ZooKeeper. After a quick search, I found that this application is vulnerable to CVE-2019-5029.

[Image: Exhibitor application]

I failed multiple times while trying to get a proper TTY shell; each time, I had to revert the target because the exploit wouldn't work without a fresh start.

Gaining Initial Access

  • With the vulnerability exploited on the application, I secured a basic shell on the target.

[Image: CVE-2019-5029 exploit]

Privilege Escalation

  • After gaining initial access, I ran linpeas.sh and noticed that sudo privileges allowed running gcore without a password. It took some searching to understand what gcore is: gcore generates a core dump of a running process, given its process ID.

[Image: sudo -l output]

  • Now it was clear: if we can dump the memory of a process holding sensitive data, we can extract valuable information. Running:

    ps aux | grep password

    led me straight to a process containing sensitive data. Using gcore to dump the process memory, I was able to read the dumped file and extract the root password.
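The two conditions that made this escalation possible, a NOPASSWD sudo rule on a tool that can read other processes' memory and a credential sitting in a process command line, are both cheap to audit. The script below is an added example, not code from the original write-up; the sudo rules and `ps aux` lines it checks are constructed sample data, the username, host, service name and credential value are placeholders, and the list of memory-reading tools beyond gcore is an assumption for the example.

```shell
#!/usr/bin/env bash
# Added audit example (not from the original write-up). Two checks that would have
# surfaced the conditions abused on this box:
#   1. sudo rules granting NOPASSWD on tools that can read another process's memory
#   2. running processes that carry a credential on their command line
# All sample data below is constructed for the example, not output from the target.

# Tools that can dump or read another process's memory. gcore is the one on the page;
# the others are assumed additions for the example.
MEMORY_READERS='gcore|gdb|strace|ltrace'

# Constructed `sudo -l` output. Username and host are placeholders.
SAMPLE_SUDO_RULES='User someuser may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/gcore
    (ALL) ALL'

# Constructed `ps aux` output. Service name and credential value are placeholders.
SAMPLE_PS_OUTPUT='root   412  0.0  0.1  12340  1200 ?  Ss  10:00  0:00 /usr/bin/svc-daemon --password=PLACEHOLDER_SECRET
root   500  0.0  0.0   9876   800 ?  Ss  10:00  0:00 /usr/sbin/sshd -D
root   610  0.0  0.0   8000   700 ?  S   10:00  0:00 /usr/bin/svc-daemon --config /etc/svc.conf'

# flag_nopasswd_memory_readers: read sudo rules on stdin and print the lines that grant
# a memory-reading tool without a password. Always exits 0; callers inspect the output.
flag_nopasswd_memory_readers() {
    grep -E "NOPASSWD:.*(/|[[:space:]])(${MEMORY_READERS})([[:space:]]|,|$)" || true
}

# flag_credentials_in_cmdline: read `ps aux` lines on stdin and print those whose
# command line appears to carry a password, secret or token argument.
flag_credentials_in_cmdline() {
    grep -iE '(passw(or)?d|secret|token)[[:space:]=:]' || true
}

# count_lines: portable line count with no leading whitespace (unlike some `wc -l`).
count_lines() {
    awk 'END { print NR }'
}

# run_audit: apply both checks to the sample data and report each finding.
# Returns 1 when anything was flagged so it can double as a simple health check.
run_audit() {
    sudo_findings=$(printf '%s\n' "$SAMPLE_SUDO_RULES" | flag_nopasswd_memory_readers)
    ps_findings=$(printf '%s\n' "$SAMPLE_PS_OUTPUT" | flag_credentials_in_cmdline)
    status=0
    if [ -n "$sudo_findings" ]; then
        printf 'RISK: NOPASSWD sudo rule on a memory-reading tool:\n%s\n' "$sudo_findings"
        status=1
    fi
    if [ -n "$ps_findings" ]; then
        printf 'RISK: credential passed on a command line:\n%s\n' "$ps_findings"
        status=1
    fi
    return $status
}

# Run against the constructed samples; on a real host replace the samples with
# `sudo -l` and `ps aux` output for the account being reviewed.
if run_audit; then
    printf 'OK: no findings\n'
fi
```

The fix on the defending side is the one the write-up implies: a NOPASSWD rule should never cover a binary that can read arbitrary process memory, and services should take secrets from a protected config file or environment rather than a command-line argument that any local user can read from `ps`.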

[Image: privilege escalation]
[Image: root password]

Lessons Learned

  • Vulnerable Services: Always check for CVEs for services you encounter; in this case, a known CVE provided us with initial access.

  • Privilege Escalation: Misconfigured sudo privileges can open the door for privilege escalation. Here, being able to run gcore without a password offered a clever path to escalate privileges by dumping process memory.
