Pelican
Source: Proving Grounds OS: Linux Community Rating: Intermediate
Enumeration & Reconnaissance
I started with autorecon as usual, which revealed a crowded target with several open ports:
SSH (22)
SMB (139 and 445)
CUPS (631)
SSH (2222)
HTTP (8080 and 8081)
There were a lot of services to check, but I ended up getting caught up in the HTTP ports and finished the target before even exploring the other services.
Service Analysis
HTTP Service on Port 8081
I ran my fuzzers and started manual checks.
On port 8081, I discovered an application called Exhibitor for ZooKeeper. After a quick search, I found that this application is vulnerable to CVE-2019-5029.
Gaining Initial Access
With the vulnerability exploited on the application, I secured a basic shell on the target.
Privilege Escalation
After gaining initial access, I ran linpeas.sh and noticed that sudo privileges allowed running gcore without a password. It took some searching to understand what gcore is, gcore generates core dumps of running processes using their process ID.
Now it was clear: if we can dump data from a process holding sensitive data, we can extract valuable information. Running:
ps aux | grep passwordled me straight to a process containing sensitive data. Using gcore to dump the process memory, I was able to read the dumped file and extract the root password.
Lessons Learned
Vulnerable Services: Always check for CVEs for services you encounter; in this case, a known CVE provided us with initial access.
Privilege Escalation: Misconfigured sudo privileges can open the door for privilege escalation. Here, being able to run gcore without a password offered a clever path to escalate privileges by dumping process memory.
Last updated