Astronaut
Last updated
Source: Proving Grounds
OS: Linux
Community Rating: Intermediate
I started with autorecon as usual, which revealed two open ports on the target:
SSH (22)
HTTP (80)
Browsing to the HTTP service led me to a Grav CMS admin interface (grav-admin).
I checked the robots.txt file, which listed multiple directories, but after checking them all, they led nowhere.
I also discovered a login page for the admin. However, default credentials didn't work, and I noticed that accounts lock after several failed attempts, so brute-forcing wasn't an option.
After some research, I found multiple CVEs for Grav, one of which allowed for remote code execution (RCE). I found a PoC and tried it.
Initially, my attempts failed when I included a trailing “/” at the end of the target URL. Once I removed the trailing slash, the exploit worked. For instance, while this command:
didn’t work, this one did the trick:
This allowed me to get a reverse shell on the target.
Once I had shell access, I ran linpeas.sh to identify further avenues for privilege escalation.
The scan revealed a cron job that executed every minute, running a PHP script. I attempted to inject into this PHP script, but soon realized the file was owned by www-data, meaning the shell remained at the same privilege level.
Continuing my search, I ran to look for SUID binaries:
This command revealed that PHP itself had the SUID bit set. Checking GTFOBins provided me with the code required to exploit this. I then executed the command to escalate privileges to root:
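The misconfiguration behind this escalation is easy to audit for from the defender's side: an interpreter such as PHP with the setuid bit runs whatever script it is handed with the owner's privileges, so it should never carry that bit. The script below is an added example (not from the writeup or from Proving Grounds) that lists setuid files under a directory tree and flags those whose name is an interpreter or shell; the interpreter list and the AUDIT_ROOT variable are my own assumptions, and the mode/owner column relies on the ls output format common to Linux.

```shell
#!/bin/sh
# Added hardening check: find setuid binaries under a directory tree and flag
# any that are interpreters or shells. A setuid interpreter executes arbitrary
# code as its owner, which is the PHP misconfiguration described in the writeup.

# Interpreters and shells that should never be setuid (assumed list; extend as needed).
# Version suffixes such as php7.4 or python3.8 are stripped before matching.
INTERPRETERS="php python perl ruby node bash sh dash zsh"

# list_suid DIR: print every regular file under DIR with the setuid bit set.
# Errors from unreadable directories are discarded so the scan keeps going.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# is_interpreter NAME: succeed if NAME, minus a trailing version, is in INTERPRETERS.
is_interpreter() {
    base=$(printf '%s' "$1" | sed 's/[0-9.]*$//')   # php7.4 -> php, python3.8 -> python
    for i in $INTERPRETERS; do
        [ "$base" = "$i" ] && return 0
    done
    return 1
}

# audit_suid_interpreters DIR: print one "FLAG <mode> <owner> <path>" line for each
# setuid file under DIR whose name matches an interpreter. Prints nothing when clean.
audit_suid_interpreters() {
    list_suid "$1" | while IFS= read -r path; do
        name=$(basename "$path")
        if is_interpreter "$name"; then
            # ls -ld gives "mode links owner group ..."; keep mode and owner.
            info=$(ls -ld "$path" | awk '{print $1, $3}')
            printf 'FLAG %s %s\n' "$info" "$path"
        fi
    done
}

# Usage: AUDIT_ROOT=/usr/bin sh suid_audit.sh
# Only runs the audit when AUDIT_ROOT is set, so the file can also be sourced.
if [ -n "${AUDIT_ROOT:-}" ]; then
    audit_suid_interpreters "$AUDIT_ROOT"
fi
```

A clean host prints nothing; any FLAG line is a finding to remove with `chmod u-s` on the binary and to trace back to whatever installed or changed it. Genuine setuid tools (ping, passwd, sudo) are deliberately not flagged, since the point is the interpreter case, not setuid in general.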
Exploit Error: A subtle difference in the target URL (with or without a trailing slash) can make or break an exploit.
SUID Misconfiguration: Misconfigured SUID permissions on PHP were the path to privilege escalation.