pc
Source: Proving Grounds
OS: Linux
Community Rating: Intermediate
I ran autorecon as usual and discovered two open ports on the target:
SSH (22)
HTTP (8000)
Checking HTTP (8000) revealed a built-in terminal that allowed direct interaction with the system as a regular user.
This meant that initial access was already in place; we just needed to focus on privilege escalation (which explains why there was only a root flag).
Since the terminal on port 8000 already granted user-level access, I didn’t have to worry about exploiting an initial vulnerability. My starting point was already set.
While exploring the file system, I noticed a snap folder containing lxd and ttyd. LXD is an open-source solution for managing virtual machines and containers; its misconfigurations can sometimes be exploited for privilege escalation. I tried a few angles there, but I wasn’t in the lxc or lxd group, so that approach hit a dead end.
Running linpeas.sh, I discovered that root was running a Python script located at /opt/rpc.py. I attempted to write to this file directly, but my permissions were insufficient.
After some online research, I found that there is a CVE associated with rpc.py that allows privilege escalation. I first tried the PoC available on Exploit-DB, but it didn't work. Then I found another PoC on GitHub that worked perfectly. Using it, I was able to escalate my privileges and obtain a root shell!
Side note: linpeas.sh also revealed another port that autorecon/nmap didn’t pick up. This serves as a reminder to always double-check all open ports, as they might offer alternative attack vectors if the primary approach fails.
Check for CVEs: The rpc.py vulnerability (CVE) provided a privilege escalation path.
Verify all open ports: Linpeas revealed an undiscovered port, highlighting the need for thorough checks.