📚
OSCP
  • Pentesting
  • Proving Grounds practice
    • Warm up
      • Windows
        • Kevin
        • Internal
        • Metallus
      • Linux
        • ClamAV
        • Exfiltrated
        • Twiggy
    • Get to work
      • Windows
        • Slort
        • Billyboss
        • Fish
        • UT99
        • AuthBy
        • Jacko
        • Shenzi
      • Linux
        • Dibble
        • Pelican
        • Sorcerer
        • Zino
        • Zenphoto
        • Snookums
        • Nibbles
        • Chatty
        • Banzai
    • Try harder
      • Windows
        • Meathead
      • Linux
        • Sirol
        • Peppo
        • Clyde
  • Buffer overflow
    • Buffer Overflow Methodology
    • TryHackMe Practice
      • Overflow1
      • Overflow2
      • Overflow3
      • Overflow4
      • Overflow5
      • Overflow6
      • Overflow7
      • Overflow8
      • Overflow9
      • Overflow10
  • Active Directory
    • AD Authentication
      • NTLM Authentication
      • Kerberos Authentication
    • TryHackMe Practice
      • Attacktive Directory
      • Roasted
      • RazorBlack
    • PG Practice
      • Hutch
      • Vault
      • Heist
Powered by GitBook
On this page
  • Information Gathering
  • Service Enumeration
  • HTTP (Port 80)
  • Exploit
  • Privesc

Was this helpful?

  1. Proving Grounds practice
  2. Warm up
  3. Linux

Exfiltrated

Writeup for Exfiltrated from offsec Proving Grounds

PreviousClamAVNextTwiggy

Last updated 3 years ago

Was this helpful?

Information Gathering

sudo ./nmapAutomator.sh 192.168.142.163 all

Service Enumeration

HTTP (Port 80)

Notice from our initial information gathering there is a robots.txt directory with 7 disallowed directories. Upon navigating to /panel/, we see an admin login page. We also take note that this is Subrion CMS v4.2.1.

Exploit

We can log in using admin:admin to access the dashboard.

SubrionCMS 4.2.1 is vulnerable to Authenticated Remote Code Execution. /panel/uploads in Subrion CMS 4.2.1 allows remote attackers to execute arbitrary PHP code via a .pht or .phar file, because the .htaccess file omits these.

Privesc

Running LinEnum on the target, we see something interesting.

Notice that there is an unusual file inside the crontab - /opt/image-exif.sh

This script seems to be running exiftool. Apparently improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image.

Once we got exploit.jpg on our attack machine, we can upload it to the target machine using wget and python SImpleHTTPServer.

Now we can check /bin/bash and we realize that it has the SUID set, which allows us to run it and get root.

LogoGitHub - h3v0x/CVE-2018-19422-SubrionCMS-RCE: CVE-2018-19422 Authenticated Remote Code ExecutionGitHub
LogoAn Image Speaks a Thousand RCEs: The Tale of Reversing an ExifTool CVEMedium