📚
OSCP
  • Pentesting
  • Proving Grounds practice
    • Warm up
      • Windows
        • Kevin
        • Internal
        • Metallus
      • Linux
        • ClamAV
        • Exfiltrated
        • Twiggy
    • Get to work
      • Windows
        • Slort
        • Billyboss
        • Fish
        • UT99
        • AuthBy
        • Jacko
        • Shenzi
      • Linux
        • Dibble
        • Pelican
        • Sorcerer
        • Zino
        • Zenphoto
        • Snookums
        • Nibbles
        • Chatty
        • Banzai
    • Try harder
      • Windows
        • Meathead
      • Linux
        • Sirol
        • Peppo
        • Clyde
  • Buffer overflow
    • Buffer Overflow Methodology
    • TryHackMe Practice
      • Overflow1
      • Overflow2
      • Overflow3
      • Overflow4
      • Overflow5
      • Overflow6
      • Overflow7
      • Overflow8
      • Overflow9
      • Overflow10
  • Active Directory
    • AD Authentication
      • NTLM Authentication
      • Kerberos Authentication
    • TryHackMe Practice
      • Attacktive Directory
      • Roasted
      • RazorBlack
    • PG Practice
      • Hutch
      • Vault
      • Heist
Powered by GitBook
On this page
  • Information Gathering
  • Service Enumeration
  • HTTP (Port 80)
  • HTTP (Port 8000)
  • Exploit

Was this helpful?

  1. Proving Grounds practice
  2. Warm up
  3. Linux

Twiggy

Writeup for Twiggy from offsec Proving Grounds

PreviousExfiltratedNextGet to work

Last updated 3 years ago

Was this helpful?

Information Gathering

Service Enumeration

sudo ./nmapAutomator.sh 192.168.63.62 all

HTTP (Port 80)

Mezzanine CMS running.

HTTP (Port 8000)

Doesn't look like anything useful.

But when we look at the response in burp, we see something interesting.

Looks like this is running salt-api/3000-1.

Exploit

A quick google search and we find that Saltstack 3000.1 is vulnerable to authentication bypass/remote code execution.

However, the script isn't working well and I found a better script.

Nice, looks like it is vulnerable.

Hmm...That didn't work, maybe this machine doesn't have nc.

Seems like our new payload works and since we are root, there's no need for privesc!

LogoSaltstack 3000.1 - Remote Code ExecutionExploit Database
LogoGitHub - jasperla/CVE-2020-11651-poc: PoC exploit of CVE-2020-11651 and CVE-2020-11652GitHub