CTF1
OSCP Proving Grounds Helpdesk Writeup (Linux)
Last updated
Was this helpful?
OSCP Proving Grounds Helpdesk Writeup (Linux)
Last updated
Was this helpful?
nmap --min-rate 3000 -p- 192.168.115.12 -Pn -sV -sC
We Find only two ports open.
Seems to have a folder exposed to us.
It seems like some sort of CMS, though I have no idea what this is.
Lets see if we can find a version number and see if there are any RCE's associated with "Grav".
While doing some research I came across the folowing article which leads me to /admin.
Based on that article I was able to seemingly replicate the POC of the RCE
As a reminder the admin nonce is a hidden field in the form.
So given a 200, i suppose this CMS is vulnerable.
and...
We have a Shell!
After running linpeas we find a few interesting pieces of information
I attempted to priv esc with cron jobs but no luck.
After more recon I discovered a password hash
After spending many hours trying to crack this hash it was pointless.
For some reason I circled back and decided to look for SUID binaries manually, because why not?
So here is my frustration:
ALWAYS CHECK SUID BINARIES MANUALLY.
ALWAYS.
ALWAYS.
ALWAYS.
IDC WHAT YOU SAY. MANUAL.
FML
Anyway here is a link to that:
We notice that /usr/bin/php7.4 this stands out
We find where the binary is: /usr/bin/
And based on GTFOBins we can just run ./php -r "pcntl_exec('/bin/sh', ['-p']);"
im still kind of mad... Linpeas didnt pick it up.
After doing a little bit more research, I found a POC online:
After a little bit of fiddling around I ran the following command. For the Ub3r Lazy :
