We are going to exploit one of OffSec Proving Grounds Easy machines which called
Exfiltrated and this post is not a fully detailed walkthrough, I will just go through the important points during the exploit process.
Port 80 is running
4.2.1as shown in the
- We can login with
admin:adminto the CMS.
Using Searchsploit to look for exploits:
- Running LinPEAS:
As shown in the picture above there’s a cronjob running this script
/opt/image-exif.sh every minute as root, and this is the content of the script:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 #! /bin/bash #07/06/18 A BASH script to collect EXIF metadata echo -ne "\\n metadata directory cleaned! \\n\\n" IMAGES='/var/www/html/subrion/uploads' META='/opt/metadata' FILE=`openssl rand -hex 5` LOGFILE="$META/$FILE" echo -ne "\\n Processing EXIF metadata now... \\n\\n" ls $IMAGES | grep "jpg" | while read filename; do exiftool "$IMAGES/$filename" >> $LOGFILE done echo -ne "\\n\\n Processing is finished! \\n\\n\\n"
- it runs
exiftoolagainst every jpg file on this directory
/var/www/html/subrion/uploads, let’s exploit that:
I used this script to create the exploit: https://github.com/OneSecCyber/JPEG_RCE .
- Generate a payload:
Inject the payload into a jpg file:
runme.jpgfile to the remote target on
/var/www/html/subrion/uploadsdirectory and wait a minute: