Difficulty: Easy
Environment Setup#
export IP=192.168.148.12
Service Enumeration#
nmap -T4 -F $IP
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
nmap -sC -sV -T4 -Pn -p- -oA full_tcp $IP
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 98:4e:5d:e1:e6:97:29:6f:d9:e0:d4:82:a8:f6:4f:3f (RSA)
| 256 57:23:57:1f:fd:77:06:be:25:66:61:14:6d:ae:5e:98 (ECDSA)
|_ 256 c7:9b:aa:d5:a6:33:35:91:34:1e:ef:cf:61:a8:30:1c (ED25519)
80/tcp open http Apache httpd 2.4.41
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2021-03-17 17:46 grav-admin/
|_
|_http-title: Index of /
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Port 80 - HTTP#
Directory listing enabled:


Admin panel at /grav-admin/admin
Default credentials of admin:admin don’t work.
Initial Access#
Not immediately seeing the version, but found an exploit for version 1.10.7 https://www.exploit-db.com/exploits/49973.
I was able to use this script to gain a reverse shell on the target as www-data.

Privilege Escalation#
We don’t have any sudo privileges without the www-data user’s password.
While enumerating for SUID binaries, I found that /usr/bin/php7.4 has SUID enabled, meaning it will run as its owner, root. I referenced gtfobins to try gaining a reverse shell but was unsuccessful. Further, after attempting this, the binary somehow lost its SUID bit.