Astronaut Proving Grounds Write-Up
SUMMARY
This write-up covers the Astronaut machine from OffSec’s Proving Grounds, a Linux machine where an outdated CMS provided the initial foothold.
Port 80 hosted Grav CMS, vulnerable to a known RCE exploit that abuses arbitrary YAML configuration file reads to achieve remote code execution. After identifying the exploit with searchsploit and configuring the listener, a reverse shell was established as the user gravity.
Privilege escalation was achieved through a SUID PHP binary discovered during post-exploitation enumeration. Following the relevant GTFOBins technique for the PHP SUID binary, a root shell was obtained.
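The misconfiguration behind the escalation, a script interpreter carrying the setuid bit, can be audited for directly. The script below is an added example and not part of the original write-up; the list of interpreter names and the function names are assumptions of this example, not an exhaustive catalogue.

```shell
#!/bin/sh
# Added example: report setuid/setgid script interpreters under given paths.
# An interpreter with the setuid bit lets any local user run arbitrary code
# as the file's owner, so none of these should ever appear on a host.

# is_interpreter NAME: succeeds when NAME looks like a script interpreter.
# The name list is an assumption of this example; extend it for your fleet.
is_interpreter() {
    case "$1" in
        php|php[0-9]*|python|python[0-9]*|perl|perl[0-9]*) return 0 ;;
        ruby|ruby[0-9]*|node|nodejs|lua|lua[0-9]*)         return 0 ;;
        sh|bash|dash|zsh|ksh)                              return 0 ;;
        *)                                                 return 1 ;;
    esac
}

# audit_suid_interpreters DIR...: print one path per line, sorted.
# -type f skips symlinks such as /usr/bin/php, so the real versioned
# binary (for example php8.1) is what gets reported.
audit_suid_interpreters() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r path; do
        if is_interpreter "$(basename "$path")"; then
            printf '%s\n' "$path"
        fi
    done | sort
}

# When run with arguments, audit those directories and print the fix.
if [ "$#" -gt 0 ]; then
    audit_suid_interpreters "$@" | while IFS= read -r hit; do
        printf 'FINDING: %s has setuid/setgid set; fix: chmod u-s,g-s %s\n' \
            "$hit" "$hit"
    done
fi
```

Run it as root against directories such as /usr/bin and /usr/local/bin so that unreadable subtrees are not silently skipped.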
PATH TO FOLLOW
- Reconnaissance & Grav CMS Discovery on Port 80
- RCE Exploit Identification via searchsploit
- Reverse Shell as gravity
- SUID Binary Enumeration — PHP Binary Discovery
- GTFOBins PHP SUID Abuse
- Shell as Root
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.