Exfiltrated Proving Grounds Write-Up
SUMMARY
This write-up covers the Exfiltrated machine from OffSec’s Proving Grounds, a Linux machine combining a CMS file upload with an exiftool-based privilege escalation.
Port 80 hosted a Subrion CMS 4.2.1 instance. Default credentials (admin:admin) granted access to the admin panel. A searchsploit exploit for this version uploaded a malicious PHP file, confirming command execution. A reverse shell was received as the web user.
Privilege escalation was found via process monitoring: a root cronjob ran a script that processed uploaded images with exiftool. A public exploit for a vulnerable exiftool version creates a malicious JPEG file that executes arbitrary commands when parsed. The crafted image was placed in the target directory, and waiting for the cronjob delivered a root shell.
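The root cause on the privilege-escalation side is a trust-boundary mistake: a root cron job feeds a file parser with input from a directory the web user can write to. The following audit script is an added example written for this write-up, not the machine's or the author's code; it parses an /etc/crontab-style file, follows one level into any shell script a root job runs, and flags every absolute path in those commands whose nearest existing component is owned by an untrusted user or is group/other-writable. The file layout it builds (a world-writable `uploads` directory, an `image-exif.sh` script, the crontab lines) is constructed for the demo; `trusted_uid` defaults to root for a real audit and is set to the current user in the demo because the temporary files are owned by whoever runs it.

```python
"""Audit system crontab entries for root jobs that consume input from
directories a lower-privileged user can write to (constructed example)."""
import os
import re
import stat
import tempfile

# absolute path tokens; glob characters and shell separators end a token
PATH_RE = re.compile(r"/[^\s;&|*'\"]+")


def parse_system_crontab(text):
    """Yield (user, command) for each active line of an /etc/crontab-style
    file (five time fields or one @-shortcut, a user field, then the command)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if "=" in tokens[0]:                 # environment line such as SHELL=/bin/sh
            continue
        n = 1 if tokens[0].startswith("@") else 5   # @daily-style entries have one time field
        parts = line.split(None, n + 1)
        if len(parts) < n + 2:
            continue
        yield parts[n], parts[n + 1]


def referenced_paths(command):
    """Absolute paths mentioned in a command, with trailing glob parts stripped."""
    return [m.rstrip("/") for m in PATH_RE.findall(command)]


def nearest_existing(path):
    """Walk up until a component of `path` exists on disk (None if none does)."""
    while path and not os.path.exists(path):
        path = os.path.dirname(path)
    return path or None


def writable_by_untrusted(path, trusted_uid=0):
    """True if the nearest existing component of `path` can be modified by a
    user other than `trusted_uid`: untrusted owner, or group/other write bit."""
    existing = nearest_existing(path)
    if existing is None:
        return False
    st = os.stat(existing)
    if st.st_uid != trusted_uid:
        return True
    return bool(st.st_mode & (stat.S_IWOTH | stat.S_IWGRP))


def paths_in_script(path):
    """One level of indirection: if the job runs a shell script, also collect
    the absolute paths that script mentions (comment lines ignored)."""
    try:
        with open(path) as fh:
            head = fh.read(65536)
    except OSError:                          # not a readable regular file
        return []
    if not head.startswith("#!"):
        return []
    return [p for line in head.splitlines()[1:]
            if not line.lstrip().startswith("#")
            for p in referenced_paths(line)]


def audit_crontab(text, trusted_uid=0):
    """Return [(command, path)] for root jobs touching untrusted-writable paths."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        candidates = referenced_paths(command)
        for p in list(candidates):
            candidates += paths_in_script(p)
        for p in candidates:
            if writable_by_untrusted(p, trusted_uid) and (command, p) not in findings:
                findings.append((command, p))
    return findings


def demo_layout(trusted_uid=None):
    """Constructed layout: a root cron job runs a script that feeds exiftool
    every JPEG in a world-writable upload directory. Returns (findings, script, uploads)."""
    if trusted_uid is None:
        trusted_uid = os.getuid()            # demo files are owned by the current user
    base = tempfile.mkdtemp()
    uploads = os.path.join(base, "uploads")
    os.mkdir(uploads)
    os.chmod(uploads, 0o777)                 # anyone on the box can drop a file here
    script = os.path.join(base, "image-exif.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\n# strip metadata from uploads\nexiftool -all= " + uploads + "/*.jpg\n")
    os.chmod(script, 0o755)
    crontab = ("# m h dom mon dow user command\n"
               "*/5 * * * * root " + script + "\n"
               "0 3 * * * www-data /usr/bin/php " + base + "/cron.php\n")
    return audit_crontab(crontab, trusted_uid), script, uploads


if __name__ == "__main__":
    found, _, _ = demo_layout()
    for cmd, path in found:
        print("root job %r reads from untrusted-writable path %s" % (cmd, path))
```

On a real host, run `audit_crontab(open("/etc/crontab").read())` plus the files under `/etc/cron.d`; any finding means root is parsing data an unprivileged user controls, and the fix is either to run the job as the owning user or to move the input out of reach of the upload path before processing it.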
PATH TO FOLLOW
- Reconnaissance & Subrion CMS Discovery
- Default Credential Login → PHP Upload via Searchsploit Exploit
- Reverse Shell as Web User
- Root Cronjob Discovery → exiftool Usage Identification
- Malicious JPEG Payload → Cronjob Execution → Shell as Root
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.