Flu Proving Grounds Write-Up
SUMMARY
This write-up covers the Flu machine from OffSec’s Proving Grounds, a Linux machine where a well-known Confluence vulnerability provides initial access.
Port 8090 hosted Confluence 7.13.6, which is vulnerable to CVE-2022-26134, an OGNL template injection leading to unauthenticated RCE. Exploiting this vulnerability delivered a reverse shell as the confluence user.
Privilege escalation was found through process monitoring. A cronjob running as root executed a script that was owned and writable by the confluence user. Injecting a reverse shell payload into the script and waiting for the cron interval delivered a shell as root.
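The misconfiguration behind this escalation can be audited for directly. The following is an added example, not part of the original write-up: it lists absolute paths named in root's cron commands and reports any that an account other than root could modify. It assumes the system crontab format used by /etc/crontab and /etc/cron.d (five time fields, user, command); the sample entries and paths are constructed.

```python
import os
import shlex
import stat

# Constructed sample in /etc/crontab format: five time fields, user, command.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
*/5 * * * * root /opt/example/log-backup.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
0 3 * * * www-data /usr/local/bin/cleanup.sh
"""

def root_cron_paths(crontab_text, user="root"):
    """Return absolute paths named in commands that cron runs as `user`."""
    paths = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7 or fields[5] != user:
            continue  # variable assignment, short line, or another account
        for token in shlex.split(fields[6]):
            if token.startswith("/") and token != "/" and token not in paths:
                paths.append(token)
    return paths

def write_risks(path, trusted_uid=0):
    """List reasons an account other than `trusted_uid` could modify `path`."""
    try:
        st = os.stat(path)
    except OSError:
        return ["missing"]  # a missing target may be creatable by the dir owner
    risks = []
    if st.st_uid != trusted_uid:
        risks.append("owned by uid %d" % st.st_uid)
    for bit, name in ((stat.S_IWGRP, "group-writable"), (stat.S_IWOTH, "world-writable")):
        if st.st_mode & bit:
            risks.append(name)
    return risks

def audit(crontab_text, trusted_uid=0):
    """Map each path in a root cron command to its write risks, if any."""
    checked = {p: write_risks(p, trusted_uid) for p in root_cron_paths(crontab_text)}
    return {p: r for p, r in checked.items() if r}

if __name__ == "__main__":
    print(audit(SAMPLE_CRONTAB))
```

The check covers the file itself only; a writable parent directory allows the same replacement and needs a separate pass.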
PATH TO FOLLOW
- Reconnaissance & Confluence Version Identification
- CVE-2022-26134 OGNL Injection → Reverse Shell as confluence
- Writable Cronjob Script Discovery
- Reverse Shell Injection → Shell as Root
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.