June 4, 2025

Image Proving Grounds Write-Up

Proving Grounds Image machine walkthrough

SUMMARY

This write-up covers the Image machine from OffSec’s Proving Grounds, a Linux machine where an image processing service leaked its version and proved vulnerable to command injection.

Port 80 hosted an ImageMagick-powered image upload service. Uploading a file leaked the version as 6.9.6-4, which is known to be vulnerable to command injection via an unsanitized filename. A crafted filename containing a shell command triggered execution, and a reverse shell was received as www-data.
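The bug class above is a user-controlled filename reaching the image processor. As an added defensive illustration, not code from the original post or from the target machine: an upload handler sketch that never lets the client-supplied name reach ImageMagick, naming the file itself from random bytes plus a content-derived extension, and invoking `convert` as an argv list with a pinned input coder (the accepted types and the resize parameters are assumptions).

```python
import os
import re
import secrets
import subprocess

# Magic-byte signatures for the image types the service accepts
# (assumption: PNG and JPEG only; extend as required).
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
}

# Only names this module generates are ever passed to the converter.
STORED_NAME = re.compile(r"[0-9a-f]{32}\.(png|jpg)")


def detect_type(data: bytes):
    """Return the image type by magic bytes, or None if not an accepted image."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def safe_stored_name(data: bytes) -> str:
    """Name the file ourselves: random hex plus an extension derived from content.
    The client-supplied filename is ignored entirely, so it cannot carry shell
    metacharacters or special ImageMagick filename syntax into processing."""
    ext = detect_type(data)
    if ext is None:
        raise ValueError("unsupported or non-image upload")
    return f"{secrets.token_hex(16)}.{ext}"


def convert_argv(stored_path: str, out_path: str) -> list:
    """Build the ImageMagick command as an argv list (no shell) with the input
    coder pinned, so the path is read only as a plain file of that format."""
    base = os.path.basename(stored_path)
    if not STORED_NAME.fullmatch(base):
        raise ValueError("refusing to process a path this module did not generate")
    ext = os.path.splitext(base)[1].lstrip(".")
    return ["convert", f"{ext}:{stored_path}", "-resize", "200x200", f"png:{out_path}"]


def process_upload(upload_dir: str, data: bytes) -> str:
    """Store the upload under a generated name and produce a PNG thumbnail."""
    path = os.path.join(upload_dir, safe_stored_name(data))
    with open(path, "wb") as fh:
        fh.write(data)
    out = path + ".thumb.png"
    subprocess.run(convert_argv(path, out), shell=False, check=True, timeout=30)
    return out
```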

Privilege escalation came from a SUID strace binary found during enumeration. Following the corresponding GTFOBins technique, the SUID context of strace was abused to spawn a root shell.


PATH TO FOLLOW

  1. Reconnaissance & ImageMagick Service Discovery on Port 80
  2. Version Leak via File Upload
  3. Malicious Filename Injection for RCE
  4. Reverse Shell as www-data
  5. SUID strace Binary Discovery
  6. GTFOBins Abuse & Shell as Root

Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.