June 7, 2025

Levram Proving Grounds Write-Up

Proving Grounds Levram machine walkthrough

SUMMARY

This write-up covers the Levram machine from Offensive Security Proving Grounds, a Linux machine where a web scraping framework admin panel led to remote code execution.

Port 8000 hosted Gerapy 0.9.7, accessible with default credentials (admin:admin). This version is vulnerable to CVE-2021-43857, an authenticated RCE vulnerability whose exploit requires an existing project to target. After creating a project through the admin panel and re-running the exploit, a shell was returned as user app.

Privilege escalation was achieved by enumerating Linux capabilities. Python was found to have the cap_setuid=ep capability, allowing any user to change their UID arbitrarily. Calling os.setuid(0) via Python and spawning a shell elevated privileges to root.
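
The same capability enumeration from the defender's side, as an added example that is not part of the original write-up: a Python audit that parses `getcap -r` output and flags files holding identity-changing or permission-bypassing capabilities in their effective and permitted sets. The sample output, its paths, and the RISKY and INTERPRETERS lists are assumptions constructed for illustration.

```python
import re

# Capabilities that let a process change identity or bypass file permission checks.
RISKY = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
         "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner"}
# Programs that run caller-supplied code: a capability on them belongs to every local user.
INTERPRETERS = re.compile(r"/(python|perl|ruby|php|node|lua|gdb)[\d.]*$")
# "<path> cap_a,cap_b=ep" (current libcap) or "<path> = cap_a+ep" (older libcap).
LINE = re.compile(r"^(.+?) (?:= )?((?:[a-z_0-9,]*[=+][eip]*\s*)+)$")
CLAUSE = re.compile(r"([a-z_0-9,]*)[=+]([eip]*)")


def parse_getcap_line(line):
    """Return (path, {capability: flags}) for one getcap line, or None if malformed."""
    m = LINE.match(line.strip())
    if not m:
        return None
    caps = {}
    for names, flags in CLAUSE.findall(m.group(2)):
        for name in (names or "all").split(","):   # bare "=ep" means every capability
            caps[name] = caps.get(name, "") + flags
    return m.group(1), caps


def audit(getcap_output):
    """Flag files holding a risky capability in both the effective and permitted sets."""
    findings = []
    for parsed in map(parse_getcap_line, getcap_output.splitlines()):
        if parsed is None:
            continue
        path, caps = parsed
        hits = sorted(c for c, f in caps.items()
                      if {"e", "p"} <= set(f) and (c in RISKY or c == "all"))
        if hits:
            severity = "critical" if INTERPRETERS.search(path) else "review"
            findings.append((severity, path, hits))
    return findings


# Constructed sample of `getcap -r / 2>/dev/null` output; paths are illustrative.
SAMPLE = """\
/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.10 cap_setuid=ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/local/bin/backup cap_dac_read_search=ep
"""

if __name__ == "__main__":
    for severity, path, hits in audit(SAMPLE):
        print(f"[{severity}] {path}: {','.join(hits)}")
```

A "critical" finding on an interpreter is cleared by removing the file capability with `setcap -r <path>`; "review" findings need a check that the binary cannot be steered into arbitrary reads, writes or execution.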


PATH TO FOLLOW

  1. Reconnaissance & Gerapy Discovery on Port 8000
  2. Default Credential Login & Version Identification
  3. CVE-2021-43857 RCE (Project Creation Required)
  4. Shell as app
  5. Capability Enumeration — Python cap_setuid
  6. Shell as Root via UID Change

Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.