PG: Astronaut
| ターゲット // Astronaut | |
|---|---|
| Platform | OffSec Proving Grounds |
| OS | Linux |
| Difficulty | Easy |
| IP | 192.168.155.12 |
Enumeration#
Nmap#
▶ Nmap output
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Two ports. SSH is a dead end without creds, so the web server is the way in. The Apache directory listing on port 80 exposes a grav-admin/ folder — a Grav CMS install. robots.txt confirms a stock Grav layout (/user/, /system/, /cache/…).
The version isn’t advertised anywhere, so this is a “take the shot” box — assume it’s old enough to be vulnerable and go looking for a known CVE.
Foothold#
Grav CMS RCE — CVE-2021-21425#
Grav’s Admin plugin is vulnerable to an unauthenticated RCE (CVE-2021-21425). The Metasploit module works, but on this box the callback shell dies within seconds — use the standalone PoC instead (CsEnox/CVE-2021-21425).
The PoC addresses the target by its vhost name, so map astronaut.offsec to the box in /etc/hosts first:
| |
Start a listener, then trigger the exploit with a base64-encoded bash reverse shell to survive quoting issues:
| |
Shell lands as the low-priv web user.
Privilege Escalation#
SUID php7.4 — GTFOBins#
OffSec boxes drown the one useful line in a wall of LinPEAS output, so read it carefully instead of skimming. Buried in the SUID scan is a non-standard entry:

/usr/bin/php7.4 carries the SUID bit. GTFOBins has a one-liner for exactly this — spawn a shell that preserves the elevated privileges:
| |
Root.
Proof#

Key Takeaways#
- When a CMS hides its version, don’t stall — check known CVEs for the product and take the shot. Grav’s Admin plugin (CVE-2021-21425) is a reliable unauth RCE.
- On OffSec boxes, prebuilt Metasploit callbacks often die instantly. Keep a standalone PoC and a manual reverse shell ready.
- Always read the full SUID list — a SUID interpreter (
php,python,perl) is an instant GTFOBins privilege escalation.