PG: Exfiltrated
| ターゲット // Exfiltrated | |
|---|---|
| Platform | OffSec Proving Grounds |
| OS | Linux |
| Difficulty | Easy |
| IP | 192.168.192.163 |
Enumeration#
Nmap#
▶ Nmap output
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Port 80 redirects to exfiltrated.offsec — add it to /etc/hosts before anything else resolves. The site is a Subrion CMS install.
Foothold#
Subrion CMS — Authenticated RCE#
The admin panel at /panel/ accepts the laziest credential pair in the book: admin:admin. Once inside, the dashboard reports Subrion 4.2, which is vulnerable to an authenticated file-upload RCE (EDB-49876) — the uploader’s extension blacklist misses the PHP-executable .pht.
| |
Shell as www-data.
Privilege Escalation#
Root cron + exiftool — CVE-2021-22204#
A pair of files sits in /opt — a script and a metadata directory:
| |
It runs exiftool as root every minute (confirm with pspy) against any .jpg dropped into the Subrion uploads directory. That’s a direct line to CVE-2021-22204 — arbitrary code execution via a malicious DjVu-embedded image.
The naive exiftool "-comment<=payload" injection won’t trigger here — you need the real DjVu exploit. Generate a poisoned image carrying a reverse-shell payload, drop it in /var/www/html/subrion/uploads, and wait for the cron to swallow it.
Root.
Proof#

Key Takeaways#
- Always try trivial credentials (
admin:admin) on CMS panels before pulling out heavier tooling — Subrion handed over the panel for free. pspyis the fastest way to catch root cron jobs that never appear in/etc/crontab— the/optscript here fired every 60 seconds.- Any process feeding attacker-controllable files into a vulnerable
exiftoolis a CVE-2021-22204 privilege escalation. The-commenttrick is a red herring; use the DjVu PoC.