Exfiltrated 🔹

Enumeration

Add exfiltrated.offsec to /etc/hosts.
The webserver shows a Kickstart page.

We can log in with admin:admin.

Initial Access
The authenticated file upload RCE for Subrion CMS 4.2.1 applies here: https://github.com/Swammers8/SubrionCMS-4.2.1-File-upload-RCE-auth-

Privilege Escalation
Get a reverse shell.

A script that calls exiftool is executed every minute.

Following this guide on the ExifTool command injection (CVE-2021-22204), we can generate a malicious JPG: https://ine.com/blog/exiftool-command-injection-cve-2021-22204-exploitation-and-prevention-strategies
Transfer the JPG with the payload to the path of the script and set up a listener.
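
For defenders, the finding above comes down to two checks: is the installed ExifTool in the range affected by CVE-2021-22204, and does a frequently scheduled job call it? The audit script below is an added example, not part of the original write-up; the function names are hypothetical, the affected range (7.44 through 12.23, fixed in 12.24) comes from the public CVE record rather than this page, and the crontab lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the original write-up. Function names are hypothetical.
# Assumption: CVE-2021-22204 affects ExifTool 7.44 through 12.23 (fixed in 12.24).

# Succeeds (exit 0) only when the given ExifTool version is in the affected range.
exiftool_is_affected() {
    awk -v v="$1" 'BEGIN {
        if (v !~ /^[0-9]+\.[0-9]+$/) exit 2     # not a version string
        exit !(v + 0 >= 7.44 && v + 0 < 12.24)
    }'
}

# Reads /etc/crontab-style lines (m h dom mon dow user command) on stdin and
# prints "user command" for every job scheduled to run each minute.
every_minute_jobs() {
    awk '/^[ \t]*#/ { next }                    # skip comment lines
         NF >= 7 && $1 == "*" && $2 == "*" && $3 == "*" && $4 == "*" && $5 == "*" {
             cmd = $7
             for (i = 8; i <= NF; i++) cmd = cmd " " $i
             print $6, cmd
         }'
}

# Filters "user command" lines down to jobs that invoke exiftool, either in the
# command itself or inside a script file named in the command.
jobs_calling_exiftool() (
    set -f                                      # no globbing while splitting words
    while read -r user cmd; do
        hit=no
        case "$cmd" in *exiftool*) hit=yes ;; esac
        for word in $cmd; do
            if [ -f "$word" ] && grep -q exiftool "$word"; then hit=yes; fi
        done
        if [ "$hit" = yes ]; then printf '%s %s\n' "$user" "$cmd"; fi
    done
)

# Constructed sample (not taken from the target): one cron entry and its script.
demo() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\nexiftool /path/to/uploads/*.jpg\n' > "$dir/scan.sh"
    printf '%s\n' "# m h dom mon dow user command" \
        "* * * * * root sh $dir/scan.sh" \
        "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf" |
        every_minute_jobs | jobs_calling_exiftool
    rm -rf "$dir"
}
demo
```

On a host, pass the output of `exiftool -ver` to `exiftool_is_affected` and pipe `/etc/crontab` through the other two functions.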


Post Exploitation
Get the flags.
