Proteus writeup

*** Vulnhub Download ***

netdiscover and nmap

Submit binary file


Inject XSS Payload in file

Getting session cookie


Login as admin


RCE in delete function and get reverse shell

The delete function takes a filename encoded in base64.

If we append a command after the filename and base64-encode the whole string, we can execute commands.

admin_login_logger has the SUID bit set.

Execute it:


Try it with random input.


OK, if we give a long string as input we can see that we overwrite the output filename.


With a unique pattern we find that after 456 bytes we overwrite the filename.

But what about the input? What input is written to the file?

We cannot read /var/log/proteus/log (where the binary originally writes), but we can download the binary and run it locally to read what it writes.


HEY, this is our input!!

Well done!

Adding an arbitrary user with root UID to /etc/passwd

Generate the hash for the passwd entry with:

python -c 'import crypt; print crypt.crypt("knx", "$6$saltsalt$")'

Then write the complete string into /etc/passwd, calculating the right length and offset.
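From the defender's side, the step above leaves a recognisable trace: an extra UID 0 entry whose crypt hash sits directly in /etc/passwd instead of /etc/shadow, usually preceded by a malformed line of overflow garbage. The audit below is an added example, not part of the original writeup; the sample passwd content, the "knx" entry and the hash value are constructed placeholders.

```python
import re

# Constructed sample of /etc/passwd, containing the pattern the writeup produces:
# a garbage line from the overflow, then a planted UID-0 account with an inline
# SHA-512 crypt hash (the hash value here is a placeholder, not a real hash).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "proteus:x:1000:1000:proteus,,,:/home/proteus:/bin/bash\n"
    "\x01\x02AAAAAAAA\n"
    "knx:$6$saltsalt$PLACEHOLDERHASH:0:0::/root:/bin/bash\n"
)

# crypt(3)-style hashes start with "$<id>$" (e.g. $1$, $5$, $6$, $y$)
CRYPT_HASH = re.compile(r"^\$[0-9a-z]+\$")


def audit_passwd(text):
    """Return (line_no, subject, reason) findings for entries that look like a
    planted root-equivalent account or overflow debris in /etc/passwd."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            # overflow garbage or a truncated entry; either way not a valid record
            findings.append((no, line, "malformed entry (expected 7 fields)"))
            continue
        user, pw, uid, gid, _gecos, _home, _shell = fields
        if not uid.isdigit() or not gid.isdigit():
            findings.append((no, user, "non-numeric UID/GID"))
            continue
        if int(uid) == 0 and user != "root":
            findings.append((no, user, "UID 0 account that is not root"))
        if pw not in ("x", "*", "!", "") and CRYPT_HASH.match(pw):
            findings.append((no, user, "password hash stored in /etc/passwd instead of /etc/shadow"))
    return findings


if __name__ == "__main__":
    for no, subject, reason in audit_passwd(SAMPLE_PASSWD):
        print("line %d: %s -> %s" % (no, subject, reason))
```

On a live host, run the same function over the contents of /etc/passwd (and compare against a known-good copy) as part of a privilege-escalation check.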

Finally, the FLAG.


ROOT alternatives

  1. We could overwrite /etc/crontab and add a reverse shell job every minute, but this does not work because crontab parsing is strict and the binary adds non-printable characters at the beginning of the strings.
  2. We could try to write our public id_rsa into authorized_keys, but this fails because the full path of authorized_keys is longer than the maximum length the binary handles.