Hi everyone
Today we are going to look for a Box called CVE-2023-6019 which is rated as intermediate in terms of difficulty. This machine has various phases: Recon, Enumeration and Exploitation.
Box Type: Linux
Recon & Enumeration
Enumeration plays a very significant role in pen testing. The more properly you enumerate the more it will be easy to get a foothold on the target.
First, we will check whether target is reachable or not with ping command:
ping Target_IP
With ping command output we found that the target is reachable.
Now let’s move ahead and run the port scan for which we will be using Nmap a popular tool for port scanning and it will provide details of the various ports which are in Open state. The command for that will be:
nmap -sC -sV -O -oA nmap/initial 192.168.126.37
nmap -sC -sV -O -p- -oA nmap/full 192.168.126.37 -T4
I discovered these ports are open:
- 22/tcp – SSH Service running OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
- 80/tcp – HTTP Service running aiohttp 3.9.1 (Python 3.8)
- Some other couple of ports were open
- OS: Linux
Exploitation
I found the exploit which was for Remote Code Execution (RCE) vulnerability in the Ray Dashboard (Ray 2.6.3). The flaw allows attackers to inject malicious commands via the cpu_profile endpoint due to insecure handling of the profile_file_path parameter, providing unauthorized access to the system:
I started the netcat listener:
The above image shows the proof.txt file.
Key Takeaways
- Enumerate everything first — service versions often map directly to CVEs.
- Validate exploits fast — don’t overcomplicate known vulnerabilities.
- Stabilize your shell early — better access means better enumeration.
- Check sudo & privileged binaries — common path to root.
- If root runs something writable, you control execution.
- Privesc is simple — find what runs as root and abuse it.
If you enjoyed this post, share it with your friends and colleagues!