Skip to main content
Author

HEKK

Never settle on digital disruption

Recent

OFFSEC - Proving Grounds - SNOOKUMS
·2363 words·12 mins
OSCP OFFSEC PG PRACTICE MYSQL OPENSSL
PHP Gallery v0.8 has a RFI flaw. Use PHP shell, get michael’s MySQL creds, SSH in, find writable /etc/passwd via linpeas, set root password with OpenSSL and gain root.
OFFSEC - Proving Grounds - ASTRONAUT
·1516 words·8 mins
OSCP OFFSEC PG PRACTICE GRAVCMS
SSH with provided credentials or exploit GravCMS on port 80. Use SUID bit on php7.4 binary to escalate to root.
OFFSEC - Proving Grounds - QUACKERJACK
·2473 words·12 mins
OSCP OFFSEC PG PRACTICE RCONFIG
rConfig on port 8081 has SQLi leaking admin hash. CrackStation decrypts it for credentials. CVE-2019-19509 grants access. SUID find binary escalates to root.
OFFSEC - Proving Grounds - BRATARINA
·1348 words·7 mins
OSCP OFFSEC PG PRACTICE OPENSTMPD
SSH access with OFFSEC credentials or exploit OpenSTMPD on port 25 for remote code execution as root.
OFFSEC - Proving Grounds - APEX
·2786 words·14 mins
OSCP OFFSEC PG PRACTICE OPENEMR MYSQL FILEMANAGER GOBUSTER
Exploit filemanager vuln on port 80 for OpenEMR SQL creds. Login to MySQL, get admin hash for app access. Use app exploit for initial access, reuse password for root escalation.
OFFSEC - Proving Grounds - NUKEM
·2005 words·10 mins
OSCP OFFSEC PG PRACTICE WORDPRESS DOSBOX
Access target via SSH or exploit WordPress with wpscan using simple-file-list vuln. Get http user, find commander creds in wp-config.php, use SUID dosbox for root.
OFFSEC - Proving Grounds - PC
·1369 words·7 mins
OSCP OFFSEC PG PRACTICE RPC
SSH or browser terminal on port 8000 for initial access. Escalate privileges via RPC server running as root using Python exploit script (CVE-2022-35411) to gain root access.
OFFSEC - Proving Grounds - LEVRAM
·1977 words·10 mins
OSCP OFFSEC PG PRACTICE GERAPY
Port 8000 redirects to GERAPY v0.9.7 login. Use default credentials for access. Auth RCE grants initial access. /usr/bin/python3.10 with cap_setuid=ep gives root.
OFFSEC - Proving Grounds - NIBBLES
·1674 words·8 mins
OSCP OFFSEC PG PRACTICE POSTGRES
PostgreSQL port open, default creds allow login. Command execution (9.3+) runs reverse shell for access. SUID find enables root escalation.
OFFSEC - Proving Grounds - EXFILTRATED
·2597 words·13 mins
OSCP OFFSEC PG PRACTICE SUBRION CMS PWNKIT EXIFTOOL
SSH or Subrion CMS 4.2.1 file upload for access. Run linpeas to find CVE-2021-4034 (PwnKit) & cronjob with exiftool (CVE-2021-22204) for root.
OFFSEC - Proving Grounds - COCKPIT
·1373 words·7 mins
OSCP OFFSEC PG PRACTICE TAR GOBUSTER
SQL inject login to get admin & additional creds. Use credentials in Ubuntu Web Console. Exploit sudo tar wildcard to escalate to root.
OFFSEC - Proving Grounds - PELICAN
·2071 words·10 mins
OSCP OFFSEC PG PRACTICE GCORE
Exploitable Exhibitor for ZooKeeper on port 8080. Initial access user has gcore sudo privileges, can dump password-store process to reveal root credentials.