 Author

HEKK

Own The Grind

Recent

OFFSEC - Proving Grounds - DEPLOYER
·3782 words·18 mins
OFFSEC PG PRACTICE FTP PHP PHP SERIALIZE DOCKER DOCKER BUILD
Anonymous FTP on port 21 gives site config and PHP code. Exploit LFI, drop PHP shell, gain initial access. Upload SSH key, use sudo docker build to get /opt/id_rsa.bak and escalate to root.
OFFSEC - Proving Grounds - CONVERTEX
·2078 words·10 mins
OFFSEC PG PRACTICE XXE SELENIUM CHISEL
XXE in the web application on port 5000 leaks gustavo's SSH private key for initial access. Forward selenium port 4444 with chisel, exploit with Python script to gain root.
OFFSEC - Proving Grounds - MZEEAV
·1935 words·10 mins
OFFSEC PG PRACTICE BURP
Web application on port 80 has a ZIP backup with source code. Upload PHP webshell via MZ magic byte check, gain initial access and escalate to root using renamed find binary in /opt/fileS.
OFFSEC - Proving Grounds - PAYDAY
·2438 words·12 mins
OFFSEC PG PRACTICE CS-CART
INTERNETSHOP on port 80 uses CS-CART. Weak credentials allow login and RCE via template editor with PHP webshell. Gain patrick user access via weak credentials and escalate to root using sudo bash.
OFFSEC - Proving Grounds - PEPPO
·1634 words·8 mins
OFFSEC PG PRACTICE IDENT-USER-ENUM RBASH ED PWNKIT
Ident on port 113 reveals process owner eleanor on port 10000. SSH access via weak credentials to get initial access in rbash, escape rbash using ed, set PATH and exploit pwnkit (CVE-2021-4034) to gain root.
OFFSEC - Proving Grounds - ZENPHOTO
·2772 words·14 mins
OFFSEC PG PRACTICE ZENPHOTO RDS
Website on port 80 runs ZENPHOTO 1.4.1.4, vulnerable to RCE exploit, granting www-data access. RDS Protocol LPE (CVE-2010-3904) escalates to root.
OFFSEC - Proving Grounds - SILICON
·1560 words·8 mins
OFFSEC PG PRACTICE SQLMAP
KORTEX ADVOCATED software on port 8000 has an SQLi vulnerability (CVE-2024-7640). Dump and crack hashes for initial access, escalate to root via ruby3.1.
OFFSEC - Proving Grounds - AIR
·2962 words·14 mins
OFFSEC PG PRACTICE ARIA2 WEBUI CHISEL SSH-KEYGEN
Aria2 WebUI on port 8888 is vulnerable to path traversal (CVE-2023-39141). Steal deathflash SSH key for initial access, find RPC key, forward port 6800 with chisel, configure app, upload SSH key to root for root access.
OFFSEC - Proving Grounds - CACTI
·1813 words·9 mins
OFFSEC PG PRACTICE CACTI
Cacti v1.2.28 on port 80 exploited via CVE-2025-24367 for webshell, gaining initial access as www-data. Found credentials in config.php, reused to escalate to root.
OFFSEC - Proving Grounds - HAWAT
·1702 words·8 mins
OFFSEC PG PRACTICE SQL INJECTION
Nextcloud runs on port 50080 with weak credentials and has a ZIP file with SQL-vulnerable application code. Abusing the SQL injection, we get initial access as the root user.
OFFSEC - Proving Grounds - EDUCATED
·2704 words·13 mins
OFFSEC PG PRACTICE FREE SCHOOL MANAGEMENT MYSQL APK MOBSF
WISDOM SCHOOL site on port 80 has a Gosfem login page. RCE gives initial access. Crack msander’s hash, find emiller credentials in APK. Sudo escalates to root via bash.
OFFSEC - Proving Grounds - GRAPH
·2351 words·12 mins
OFFSEC PG PRACTICE GRAPHQL CURL BURP HASHCAT MKPASSWD
A GraphQL endpoint on port 80 has SQL injection, which yields hashes. Crack one for initial access. Python script with newline injection sets josh’s password. As josh, read /etc/shadow, crack root’s hash and escalate to root.
OFFSEC - Proving Grounds - PIER
·1332 words·7 mins
OFFSEC PG PRACTICE TORRENTPIER
Torrentpier on port 80 has an insecure object deserialization vulnerability (CVE-2024-1651) for RCE. Gain access as the pier user, use sudo to run bash as root.
OFFSEC - Proving Grounds - SORCERER
·1918 words·10 mins
OFFSEC PG PRACTICE GOBUSTER SSH-KEYGEN SCP
ZIP files on port 7742 contain users’ home directories. A found id_rsa key allows scp only. Upload authorized_keys, gain SSH access, and use SUID binary to escalate to root.
OFFSEC - Proving Grounds - CHARLOTTE
·4141 words·20 mins
OFFSEC PG PRACTICE SHOWMOUNT GOBUSTER BURP EJS SSH-KEYGEN
Use credentials or mount shares for application code. Leak creds via nginx (80) using BURP. Exploit RCE as www-data. Deploy JS to abuse a cronjob and move laterally. Escalate to root with sudo/bash.
OFFSEC - Proving Grounds - CLIPPER
·2475 words·12 mins
OFFSEC PG PRACTICE CLIPBUCKETV5 LSOF LDD GCC SETENV LD_LIBRARY_PATH
ClipBucketV5 on port 80 has an RCE vulnerability (CVE-2025-21624). Gain initial access and reuse credentials for lateral movement, exploit sudo lsof to set LD_LIBRARY_PATH and create your own .so file to escalate to root.
OFFSEC - Proving Grounds - FAIL
·2555 words·12 mins
OFFSEC PG PRACTICE RSYNC FAIL2BAN
Upload SSH key via rsync for initial access. Abuse fail2ban’s actioncheck in iptables-multiport.conf and trigger it by failed SSH logins to escalate to root.
OFFSEC - Proving Grounds - TICO
·2993 words·15 mins
OFFSEC PG PRACTICE NODEBB BURP
Use OFFSEC SSH credentials for initial access or exploit NodeBB on 8080 (CVE-2020-15149) for admin access. Write SSH key to root’s authorized_keys to escalate to root.