Recent
OFFSEC - Proving Grounds - VANITY
·2106 words·10 mins
OFFSEC PG PRACTICE
RSYNC
NMAP
COMMAND INJECTION
Rsync on port 873 shares the web application source code; command injection gains initial access. Abuse an rsync cronjob with the -e option to get root.
OFFSEC - Proving Grounds - POSTFISH
·3193 words·15 mins
OFFSEC PG PRACTICE
SMTP-USER-ENUM
USERNAME_GENERATOR
HYDRA
IMAP
IMAPS
SENDEMAIL
PWNKIT
The PostFish website on port 80 and SMTP on port 25 reveal usernames. Hydra finds credentials, and sending an email with a reset link grants brian access. Pwnkit (CVE-2021-4034) escalates to root.
OFFSEC - Proving Grounds - RUSSIANDOLLS
·2291 words·11 mins
OFFSEC PG PRACTICE
PATH TRAVERSAL
NXC
SUDO 1.9.14-17 CVE-2025-32463
On port 8080 the website loads images via local HTTP URLs, which leads to open port 4242 running a FILE VIEWER app. Path traversal exposes passwords and allows access via SSH. sudo v1.9.15 is exploited for root access using the CVE-2025-32463 chroot escalation.
OFFSEC - Proving Grounds - DEVELOP
·4146 words·20 mins
OFFSEC PG PRACTICE
GIT
TCPDUMP
COMMAND INJECTION
IFS
PYTHON WEBSERVER POST
PWNKIT
Access the Git repository on port 80 for credentials, log in to the application on port 8080 and use command injection to retrieve an SSH key. Exploit CVE-2021-4034 to become root.
OFFSEC - Proving Grounds - PASSPORT
·2987 words·15 mins
OFFSEC PG PRACTICE
FEROXBUSTER
SSH2JOHN
JOHN
TMUX
Access website on port 80, extract credentials, log into FTP. Crack Luigi’s SSH key and gain initial access. Move laterally to luca and attach to a root tmux session for privilege escalation.
OFFSEC - Proving Grounds - SYBARIS
·1959 words·10 mins
OFFSEC PG PRACTICE
FTP
REDIS
NXC
PWNKIT
FTP on port 21 allows anonymous login and is writable. Redis 5.0.9 on port 6379 is exploitable: upload a Redis module via FTP and exploit Redis for pablo access, then use pwnkit (CVE-2021-4034) to escalate to root.
OFFSEC - Proving Grounds - DRIBBLE
·2272 words·11 mins
OFFSEC PG PRACTICE
NODE.JS
SUDO BARON SAMEDIT
Web application on port 3000 allows admin access via modified cookie. Exploit Sudo Baron Samedit (CVE-2021-3156) to gain root.
OFFSEC - Proving Grounds - LUNAR
·2959 words·14 mins
OFFSEC PG PRACTICE
STRCMP
LOG POISONING
SHOWMOUNT
NO_ROOT_SQUASH
NFS
Download zip from port 80, exploit PHP for LFI, use log poisoning for RCE as www-data. SSH with liam’s key for lateral movement and escalate to root via NFS no_root_squash.
OFFSEC - Proving Grounds - MARKETING
·2728 words·13 mins
OFFSEC PG PRACTICE
LIMESURVEY
MLOCATE
LimeSurvey 5.3.24 on port 80 has weak credentials, and RCE gives www-data access. Find credentials and move laterally to t.miller, use sudo sync.sh to reach m.sander, then sudo to root.
OFFSEC - Proving Grounds - SPLODGE
·2019 words·10 mins
OFFSEC PG PRACTICE
GIT
GIT-DUMPER
PYTHON_VIRTUAL_ENVIRONMENT
PREG_REPLACE
PWNKIT
Git repository on port 80 yields a password via git-dumper. Log in to the admin panel on 8080 and exploit preg_replace for initial access. Use pwnkit (CVE-2021-4034) to get root.
OFFSEC - Proving Grounds - SONA
·3001 words·15 mins
OFFSEC PG PRACTICE
NEXUS
SONATYPE
Brute-force the NEXUS admin password on port 23. Use the credentials on port 8081, where CVE-2020-10199 gives initial access. Move laterally to sona and edit the cronjob's base64.py for root.
OFFSEC - Proving Grounds - AUDIO
·1832 words·9 mins
OFFSEC PG PRACTICE
BURP
Port 80 allows MP3/MPEG uploads. Upload MP3 with .php extension via BURP to get initial access. Find MySQL credentials reused by jason to move laterally. Run /usr/bin/git with sudo to gain root.
OFFSEC - Proving Grounds - ERP
·2403 words·12 mins
OFFSEC PG PRACTICE
WEBERP
INOERP
SSH REMOTE PORT FORWARD
MONITORR
webERP on port 80 with weak credentials. SQL injection (CVE-2019-13292) reveals inoERP application, exploited for www-data access. SSH forwarding to port 8443 uncovers monitorr 1.7.6 which we can exploit for root.
OFFSEC - Proving Grounds - HETEMIT
·2153 words·11 mins
OFFSEC PG PRACTICE
WERKZEUG
SERVICE WRITABLE
Werkzeug/1.0.1 on port 50000 has an RCE endpoint that gives initial access as cmeeks. Edit /etc/systemd/system/pythonapp.service and use sudo to reboot the target to escalate to root.
OFFSEC - Proving Grounds - FLIMSY
·1545 words·8 mins
OFFSEC PG PRACTICE
APISIX
APT UPDATE
APT.CONF.D
OpenResty on port 43500 with APISIX/2.8 has an RCE vulnerability (CVE-2022-24112). Exploit this to get initial access, then write a custom script in /etc/apt/apt.conf.d to escalate to root via a cronjob.
OFFSEC - Proving Grounds - BANZAI
·2971 words·14 mins
OFFSEC PG PRACTICE
HYDRA
GOBUSTER
MYSQL
MYSQL UDF
GCC
FTP on port 21 with weak credentials holds the web directory for port 8295. Upload a PHP shell to gain initial access. A MySQL UDF exploit sets SUID on bash and allows us to escalate to root.
OFFSEC - Proving Grounds - WHEELS
·1818 words·9 mins
OFFSEC PG PRACTICE
XPATH
HASHCAT
The Wheels CarService website on port 80 has an XPATH injection vulnerability that yields credentials for initial access. A SUID binary with a path traversal vulnerability is used to dump /etc/shadow. Crack the hash with hashcat to gain root.
OFFSEC - Proving Grounds - BUNYIP
·3095 words·15 mins
OFFSEC PG PRACTICE
PWNKIT
The S3cur3 r3pl application on port 8000 is vulnerable to MD5 length extension; exploiting this gives initial access. Pwnkit (CVE-2021-4034) escalates to root.