OSCP
OFFSEC - Proving Grounds - LAW
·1637 words·8 mins
OSCP
OFFSEC PG PRACTICE
PSPY
Exploit CVE-2022-35914 on htmLawed 1.2.5 (port 80) with curl for RCE, get www-data shell. Pspy finds a root script owned by www-data that runs every minute. Add reverse shell, wait for root shell.
OFFSEC - Proving Grounds - ASTRONAUT
·1516 words·8 mins
OSCP
OFFSEC PG PRACTICE
GRAVCMS
SSH with provided credentials or exploit GravCMS on port 80. Use SUID bit on php7.4 binary to escalate to root.
OFFSEC - Proving Grounds - PC
·1369 words·7 mins
OSCP
OFFSEC PG PRACTICE
RPC
SSH or browser terminal on port 8000 for initial access. Escalate privileges via RPC server running as root using Python exploit script (CVE-2022-35411) to gain root access.
OFFSEC - Proving Grounds - LEVRAM
·1977 words·10 mins
OSCP
OFFSEC PG PRACTICE
GERAPY
Port 8000 redirects to GERAPY v0.9.7 login. Use default credentials for access. Authenticated RCE grants initial access. /usr/bin/python3.10 with cap_setuid=ep gives root.
OFFSEC - Proving Grounds - EXFILTRATED
·2597 words·13 mins
OSCP
OFFSEC PG PRACTICE
SUBRION CMS
PWNKIT
EXIFTOOL
SSH or Subrion CMS 4.2.1 file upload for access. Run linpeas to find CVE-2021-4034 (PwnKit) & cronjob with exiftool (CVE-2021-22204) for root.
OFFSEC - Proving Grounds - COCKPIT
·1373 words·7 mins
OSCP
OFFSEC PG PRACTICE
TAR
GOBUSTER
SQL injection on the login to get admin & additional creds. Use credentials in Ubuntu Web Console. Exploit sudo tar wildcard to escalate to root.
OFFSEC - Proving Grounds - PELICAN
·2071 words·10 mins
OSCP
OFFSEC PG PRACTICE
GCORE
Exploitable Exhibitor for ZooKeeper on port 8080. Initial access user has gcore sudo privileges, can dump password-store process to reveal root credentials.