OSCP

OFFSEC - Proving Grounds - RUBYDOME
·1773 words·9 mins
OSCP OFFSEC PG PRACTICE PDFKIT
Access the target via SSH or exploit CVE-2022-25765 on port 3000. Gain initial access as the andrew user, then escalate to root via a sudo Ruby script.
OFFSEC - Proving Grounds - PYLOADER
·1286 words·7 mins
OSCP OFFSEC PG PRACTICE PYLOAD
Exploit CVE-2023-0297 on pyload (port 9666) via unauthenticated RCE to gain root access.
OFFSEC - Proving Grounds - BITFORGE
·4120 words·20 mins
OSCP OFFSEC PG PRACTICE SIMPLE ONLINE PLANNING GIT GIT-DUMPER MYSQL PSPY FLASK
Git on port 80 leaks MySQL credentials. RCE in Simple Planning v1.52.01 gives initial access; pspy64 reveals jack’s credentials, and modifying the Flask script escalates to root.
OFFSEC - Proving Grounds - BOOLEAN
·2045 words·10 mins
OSCP OFFSEC PG PRACTICE SSH-KEYGEN BURP
The login screen can be bypassed by tweaking the registration JSON, which provides access to remi’s .ssh directory. Upload our own SSH key for initial access and grab root’s private key for privilege escalation.
OFFSEC - Proving Grounds - LAVITA
·2978 words·14 mins
OSCP OFFSEC PG PRACTICE LARAVEL
SSH in or exploit Laravel 8.4.0 with APP_DEBUG set to true to gain www-data access. Abuse skunk’s script to escalate to skunk, then use sudo /usr/bin/composer to edit composer.json and escalate privileges.
OFFSEC - Proving Grounds - PLUM
·1456 words·7 mins
OSCP OFFSEC PG PRACTICE PLUXML
PluXml on port 80 uses weak credentials. Edit a page to add a PHP reverse shell for initial access. The root password is found in /var/mail/www-data.
OFFSEC - Proving Grounds - VMDAK
·3176 words·15 mins
OSCP OFFSEC PG PRACTICE PRISON MANAGEMENT SYSTEM MYSQL CHISEL JENKINS BURP
The prison management system on port 9443 is vulnerable to SQL injection and RCE. After initial access, MySQL creds allow us to SSH in. Using a port forward on 8080 we can exploit Jenkins (CVE-2024-23897) for root.
OFFSEC - Proving Grounds - SPX
·2018 words·10 mins
OSCP OFFSEC PG PRACTICE TINY FILE MANAGER MAKE
Tiny File Manager 2.5.3 on port 80: exploiting CVE-2024-42007 and uploading a PHP reverse shell gives initial access; writing our own Makefile to set SUID on /bin/bash escalates our privileges.
OFFSEC - Proving Grounds - IMAGE
·1245 words·6 mins
OSCP OFFSEC PG PRACTICE IMAGEMAGICK
ImageMagick 6.9.6-4 on port 80 exploited for initial access. SUID on the strace binary leads to root privilege escalation.
OFFSEC - Proving Grounds - BLACKGATE
·1478 words·7 mins
OSCP OFFSEC PG PRACTICE REDIS PWNKIT
Redis 4.0.14 on port 6379 exploited for initial access. linpeas.sh reveals the PwnKit vulnerability (CVE-2021-4034), which leads to privilege escalation.
OFFSEC - Proving Grounds - ZIPPER
·1811 words·9 mins
OSCP OFFSEC PG PRACTICE PHPWRAPPER PSPY
The Zipper website on port 80 allows file uploads. Use the ZIP PHP wrapper for initial access and escalate to root via the /opt/backup.sh script.
OFFSEC - Proving Grounds - OCHIMA
·1818 words·9 mins
OSCP OFFSEC PG PRACTICE MALTRAIL PSPY
Maltrail 0.52 on port 8338 allows unauthenticated RCE, granting initial access. Exploit /var/backups/etc_Backup.sh, which is run by root every minute, to escalate to root privileges.
OFFSEC - Proving Grounds - WORKAHOLIC
·2806 words·14 mins
OSCP OFFSEC PG PRACTICE WPPROBE SQLMAP HASHCAT FTP STRACE GCC
Use OFFSEC creds or scan WordPress. Exploit a WordPress vulnerability (CVE-2024-9796) and crack the hashes for charlie/ted. FTP in as ted and SSH in as charlie. Escalate to root via a SUID binary with a custom shared object.
OFFSEC - Proving Grounds - TWIGGY
·1213 words·6 mins
OSCP OFFSEC PG PRACTICE PYTHON VENV SALTSTACK
SaltStack on port 8000 is vulnerable to the CVE-2020-11651 & CVE-2020-11652 RCE exploit, enabling root reverse shell access.
OFFSEC - Proving Grounds - SCRUTINY
·2638 words·13 mins
OSCP OFFSEC PG PRACTICE VHOST JOHN SSH2JOHN TEAMCITY
Initial access via OFFSEC credentials or the TeamCity CVE-2024-27198 exploit; get marcot’s id_rsa key and the passwords of multiple users. Briand runs /usr/bin/systemctl as root; escalate to root using GTFOBins.
OFFSEC - Proving Grounds - PRESS
·1470 words·7 mins
OSCP OFFSEC PG PRACTICE MAGIC BYTE
FlatPress on port 8089 allows login with weak credentials, PHP reverse shell upload via GIF magic byte, and privilege escalation to root using sudo apt-get.
OFFSEC - Proving Grounds - FLU
·2194 words·11 mins
OSCP OFFSEC PG PRACTICE CONFLUENCE PSPY
Atlassian Confluence 7.13.6 on port 8090 is vulnerable to CVE-2022-26134, exploited for initial access. Add a reverse shell to a script for root privileges.
OFFSEC - Proving Grounds - EXTPLORER
·2184 words·11 mins
OSCP OFFSEC PG PRACTICE EXTPLORER HASHCAT GROUP DISK
The eXtplorer application on port 80 has weak credentials, which allows a PHP reverse shell. As www-data, we can’t read local.txt. Crack dora’s hash, switch to dora (in the disk group), and read proof.txt.
OFFSEC - Proving Grounds - CLUE
·2656 words·13 mins
OSCP OFFSEC PG PRACTICE CASSANDRA WEB FREESWITCH
Remote file read on Cassandra Web (port 3000) exposes cassie’s credentials. RCE via FreeSwitch (8021). As cassie, run cassandra-web as root, get an RSA key and log in as root.
OFFSEC - Proving Grounds - HUB
·1491 words·7 mins
OSCP OFFSEC PG PRACTICE FUGUHUB
FuguHub 8.4 on port 8082 is vulnerable to RCE exploit (CVE-2024-27697), granting direct root access.
OFFSEC - Proving Grounds - FIRED
·1665 words·8 mins
OSCP OFFSEC PG PRACTICE OPENFIRE
OpenFire 4.7.3 on port 9090 is vulnerable to CVE-2023-32315. Exploit it and upload a .jar plugin for RCE. The root password found in a script file escalates privileges.
OFFSEC - Proving Grounds - CRANE
·1533 words·8 mins
OSCP OFFSEC PG PRACTICE SUITECRM
SuiteCRM on port 80 has weak admin:admin credentials. Use CVE-2022-23940 for RCE, then escalate to root via sudo /usr/sbin/service.
OFFSEC - Proving Grounds - CODO
·1433 words·7 mins
OSCP OFFSEC PG PRACTICE CODOFORUM GOBUSTER
Codoforum on port 80 uses weak credentials. Exploit CVE-2022-31854 to upload a malicious PHP logo, gain initial access and find the root password in /var/www/html.
OFFSEC - Proving Grounds - JORDAK
·1584 words·8 mins
OSCP OFFSEC PG PRACTICE JORANI
Jorani v1.0.0 on port 80 is vulnerable to CVE-2023-26469, which allows path traversal and code execution. User jordak has sudo access to /usr/bin/env, enabling root privilege escalation.
OFFSEC - Proving Grounds - LAW
·1640 words·8 mins
OSCP OFFSEC PG PRACTICE PSPY
Exploit CVE-2022-35914 on htmLawed 1.2.5 (port 80) with curl for RCE and get a www-data shell. Pspy finds a root script owned by www-data that runs every minute. Add a reverse shell and wait for the root shell.
OFFSEC - Proving Grounds - ASTRONAUT
·1519 words·8 mins
OSCP OFFSEC PG PRACTICE GRAVCMS
SSH with the provided credentials or exploit GravCMS on port 80. Use the SUID bit on the php7.4 binary to escalate to root.
OFFSEC - Proving Grounds - PC
·1370 words·7 mins
OSCP OFFSEC PG PRACTICE RPC
SSH or the browser terminal on port 8000 for initial access. Escalate privileges via the RPC server running as root, using a Python exploit script (CVE-2022-35411) to gain root access.
OFFSEC - Proving Grounds - LEVRAM
·1982 words·10 mins
OSCP OFFSEC PG PRACTICE GERAPY
Port 8000 redirects to a GERAPY v0.9.7 login. Use default credentials for access. Authenticated RCE grants initial access. /usr/bin/python3.10 with cap_setuid=ep gives root.
OFFSEC - Proving Grounds - EXFILTRATED
·2598 words·13 mins
OSCP OFFSEC PG PRACTICE SUBRION CMS PWNKIT EXIFTOOL
SSH or the Subrion CMS 4.2.1 file upload for access. Run linpeas to find CVE-2021-4034 (PwnKit) and a cron job with exiftool (CVE-2021-22204) for root.
OFFSEC - Proving Grounds - COCKPIT
·1370 words·7 mins
OSCP OFFSEC PG PRACTICE TAR GOBUSTER
SQL inject the login to get admin and additional creds. Use the credentials in the Ubuntu Web Console. Exploit the sudo tar wildcard to escalate to root.
OFFSEC - Proving Grounds - PELICAN
·2073 words·10 mins
OSCP OFFSEC PG PRACTICE GCORE
Exploitable Exhibitor for ZooKeeper on port 8080. The initial access user has gcore sudo privileges and can dump the password-store process to reveal root credentials.