Posts
2025
OFFSEC - Proving Grounds - SNOOKUMS
·2363 words·12 mins
OSCP
OFFSEC PG PRACTICE
MYSQL
OPENSSL
PHP Gallery v0.8 has an RFI flaw. Use PHP shell, get michael’s MySQL creds, SSH in, find writable /etc/passwd via linpeas, set root password with OpenSSL and gain root.
OFFSEC - Proving Grounds - QUACKERJACK
·2473 words·12 mins
OSCP
OFFSEC PG PRACTICE
RCONFIG
rConfig on port 8081 has SQLi leaking admin hash. CrackStation cracks it for credentials. CVE-2019-19509 grants access. SUID find binary escalates to root.
OFFSEC - Proving Grounds - ASTRONAUT
·1516 words·8 mins
OSCP
OFFSEC PG PRACTICE
GRAVCMS
SSH with provided credentials or exploit GravCMS on port 80. Use SUID bit on php7.4 binary to escalate to root.
OFFSEC - Proving Grounds - BRATARINA
·1348 words·7 mins
OSCP
OFFSEC PG PRACTICE
OPENSMTPD
SSH access with OFFSEC credentials or exploit OpenSMTPD on port 25 for remote code execution as root.
OFFSEC - Proving Grounds - PC
·1369 words·7 mins
OSCP
OFFSEC PG PRACTICE
RPC
SSH or browser terminal on port 8000 for initial access. Escalate privileges via RPC server running as root using Python exploit script (CVE-2022-35411) to gain root access.
OFFSEC - Proving Grounds - NUKEM
·2005 words·10 mins
OSCP
OFFSEC PG PRACTICE
WORDPRESS
DOSBOX
Access target via SSH or exploit WordPress with wpscan using simple-file-list vuln. Get http user, find commander creds in wp-config.php, use SUID dosbox for root.
OFFSEC - Proving Grounds - APEX
·2786 words·14 mins
OSCP
OFFSEC PG PRACTICE
OPENEMR
MYSQL
FILEMANAGER
GOBUSTER
Exploit filemanager vuln on port 80 for OpenEMR SQL creds. Login to MySQL, get admin hash for app access. Use app exploit for initial access, reuse password for root escalation.
OFFSEC - Proving Grounds - NIBBLES
·1674 words·8 mins
OSCP
OFFSEC PG PRACTICE
POSTGRES
PostgreSQL port open, default creds allow login. Command execution (9.3+) runs reverse shell for access. SUID find enables root escalation.
OFFSEC - Proving Grounds - LEVRAM
·1977 words·10 mins
OSCP
OFFSEC PG PRACTICE
GERAPY
Port 8000 redirects to GERAPY v0.9.7 login. Use default credentials for access. Auth RCE grants initial access. /usr/bin/python3.10 with cap_setuid=ep gives root.
OFFSEC - Proving Grounds - EXFILTRATED
·2597 words·13 mins
OSCP
OFFSEC PG PRACTICE
SUBRION CMS
PWNKIT
EXIFTOOL
SSH or Subrion CMS 4.2.1 file upload for access. Run linpeas to find CVE-2021-4034 (PwnKit) & cronjob with exiftool (CVE-2021-22204) for root.
OFFSEC - Proving Grounds - COCKPIT
·1373 words·7 mins
OSCP
OFFSEC PG PRACTICE
TAR
GOBUSTER
SQL injection on login to get admin & additional creds. Use credentials in Ubuntu Web Console. Exploit sudo tar wildcard to escalate to root.
OFFSEC - Proving Grounds - PELICAN
·2071 words·10 mins
OSCP
OFFSEC PG PRACTICE
GCORE
Exploitable Exhibitor for ZooKeeper on port 8080. Initial access user has gcore sudo privileges, can dump password-store process to reveal root credentials.
OFFSEC - Proving Grounds - ZINO
·2525 words·12 mins
OFFSEC PG PRACTICE
NXC SMB
SMBCLIENT
Access server with SMB file and use a Python exploit for PHP webshell in Booked Scheduler. Escalate to root via cronjob.