Posts
2025
OFFSEC - Proving Grounds - DEPLOYER
·3782 words·18 mins
OFFSEC PG PRACTICE
FTP
PHP
PHP SERIALIZE
DOCKER
DOCKER BUILD
Anonymous FTP on port 21 gives site config and PHP code. Exploit LFI, drop PHP shell, gain initial access. Upload SSH key, use sudo docker build to get /opt/id_rsa.bak and escalate to root.
OFFSEC - Proving Grounds - CONVERTEX
·2078 words·10 mins
OFFSEC PG PRACTICE
XXE
SELENIUM
CHISEL
XXE in web application on port 5000 and leaks gustavo SSH private key for initial access. Forward selenium port 4444 with chisel, exploit with Python script to gain root.
OFFSEC - Proving Grounds - ZENPHOTO
·2772 words·14 mins
OFFSEC PG PRACTICE
ZENPHOTO
RDS
Website on port 80 runs ZENPHOTO 1.4.1.4, vulnerable to RCE exploit, granting www-data access. RDS Protocol LPE (CVE-2010-3904) escalates to root.
OFFSEC - Proving Grounds - PEPPO
·1634 words·8 mins
OFFSEC PG PRACTICE
IDENT-USER-ENUM
RBASH
ED
PWNKIT
Ident on port 113 reveals process owner eleanor on port 10000. SSH access via weak credentials to get initial access in rbash, escape rbash using ed, set PATH and exploit pwnkit (CVE-2021-4034) to gain root.
OFFSEC - Proving Grounds - PAYDAY
·2438 words·12 mins
OFFSEC PG PRACTICE
CS-CART
INTERNETSHOP on port 80 uses CS-CART. Weak credentials allow login and RCE via template editor with PHP webshell. Gain patrick user access via weak credentials and escalate to root using sudo bash.
OFFSEC - Proving Grounds - MZEEAV
·1935 words·10 mins
OFFSEC PG PRACTICE
BURP
Web application on port 80 has a ZIP backup with source code. Upload PHP webshell via MZ magic byte check, gain initial access and escalate to root using renamed find binary in /opt/fileS.
OFFSEC - Proving Grounds - SILICON
·1560 words·8 mins
OFFSEC PG PRACTICE
SQLMAP
KORTEX ADVOCATED software on port 8000 which has SQLi vulnerability (CVE-2024-7640). Dump and crack hashes for initial access, escalate to root via ruby3.1.
OFFSEC - Proving Grounds - CACTI
·1813 words·9 mins
OFFSEC PG PRACTICE
CACTI
Cacti v1.2.28 on port 80 exploited via CVE-2025-24367 for webshell, gaining initial access as www-data. Found credentials in config.php, reused to escalate to root.
OFFSEC - Proving Grounds - AIR
·2962 words·14 mins
OFFSEC PG PRACTICE
ARIA2 WEBUI
CHISEL
SSH-KEYGEN
Aria2 WebUI on port 8888 is vulnerable to path traversal (CVE-2023-39141). Steal deathflash SSH key for initial access, find RPC key, forward port 6800 with chisel, configure app, upload SSH key to root for root access.
OFFSEC - Proving Grounds - HAWAT
·1702 words·8 mins
OFFSEC PG PRACTICE
SQL INJECTION
Nextcloud runs on port 50080 with weak credentials and holds a ZIP file containing application code vulnerable to SQL injection. Abusing the SQL injection gives initial access as the root user.
OFFSEC - Proving Grounds - EDUCATED
·2704 words·13 mins
OFFSEC PG PRACTICE
FREE SCHOOL MANAGEMENT
MYSQL
APK
MOBSF
WISDOM SCHOOL site on port 80 has a Gosfem login page. RCE gives initial access. Crack msander’s hash, find emiller’s credentials in an APK. Sudo escalates to root via bash.
OFFSEC - Proving Grounds - SORCERER
·1918 words·10 mins
OFFSEC PG PRACTICE
GOBUSTER
SSH-KEYGEN
SCP
Zipfiles on port 7742 contain users home directories. A found id_rsa key allows scp only. Upload authorized_keys, gain SSH access, and use SUID binary to escalate to root.
OFFSEC - Proving Grounds - PIER
·1332 words·7 mins
OFFSEC PG PRACTICE
TORRENTPIER
Torrentpier on port 80 has an insecure object deserialization vulnerability (CVE-2024-1651) leading to RCE. Gain access as the pier user, then use sudo to run bash as root.
OFFSEC - Proving Grounds - GRAPH
·2351 words·12 mins
OFFSEC PG PRACTICE
GRAPHQL
CURL
BURP
HASHCAT
MKPASSWD
On port 80 is a GraphQL endpoint with SQL injection that leaks password hashes. Crack one for initial access. A Python script with newline injection sets josh’s password. As josh, read /etc/shadow, crack root’s hash and escalate to root.
OFFSEC - Proving Grounds - CLIPPER
·2475 words·12 mins
OFFSEC PG PRACTICE
CLIPBUCKETV5
LSOF
LDD
GCC
SETENV
LD_LIBRARY_PATH
ClipBucketV5 on port 80 has RCE vulnerability (CVE-2025-21624). Gain initial access and reuse credentials for lateral movement, exploit sudo lsof to set LD_LIBRARY_PATH and create own .so file to escalate to root.
OFFSEC - Proving Grounds - CHARLOTTE
·4141 words·20 mins
OFFSEC PG PRACTICE
SHOWMOUNT
GOBUSTER
BURP
EJS
SSH-KEYGEN
Use credentials or mount shares for application code. Leak creds via nginx (80) using BURP. Exploit RCE as www-data. Deploy JS to abuse a cronjob and move laterally. Escalate to root with sudo/bash.
OFFSEC - Proving Grounds - FAIL
·2555 words·12 mins
OFFSEC PG PRACTICE
RSYNC
FAIL2BAN
Upload SSH key via rsync for initial access. Abuse fail2ban’s actioncheck in iptables-multiport.conf and trigger it by failed SSH logins to escalate to root.
OFFSEC - Proving Grounds - TICO
·2993 words·15 mins
OFFSEC PG PRACTICE
NODEBB
BURP
Use OFFSEC SSH credentials for initial access or exploit NodeBB on 8080 (CVE-2020-15149) for admin access. Write SSH key to root’s authorized_keys to escalate to root.
OFFSEC - Proving Grounds - PHOBOS
·2992 words·15 mins
OFFSEC PG PRACTICE
GOBUSTER
SVN
BURP
PWNKIT
MONGODB
PYMONGO
Find svn directory on port 80, enumerate logs for hostname. Register user and exploit code for LFI/RCE and initial access, use pwnkit (CVE-2021-4034) or crack root SHA-512 from MongoDB to escalate to root.
OFFSEC - Proving Grounds - SHIFTDEL
·3543 words·17 mins
OFFSEC PG PRACTICE
WORDPRESS
PHPMYADMIN
Access via provided credentials or exploit WordPress 4.9.6 (CVE-2019-17671) for a password. Delete .htaccess, and get credentials, use phpMyAdmin RCE (CVE-2018-12613) for initial access and exploit command misconfiguration to get root.
OFFSEC - Proving Grounds - HUGS
·2377 words·12 mins
OFFSEC PG PRACTICE
HUGEGRAPH
ENV_KEEP
SSH with provided creds or exploit HugeGraph 1.2.0 (CVE-2024-27348) on port 8080 for initial access. Get mesbaha’s credentials from the rest-server.properties file and SSH in laterally, then exploit sudo /home/mesbaha/reporter.sh to become root.
OFFSEC - Proving Grounds - MANTIS
·3303 words·16 mins
OFFSEC PG PRACTICE
GOBUSTER
MANTISBT
MYSQL
PSPY
Gobuster finds /bugtracker with MantisBT 2.0. Exploit CVE-2017-12419 for MySQL credentials, crack a hash and get www-data via RCE. Mysqldump process runs with credentials and can be reused. Escalate using sudo.
OFFSEC - Proving Grounds - FRACTAL
·3258 words·16 mins
OFFSEC PG PRACTICE
SYMFONY PROFILER
PROFTPD
MYSQL
SSH-KEYGEN
Exploit Symfony 3.4.46 on port 80 via /_fragment RCE for initial access. Use MySQL creds from proftpd to add benoit user, log in via FTP, add SSH key, and escalate to root with sudo.
OFFSEC - Proving Grounds - DETECTION
·1087 words·6 mins
OFFSEC PG PRACTICE
CHANGEDETECTION
Exploit RCE in changedetection v0.45.1 on port 5000 to gain initial access as the root user.
OFFSEC - Proving Grounds - SYNAPSE
·3175 words·15 mins
OFFSEC PG PRACTICE
SSI
JOHN
GPG2JOHN
MD5SUM
SOCAT
Synapse web app on port 80 allows SSI abuse via profile picture upload. Gain www-data access, crack a GPG key passphrase to become the mindsflee user, then use sudo synapse_commander.py with socat to escalate to root.
OFFSEC - Proving Grounds - COBBLES
·2914 words·14 mins
OFFSEC PG PRACTICE
ZONEMINDER
HAPROXY
DOCKER ESCAPE
Gain initial access via credentials or ZoneMinder exploit. As www-data, exploit HAProxy failover to access backup server as root in Docker. Escalate by copying bash to shared mount for host root access.
OFFSEC - Proving Grounds - SIROL
·2888 words·14 mins
OFFSEC PG PRACTICE
KIBANA
GLUSTERFS
DOCKER ESCAPE
Exploit Kibana 6.5.0 (CVE-2019-7609) for initial access, then mount the host filesystem to get root or exploit glusterfs (CVE-2018-1088) to escalate to root via a created cronjob.
OFFSEC - Proving Grounds - OUTDATED
·2359 words·12 mins
OFFSEC PG PRACTICE
MPDF
EXIFTOOL
CHISEL
WEBMIN
SSH in, or gain initial access by exploiting the website through mPDF 6.0 and downloading credentials. Reuse those creds against Webmin on port 10000 to escalate to root.
OFFSEC - Proving Grounds - RUBYDOME
·1773 words·9 mins
OSCP
OFFSEC PG PRACTICE
PDFKIT
Access target via SSH or exploit CVE-2022-25765 on port 3000. Gain initial access as the andrew user, escalate to root via sudo ruby script.
OFFSEC - Proving Grounds - PYLOADER
·1286 words·7 mins
OSCP
OFFSEC PG PRACTICE
PYLOAD
Exploit CVE-2023-0297 on pyload (port 9666) via unauthenticated RCE to gain root access.
OFFSEC - Proving Grounds - BITFORGE
·4120 words·20 mins
OSCP
OFFSEC PG PRACTICE
SIMPLE ONLINE PLANNING
GIT
GIT-DUMPER
MYSQL
PSPY
FLASK
An exposed Git repository on port 80 leaks MySQL credentials. RCE in Simple Online Planning v1.52.01 gives initial access; pspy64 reveals jack’s credentials, and modifying a Flask script escalates to root.
OFFSEC - Proving Grounds - BOOLEAN
·2045 words·10 mins
OSCP
OFFSEC PG PRACTICE
SSH-KEYGEN
BURP
The login screen can be bypassed via a register JSON tweak and provides access to remi’s .ssh directory. Upload our own SSH key for initial access and obtain root’s private key for privilege escalation.
OFFSEC - Proving Grounds - LAVITA
·2978 words·14 mins
OSCP
OFFSEC PG PRACTICE
LARAVEL
SSH in, or exploit Laravel 8.4.0 with APP_DEBUG set to true to gain www-data access. Abuse skunk’s script to escalate to skunk, then use sudo /usr/bin/composer with an edited composer.json to escalate to root.
OFFSEC - Proving Grounds - PLUM
·1456 words·7 mins
OSCP
OFFSEC PG PRACTICE
PLUXML
PluXml on port 80 uses weak credentials. Edit page to add PHP reverse shell for initial access. Find root password in /var/mail/www-data.
OFFSEC - Proving Grounds - VMDAK
·3176 words·15 mins
OSCP
OFFSEC PG PRACTICE
PRISON MANAGEMENT SYSTEM
MYSQL
CHISEL
JENKINS
BURP
The prison management system on port 9443 is vulnerable to SQL injection and RCE. After initial access, recover MySQL creds and SSH in. With a port forward to 8080, exploit Jenkins (CVE-2024-23897) for root.
OFFSEC - Proving Grounds - SPX
·2018 words·10 mins
OSCP
OFFSEC PG PRACTICE
TINY FILE MANAGER
MAKE
Tiny File Manager 2.5.3 on port 80 is vulnerable to CVE-2024-42007; uploading a PHP reverse shell gives initial access. Writing our own Makefile that sets SUID on /bin/bash escalates privileges to root.
OFFSEC - Proving Grounds - IMAGE
·1245 words·6 mins
OSCP
OFFSEC PG PRACTICE
IMAGEMAGICK
ImageMagick 6.9.6-4 on port 80 exploited for initial access. SUID on the strace binary leads to root privilege escalation.
OFFSEC - Proving Grounds - BLACKGATE
·1478 words·7 mins
OSCP
OFFSEC PG PRACTICE
REDIS
PWNKIT
Redis 4.0.14 on port 6379 exploited for initial access. linpeas.sh reveals pwnkit vulnerability (CVE-2021-4034) which leads to privilege escalation.
OFFSEC - Proving Grounds - ZIPPER
·1811 words·9 mins
OSCP
OFFSEC PG PRACTICE
PHPWRAPPER
PSPY
Zipper website on port 80 allows file uploads. Use ZIP PHP wrapper for initial access and escalate to root via /opt/backup.sh script.
OFFSEC - Proving Grounds - OCHIMA
·1818 words·9 mins
OSCP
OFFSEC PG PRACTICE
MALTRAIL
PSPY
Maltrail 0.52 on port 8338 allows unauthenticated RCE, granting initial access. Exploit /var/backups/etc_Backup.sh as it’s run by root every minute, to escalate to root privileges.
OFFSEC - Proving Grounds - WORKAHOLIC
·2806 words·14 mins
OSCP
OFFSEC PG PRACTICE
WPPROBE
SQLMAP
HASHCAT
FTP
STRACE
GCC
Use OFFSEC creds or scan Wordpress. Exploit a Wordpress vulnerability (CVE-2024-9796), crack hashes for charlie/ted. FTP as ted and SSH in as charlie. Escalate to root via SUID binary with custom shared object.
OFFSEC - Proving Grounds - TWIGGY
·1213 words·6 mins
OSCP
OFFSEC PG PRACTICE
PYTHON VENV
SALTSTACK
SaltStack on port 8000 is vulnerable to CVE-2020-11651 and CVE-2020-11652, giving RCE and a root reverse shell.
OFFSEC - Proving Grounds - SCRUTINY
·2638 words·13 mins
OSCP
OFFSEC PG PRACTICE
VHOST
JOHN
SSH2JOHN
TEAMCITY
Initial access via OFFSEC credentials or the TeamCity CVE-2024-27198 exploit; obtain marcot’s id_rsa key and the passwords of multiple users. briand can run /usr/bin/systemctl as root, so escalate to root using the GTFOBins technique.
OFFSEC - Proving Grounds - PRESS
·1470 words·7 mins
OSCP
OFFSEC PG PRACTICE
MAGIC BYTE
FlatPress on port 8089 allows login with weak credentials, PHP reverse shell upload via GIF magic byte, and privilege escalation to root using sudo apt-get.
OFFSEC - Proving Grounds - FLU
·2194 words·11 mins
OSCP
OFFSEC PG PRACTICE
CONFLUENCE
PSPY
Atlassian Confluence 7.13.6 on port 8090 has CVE-2022-26134 exploit for initial access. Add reverse shell to script for root privileges.
OFFSEC - Proving Grounds - EXTPLORER
·2184 words·11 mins
OSCP
OFFSEC PG PRACTICE
EXTPLORER
HASHCAT
GROUP DISK
eXtplorer application on port 80 with weak credentials which allows PHP reverse shell. As www-data, we can’t read local.txt. Crack dora’s hash, switch to dora in disk group, read proof.txt.
OFFSEC - Proving Grounds - CLUE
·2656 words·13 mins
OSCP
OFFSEC PG PRACTICE
CASSANDRA WEB
FREESWITCH
Remote file read on Cassandra Web (port 3000) exposes cassie credentials. RCE via FreeSwitch (8021). As cassie, run cassandra-web as root, get a RSA key and login as root.
OFFSEC - Proving Grounds - HUB
·1491 words·7 mins
OSCP
OFFSEC PG PRACTICE
FUGUHUB
FuguHub 8.4 on port 8082 is vulnerable to RCE exploit (CVE-2024-27697), granting direct root access.
OFFSEC - Proving Grounds - FIRED
·1665 words·8 mins
OSCP
OFFSEC PG PRACTICE
OPENFIRE
OpenFire 4.7.3 on port 9090 is vulnerable to CVE-2023-32315. Exploit and upload a .jar plugin for RCE. Root password found in script file to escalate privileges.
OFFSEC - Proving Grounds - CRANE
·1533 words·8 mins
OSCP
OFFSEC PG PRACTICE
SUITECRM
SuiteCRM on port 80 has weak admin:admin credentials. Use CVE-2022-23940 for RCE, then escalate to root via sudo /usr/sbin/service.
OFFSEC - Proving Grounds - CODO
·1433 words·7 mins
OSCP
OFFSEC PG PRACTICE
CODOFORUM
GOBUSTER
Codoforum on port 80 uses weak credentials. Exploit CVE-2022-31854 to upload malicious PHP logo, gain initial access and find root password in /var/www/html.
OFFSEC - Proving Grounds - JORDAK
·1584 words·8 mins
OSCP
OFFSEC PG PRACTICE
JORANI
Jorani v1.0.0 on port 80 vulnerable to CVE-2023-26469, allows path traversal and code execution. User jordak has sudo access to /usr/bin/env, enabling root privilege escalation.
OFFSEC - Proving Grounds - LAW
·1640 words·8 mins
OSCP
OFFSEC PG PRACTICE
PSPY
Exploit CVE-2022-35914 on htmLawed 1.2.5 (port 80) with curl for RCE, get www-data shell. Pspy finds root script owned by www-data, run every minute. Add reverse shell, wait for root shell.
OFFSEC - Proving Grounds - WALLA
·1817 words·9 mins
OFFSEC PG PRACTICE
WFUZZ
PWNKIT
Brute-force login credentials on port 8091 with wfuzz, exploit RaspAP 2.5 (CVE-2020-24572) for initial access, then gain root via PwnKit.
OFFSEC - Proving Grounds - SNOOKUMS
·2366 words·12 mins
OFFSEC PG PRACTICE
MYSQL
OPENSSL
PHP Gallery v0.8 has an RFI flaw. Use a PHP shell, get michael’s MySQL creds and SSH in. linpeas finds /etc/passwd writable; set a root password hash with OpenSSL and gain root.
OFFSEC - Proving Grounds - QUACKERJACK
·2479 words·12 mins
OFFSEC PG PRACTICE
RCONFIG
rConfig on port 8081 has SQLi leaking the admin hash. CrackStation cracks it for credentials. CVE-2019-19509 grants access. A SUID find binary escalates to root.
OFFSEC - Proving Grounds - ASTRONAUT
·1519 words·8 mins
OSCP
OFFSEC PG PRACTICE
GRAVCMS
SSH with provided credentials or exploit GravCMS on port 80. Use SUID bit on php7.4 binary to escalate to root.
OFFSEC - Proving Grounds - BRATARINA
·1349 words·7 mins
OFFSEC PG PRACTICE
OPENSMTPD
SSH access with OFFSEC credentials, or exploit OpenSMTPD on port 25 for remote code execution as root.
OFFSEC - Proving Grounds - PC
·1370 words·7 mins
OSCP
OFFSEC PG PRACTICE
RPC
SSH or browser terminal on port 8000 for initial access. Escalate privileges via RPC server running as root using Python exploit script (CVE-2022-35411) to gain root access.
OFFSEC - Proving Grounds - NUKEM
·2010 words·10 mins
OFFSEC PG PRACTICE
WORDPRESS
DOSBOX
Access target via SSH or exploit WordPress with wpscan using simple-file-list vuln. Get http user, find commander creds in wp-config.php, use SUID dosbox for root.
OFFSEC - Proving Grounds - APEX
·2792 words·14 mins
OFFSEC PG PRACTICE
OPENEMR
MYSQL
FILEMANAGER
GOBUSTER
Exploit filemanager vuln on port 80 for OpenEMR SQL creds. Login to MySQL, get admin hash for app access. Use app exploit for initial access, reuse password for root escalation.
OFFSEC - Proving Grounds - NIBBLES
·1680 words·8 mins
OFFSEC PG PRACTICE
POSTGRES
PostgreSQL port open, default creds allow login. Command execution (9.3+) runs reverse shell for access. SUID find enables root escalation.
OFFSEC - Proving Grounds - LEVRAM
·1982 words·10 mins
OSCP
OFFSEC PG PRACTICE
GERAPY
Port 8000 redirects to GERAPY v0.9.7 login. Use default credentials for access. Auth RCE grants initial access. /usr/bin/python3.10 with cap_setuid=ep gives root.
OFFSEC - Proving Grounds - EXFILTRATED
·2598 words·13 mins
OSCP
OFFSEC PG PRACTICE
SUBRION CMS
PWNKIT
EXIFTOOL
SSH or Subrion CMS 4.2.1 file upload for access. Run linpeas to find CVE-2021-4034 (PwnKit) & cronjob with exiftool (CVE-2021-22204) for root.
OFFSEC - Proving Grounds - COCKPIT
·1370 words·7 mins
OSCP
OFFSEC PG PRACTICE
TAR
GOBUSTER
SQL inject login to get admin & additional creds. Use credentials in Ubuntu Web Console. Exploit sudo tar wildcard to escalate to root.
OFFSEC - Proving Grounds - PELICAN
·2073 words·10 mins
OSCP
OFFSEC PG PRACTICE
GCORE
Exploitable Exhibitor for ZooKeeper on port 8080. The initial access user has sudo rights for gcore, which can dump the password-store process memory to reveal root credentials.
OFFSEC - Proving Grounds - ZINO
·2524 words·12 mins
OFFSEC PG PRACTICE
NXC SMB
SMBCLIENT
Access server with SMB file and use a Python exploit for PHP webshell in Booked Scheduler. Escalate to root via cronjob.