GOBUSTER

OFFSEC - Proving Grounds - BANZAI

21 September 2025·2971 words·14 mins

OFFSEC PG PRACTICE HYDRA GOBUSTER MYSQL MYSQL UDF GCC

FTP on port 21 with weak credentials holds web dirirectory for port 8295. Upload PHP shell to gain initial access. MySQL UDF exploit sets SUID on bash and allows us to escalates to root.

OFFSEC - Proving Grounds - SORCERER

7 September 2025·1918 words·10 mins

OFFSEC PG PRACTICE GOBUSTER SSH-KEYGEN SCP

Zipfiles on port 7742 contain users home directories. A found id_rsa key allows scp only. Upload authorized_keys, gain SSH access, and use SUID binary to escalate to root.

OFFSEC - Proving Grounds - CHARLOTTE

6 September 2025·4141 words·20 mins

OFFSEC PG PRACTICE SHOWMOUNT GOBUSTER BURP EJS SSH-KEYGEN

Use credentials or mount shares for application code. Leak creds via nginx (80) using BURP. Exploit RCE as www-data. Deploy JS to abuse a cronjob and move laterally. Escalate to root with sudo/bash.

OFFSEC - Proving Grounds - PHOBOS

3 September 2025·2992 words·15 mins

OFFSEC PG PRACTICE GOBUSTER SVN BURP PWNKIT MONGODB PYMONGO

Find svn directory on port 80, enumerate logs for hostname. Register user and exploit code for LFI/RCE and initial access, use pwnkit (CVE-2021-4034) or crack root SHA-512 from MongoDB to escalate to root.

OFFSEC - Proving Grounds - MANTIS

30 August 2025·3303 words·16 mins

OFFSEC PG PRACTICE GOBUSTER MANTISBT MYSQL PSPY

Gobuster finds /bugtracker with MantisBT 2.0. Exploit CVE-2017-12419 for MySQL credentials, crack a hash and get www-data via RCE. Mysqldump process runs with credentials and can be reused. Escalate using sudo.

OFFSEC - Proving Grounds - CODO

14 August 2025·1433 words·7 mins

OSCP OFFSEC PG PRACTICE CODOFORUM GOBUSTER

Codoforum on port 80 uses weak credentials. Exploit CVE-2022-31854 to upload malicious PHP logo, gain initial access and find root password in /var/www/html.

OFFSEC - Proving Grounds - APEX

20 July 2025·2792 words·14 mins

OFFSEC PG PRACTICE OPENEMR MYSQL FILEMANAGER GOBUSTER

Exploit filemanager vuln on port 80 for OpenEMR SQL creds. Login to MySQL, get admin hash for app access. Use app exploit for initial access, reuse password for root escalation.

OFFSEC - Proving Grounds - COCKPIT

15 July 2025·1370 words·7 mins

OSCP OFFSEC PG PRACTICE TAR GOBUSTER

SQL inject login to get admin & additional creds. Use credentials in Ubuntu Web Console. Exploit sudo tar wildcard to escalate to root.