HASHCAT
OFFSEC - Proving Grounds - WHEELS
·1818 words·9 mins
OFFSEC PG PRACTICE
XPATH
HASHCAT
The Wheels CarService website on port 80 has an XPath injection vulnerability that yields credentials for initial access. A SUID binary with a path traversal vulnerability is used to dump /etc/shadow. Crack the hash with hashcat to gain root.
OFFSEC - Proving Grounds - GROOVE
·1418 words·7 mins
OFFSEC PG PRACTICE
CHURCHCRM
SQLMAP
HASHCAT
ChurchCRM 4.5.1 on port 80 has weak credentials. Using an SQL injection via sqlmap reveals the root hash. Cracking it grants root access.
OFFSEC - Proving Grounds - GRAPH
·2351 words·12 mins
OFFSEC PG PRACTICE
GRAPHQL
CURL
BURP
HASHCAT
MKPASSWD
Port 80 hosts a GraphQL endpoint with an SQL injection that exposes hashes. Crack one for initial access. A Python script with a newline injection sets josh’s password. As josh, read /etc/shadow, crack root’s hash and escalate to root.
OFFSEC - Proving Grounds - WORKAHOLIC
·2806 words·14 mins
OSCP
OFFSEC PG PRACTICE
WPPROBE
SQLMAP
HASHCAT
FTP
STRACE
GCC
Use the OFFSEC creds or scan WordPress. Exploit a WordPress vulnerability (CVE-2024-9796) and crack the hashes for charlie/ted. FTP in as ted and SSH in as charlie. Escalate to root via a SUID binary with a custom shared object.
OFFSEC - Proving Grounds - EXTPLORER
·2184 words·11 mins
OSCP
OFFSEC PG PRACTICE
EXTPLORER
HASHCAT
GROUP DISK
The eXtplorer application on port 80 has weak credentials, which allows a PHP reverse shell. As www-data, we can’t read local.txt. Crack dora’s hash, switch to dora, who is in the disk group, and read proof.txt.