PSPY
OFFSEC - Proving Grounds - MANTIS
·3303 words·16 mins
OFFSEC PG PRACTICE
GOBUSTER
MANTISBT
MYSQL
PSPY
Gobuster finds /bugtracker with MantisBT 2.0. Exploit CVE-2017-12419 for MySQL credentials, crack a hash and get www-data via RCE. A mysqldump process runs with credentials that can be reused. Escalate using sudo.
OFFSEC - Proving Grounds - BITFORGE
·4120 words·20 mins
OSCP
OFFSEC PG PRACTICE
SIMPLE ONLINE PLANNING
GIT
GIT-DUMPER
MYSQL
PSPY
FLASK
Git on port 80 leaks MySQL credentials. RCE in Simple Planning v1.52.01 gives initial access; pspy64 reveals jack’s credentials, and changing a Flask script escalates to root.
OFFSEC - Proving Grounds - ZIPPER
·1811 words·9 mins
OSCP
OFFSEC PG PRACTICE
PHPWRAPPER
PSPY
The Zipper website on port 80 allows file uploads. Use the ZIP PHP wrapper for initial access and escalate to root via the /opt/backup.sh script.
OFFSEC - Proving Grounds - OCHIMA
·1818 words·9 mins
OSCP
OFFSEC PG PRACTICE
MALTRAIL
PSPY
Maltrail 0.52 on port 8338 allows unauthenticated RCE, granting initial access. Exploit /var/backups/etc_Backup.sh, which root runs every minute, to escalate to root privileges.
OFFSEC - Proving Grounds - FLU
·2194 words·11 mins
OSCP
OFFSEC PG PRACTICE
CONFLUENCE
PSPY
Atlassian Confluence 7.13.6 on port 8090 is vulnerable to CVE-2022-26134, which is exploited for initial access. Add a reverse shell to a script for root privileges.
OFFSEC - Proving Grounds - LAW
·1640 words·8 mins
OSCP
OFFSEC PG PRACTICE
PSPY
Exploit CVE-2022-35914 on htmLawed 1.2.5 (port 80) with curl for RCE and get a www-data shell. Pspy finds a root script owned by www-data that runs every minute. Add a reverse shell and wait for the root shell.