PWNKIT
OFFSEC - Proving Grounds - POSTFISH
·3193 words·15 mins
OFFSEC PG PRACTICE
SMTP-USER-ENUM
USERNAME_GENERATOR
HYDRA
IMAP
IMAPS
SENDEMAIL
PWNKIT
The PostFish website on port 80 and SMTP on port 25 reveal usernames. Hydra finds credentials; sending an email with a reset link grants access as brian. PwnKit (CVE-2021-4034) escalates to root.
OFFSEC - Proving Grounds - DEVELOP
·4146 words·20 mins
OFFSEC PG PRACTICE
GIT
TCPDUMP
COMMAND INJECTION
IFS
PYTHON WEBSERVER POST
PWNKIT
Access the Git repository on port 80 for credentials, log in to the application on port 8080 and use command injection to retrieve an SSH key. Exploit CVE-2021-4034 (PwnKit) to become root.
OFFSEC - Proving Grounds - SYBARIS
·1959 words·10 mins
OFFSEC PG PRACTICE
FTP
REDIS
NXC
PWNKIT
FTP on port 21 allows anonymous login and is writable. Upload a Redis module via FTP and load it into Redis 5.0.9 on port 6379 for access as pablo, then use PwnKit (CVE-2021-4034) to escalate to root.
OFFSEC - Proving Grounds - SPLODGE
·2019 words·10 mins
OFFSEC PG PRACTICE
GIT
GIT-DUMPER
PYTHON_VIRTUAL_ENVIRONMENT
PREG_REPLACE
PWNKIT
A Git repository on port 80 dumped with git-dumper yields a password. Log in to the admin panel on port 8080 and exploit preg_replace for initial access. Use PwnKit (CVE-2021-4034) to get root.
OFFSEC - Proving Grounds - BUNYIP
·3095 words·15 mins
OFFSEC PG PRACTICE
PWNKIT
The S3cur3 r3pl application on port 8000 is vulnerable to an MD5 length-extension attack; exploiting it gives initial access. PwnKit (CVE-2021-4034) escalates to root.
OFFSEC - Proving Grounds - SPAGHETTI
·2624 words·13 mins
OFFSEC PG PRACTICE
IRC
PYBOT
PWNKIT
IRC server on port 6667; a message to the bot gives access to its source code. Analyzing the code gives code execution and initial access. A PwnKit exploit is used to escalate to root.
OFFSEC - Proving Grounds - PEPPO
·1634 words·8 mins
OFFSEC PG PRACTICE
IDENT-USER-ENUM
RBASH
ED
PWNKIT
Ident on port 113 reveals eleanor as the owner of the process on port 10000. SSH with weak credentials gives initial access in rbash; escape rbash using ed, set PATH and exploit PwnKit (CVE-2021-4034) to gain root.
OFFSEC - Proving Grounds - PHOBOS
·2992 words·15 mins
OFFSEC PG PRACTICE
GOBUSTER
SVN
BURP
PWNKIT
MONGODB
PYMONGO
Find an svn directory on port 80 and enumerate its logs for a hostname. Register a user and exploit the code for LFI/RCE and initial access; use PwnKit (CVE-2021-4034) or crack the root SHA-512 hash from MongoDB to escalate to root.
OFFSEC - Proving Grounds - BLACKGATE
·1478 words·7 mins
OSCP
OFFSEC PG PRACTICE
REDIS
PWNKIT
Redis 4.0.14 on port 6379 is exploited for initial access. linpeas.sh reveals the PwnKit vulnerability (CVE-2021-4034), which leads to privilege escalation.
OFFSEC - Proving Grounds - WALLA
·1817 words·9 mins
OFFSEC PG PRACTICE
WFUZZ
PWNKIT
Wfuzz finds login credentials on port 8091; RaspAP 2.5 is exploited via CVE-2020-24572, then root is gained via PwnKit.
OFFSEC - Proving Grounds - EXFILTRATED
·2598 words·13 mins
OSCP
OFFSEC PG PRACTICE
SUBRION CMS
PWNKIT
EXIFTOOL
SSH or a Subrion CMS 4.2.1 file upload for access. Run linpeas to find CVE-2021-4034 (PwnKit) and a cron job running exiftool (CVE-2021-22204) for root.