SSH-KEYGEN

OFFSEC - Proving Grounds - AIR

12 September 2025·2962 words·14 mins

OFFSEC PG PRACTICE ARIA2 WEBUI CHISEL SSH-KEYGEN

Aria2 WebUI on port 8888 is vulnerable to path traversal (CVE-2023-39141). Steal deathflash SSH key for initial access, find RPC key, forward port 6800 with chisel, configure app, upload SSH key to root for root access.

OFFSEC - Proving Grounds - SORCERER

7 September 2025·1918 words·10 mins

OFFSEC PG PRACTICE GOBUSTER SSH-KEYGEN SCP

Zipfiles on port 7742 contain users home directories. A found id_rsa key allows scp only. Upload authorized_keys, gain SSH access, and use SUID binary to escalate to root.

OFFSEC - Proving Grounds - CHARLOTTE

6 September 2025·4141 words·20 mins

OFFSEC PG PRACTICE SHOWMOUNT GOBUSTER BURP EJS SSH-KEYGEN

Use credentials or mount shares for application code. Leak creds via nginx (80) using BURP. Exploit RCE as www-data. Deploy JS to abuse a cronjob and move laterally. Escalate to root with sudo/bash.

OFFSEC - Proving Grounds - FRACTAL

30 August 2025·3258 words·16 mins

OFFSEC PG PRACTICE SYMFONY PROFILER PROFTPD MYSQL SSH-KEYGEN

Exploit Symfony 3.4.46 on port 80 via /_fragment RCE for initial access. Use MySQL creds from proftpd to add benoit user, log in via FTP, add SSH key, and escalate to root with sudo.

OFFSEC - Proving Grounds - BOOLEAN

23 August 2025·2045 words·10 mins

OSCP OFFSEC PG PRACTICE SSH-KEYGEN BURP

Login screen can be bypassed via register JSON tweak and provides access remi’s .ssh directory. Upload our own SSH key for initial access and get root’s private key for privilege escalation.