Latest Write-ups

Proving Grounds - Cockpit

Box Overview
Cockpit is a Linux machine from Offensive Security’s Proving Grounds that demonstrates web enumeration, SSH key injection via a web management interface, and sudo privilege escalation through tar wildcard exploitation.

Enumeration
Nmap Scan
    sudo nmap -sS -sC -A 192.168.227.10 -T4 -oN first.scan -p-

Open Ports:
    22/tcp - SSH (OpenSSH 8.2p1 Ubuntu)
    80/tcp - HTTP (Apache 2.4.41)
    9090/tcp - SSL/zeus-admin (Web management interface)

Web Enumeration
Port 80 - Apache
Initial inspection revealed a static template website with no obvious vulnerabilities.


Proving Grounds - Press

Box Overview
Press is a Linux machine from Offensive Security’s Proving Grounds featuring exploitation of FlatPress CMS and privilege escalation through apt-get sudo misconfiguration.

Enumeration
Nmap Scan
    sudo nmap -sS -sC -A 192.168.227.29 -T4 -oN first.scan -p-

Open Ports:
    22/tcp - SSH (OpenSSH 8.4p1 Debian)
    80/tcp - HTTP (Apache 2.4.56) - “Lugx Gaming Shop HTML5 Template”
    8089/tcp - HTTP (Apache 2.4.56) - FlatPress fp-1.2.1 ✅

Service Identification
Port 8089 is running FlatPress - a flat-file blogging engine (no database required).


Proving Grounds - Hub

Box Overview
Hub is a Linux machine from Offensive Security’s Proving Grounds featuring FuguHub - a web-based file server with an unauthenticated remote code execution vulnerability. This box demonstrates the importance of patching known CVEs and proper authentication mechanisms.

Enumeration
Nmap Scan
    sudo nmap -sS -sC -A 192.168.229.25 -T4 -oN first.scan

Open Ports:
    22/tcp - SSH (OpenSSH 8.4p1 Debian)
    80/tcp - HTTP (nginx 1.18.0) - 403 Forbidden
    8082/tcp - HTTP (Barracuda Embedded Web Server) - FuguHub
    9999/tcp - HTTPS (Barracuda Embedded Web Server) - FuguHub SSL

Service Analysis
Port 8082 - FuguHub
Interesting findings:


Proving Grounds - Boolean

Box Overview
Boolean is a Linux machine from Offensive Security’s Proving Grounds featuring parameter tampering for authentication bypass, local file inclusion, SSH key injection, and lateral movement to root via stored SSH keys.

Enumeration
Nmap Scan
    nmap -sS -sC -A -T4 -oN first.scan -p- 192.168.229.231

Open Ports:
    22/tcp - SSH (OpenSSH 7.9p1 Debian)
    80/tcp - HTTP (Custom web application - “Boolean”)
    3000/tcp - Closed (ppp)
    33017/tcp - HTTP (Apache 2.4.38 - “Development”)

Web Enumeration
Port 80 - Boolean Application
Main application redirects to /login page.


HackTheBox - Pandora

Enumeration
Nmap Scan
Initial reconnaissance revealed the following services:
    nmap -sC -sV -p- 10.10.11.136

Key findings:
    Port 22: SSH (OpenSSH 8.9p1)
    Port 80: HTTP (Apache 2.4.52)
    Port 161: SNMP (UDP)

Web Enumeration
The main website at port 80 appeared to be a basic company page. Technology profiling suggested WordPress, but further investigation proved otherwise.

Crawling & Fuzzing
Attempted various enumeration techniques:
    Directory fuzzing with ffuf
    Vhost enumeration
    Content crawling with ReconSpider
All paths led nowhere, suggesting the need to pivot to other services.


TryHackMe - 0Day

Box Overview
0Day is a medium-rated TryHackMe box with the description:
    “Exploit Ubuntu, like a Turtle in a Hurricane”
This writeup covers exploiting the Shellshock vulnerability (CVE-2014-6271) for initial access and leveraging an overlayfs kernel exploit for privilege escalation.

Enumeration
Nmap Scan
Initial port scan reveals two open services:
    nmap -sC -sV -oA nmap/initial [TARGET_IP]

Results:
    Port 22: SSH (OpenSSH)
    Port 80: HTTP (Apache httpd 2.4.7 Ubuntu)

Web Enumeration
The website displays a single static page with no immediately useful information.
