Latest Write-ups

Proving Grounds - Cockpit

Box Overview

Cockpit is a Linux machine from Offensive Security’s Proving Grounds that demonstrates web enumeration, SSH key injection via a web management interface, and sudo privilege escalation through tar wildcard exploitation.

Enumeration

Nmap Scan

    sudo nmap -sS -sC -A 192.168.227.10 -T4 -oN first.scan -p-

Open Ports:

22/tcp - SSH (OpenSSH 8.2p1 Ubuntu)
80/tcp - HTTP (Apache 2.4.41)
9090/tcp - SSL/zeus-admin (Web management interface)

Web Enumeration

Port 80 - Apache

Initial inspection revealed a static template website with no obvious vulnerabilities.


Proving Grounds - Press

Box Overview

Press is a Linux machine from Offensive Security’s Proving Grounds featuring exploitation of FlatPress CMS and privilege escalation through apt-get sudo misconfiguration.

Enumeration

Nmap Scan

    sudo nmap -sS -sC -A 192.168.227.29 -T4 -oN first.scan -p-

Open Ports:

22/tcp - SSH (OpenSSH 8.4p1 Debian)
80/tcp - HTTP (Apache 2.4.56) - “Lugx Gaming Shop HTML5 Template”
8089/tcp - HTTP (Apache 2.4.56) - FlatPress fp-1.2.1 ✅

Service Identification

Port 8089 is running FlatPress - a flat-file blogging engine (no database required).


Proving Grounds - Hub

Box Overview

Hub is a Linux machine from Offensive Security’s Proving Grounds featuring FuguHub - a web-based file server with an unauthenticated remote code execution vulnerability. This box demonstrates the importance of patching known CVEs and proper authentication mechanisms.

Enumeration

Nmap Scan

    sudo nmap -sS -sC -A 192.168.229.25 -T4 -oN first.scan

Open Ports:

22/tcp - SSH (OpenSSH 8.4p1 Debian)
80/tcp - HTTP (nginx 1.18.0) - 403 Forbidden
8082/tcp - HTTP (Barracuda Embedded Web Server) - FuguHub
9999/tcp - HTTPS (Barracuda Embedded Web Server) - FuguHub SSL

Service Analysis

Port 8082 - FuguHub

Interesting findings:


Proving Grounds - Jacko

Box Overview

Jacko is a Windows machine from Offensive Security’s Proving Grounds demonstrating H2 Database exploitation for remote code execution and privilege escalation via SeImpersonate token abuse.

Difficulty: Intermediate (though arguably easier)

Enumeration

Nmap Scan

    sudo nmap -sS -sC -A [TARGET_IP] -T4 -oN first.scan -p-

Key ports identified:

Port 8082 - H2 Database Console (web interface)
Port 22 - SSH
Additional Windows services

H2 Database Console - Port 8082

Accessing http://[TARGET_IP]:8082 reveals the H2 Database Console - a web-based SQL interface.


Proving Grounds - Access

Box Overview

Access is a Windows Active Directory machine from Offensive Security’s Proving Grounds featuring file upload bypass, Kerberoasting attacks, and privilege escalation via SeManageVolumePrivilege exploitation.

Domain: access.offsec

Enumeration

Nmap Scan

    sudo nmap -sS -sC -A 192.168.229.187 -T4 -oN first.scan -p-

Open Ports:

53/tcp - DNS
80/tcp - HTTP (Apache 2.4.48 - XAMPP)
88/tcp - Kerberos
135/tcp - MSRPC
139/445/tcp - SMB
389/636/tcp - LDAP
5985/tcp - WinRM
9389/tcp - .


Proving Grounds - Boolean

Box Overview

Boolean is a Linux machine from Offensive Security’s Proving Grounds featuring parameter tampering for authentication bypass, local file inclusion, SSH key injection, and lateral movement to root via stored SSH keys.

Enumeration

Nmap Scan

    nmap -sS -sC -A -T4 -oN first.scan -p- 192.168.229.231

Open Ports:

22/tcp - SSH (OpenSSH 7.9p1 Debian)
80/tcp - HTTP (Custom web application - “Boolean”)
3000/tcp - Closed (ppp)
33017/tcp - HTTP (Apache 2.4.38 - “Development”)

Web Enumeration

Port 80 - Boolean Application

Main application redirects to /login page.


Proving Grounds - Squid

Box Overview

Squid is a Windows machine from Offensive Security’s Proving Grounds featuring Squid proxy enumeration, PHPMyAdmin exploitation, and privilege escalation through SeImpersonate token abuse using FullPowers and PrintSpoofer.

Enumeration

Nmap Scan

    sudo nmap -sS -sC -A 192.168.229.189 -T4 -oN first.scan -p-

Open Ports:

135/tcp - Microsoft Windows RPC
139/tcp - NetBIOS-SSN
445/tcp - SMB
3128/tcp - Squid HTTP Proxy 4.14 ✅
49666-49667/tcp - Microsoft Windows RPC

Squid Proxy Enumeration

Port 3128 is running Squid Proxy - a caching and forwarding HTTP proxy.
