Pwned1 Medium box on Offensive Security Proving Grounds - OSCP Preparation.

Hello,

We are going to exploit one of the OffSec Proving Grounds Medium machines, called Pwned1. This post is not a fully detailed walkthrough; I will just go through the important points of the exploitation process.

Enumeration:

  • Nmap scan.

  • Reading /robots.txt.

  • We got a list of possible paths on the server at /hidden_text/secret.dic.

  • Running gobuster using that list.

  • Checking the source code of that page:
    • we have a user and password: ftpuser:B0ss_Pr!ncesS
  • Logging in to FTP.

  • Downloading the id_rsa and notes.txt files to our local machine.

  • Getting a shell through SSH.

Privilege Escalation:

  • Enumeration:
    • sudo -l: we can run the /home/messenger.sh script as selena without a password.
    • Reading the /home/messenger.sh file.

  • Getting a shell as the selena user:

    sudo -u selena /home/messenger.sh

  • As you can see in the screenshot above, we are part of the docker group, so let’s exploit that:

    docker run -v /:/mnt -it alpine
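From the defender's side, the chain above (a sudo rule into selena, then selena's docker group membership, which is root-equivalent because members can bind-mount / into a container) can be found by auditing group and sudoers data. The following is an added example, not part of the original post; the file contents, the alice and buildsvc accounts, GID 115 and the simplified sudoers pattern are constructed assumptions.

```python
import re

# Constructed sample data (assumptions, not copied from the target machine).
GROUP = """root:x:0:
docker:x:115:selena
alice:x:1000:
selena:x:1001:
"""
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
selena:x:1001:1001::/home/selena:/bin/bash
buildsvc:x:1002:115::/home/buildsvc:/usr/sbin/nologin
"""
SUDOERS = """# constructed rule mirroring the sudo -l finding above
alice ALL=(selena) NOPASSWD: /home/messenger.sh
%sudo ALL=(ALL:ALL) ALL
"""

# Simplified sudoers grammar: user host=(runas[:group]) [NOPASSWD:] command
RULE = re.compile(
    r"^(\S+)\s+\S+\s*=\s*\(([^):]+)(?::[^)]*)?\)\s*(?:NOPASSWD:)?\s*(.+)$")


def docker_accounts(group_text, passwd_text, group="docker"):
    """Map each account in `group` to how it obtained membership."""
    gid, found = None, {}
    for line in group_text.splitlines():
        f = line.strip().split(":")
        if len(f) >= 4 and f[0] == group:
            gid = f[2]
            for user in filter(None, (u.strip() for u in f[3].split(","))):
                found[user] = "supplementary member"
    for line in passwd_text.splitlines():
        f = line.strip().split(":")
        # A primary GID equal to docker's grants the same access but never
        # appears in the member list of /etc/group.
        if gid is not None and len(f) >= 4 and f[3] == gid:
            found.setdefault(f[0], "primary group")
    return found


def sudo_paths_to_docker(sudoers_text, accounts):
    """List (invoker, run-as, command) rules whose run-as user is in accounts."""
    hits = []
    for line in sudoers_text.splitlines():
        m = RULE.match(line.strip())
        if m and m.group(2).strip() in accounts:
            hits.append((m.group(1), m.group(2).strip(), m.group(3).strip()))
    return hits
```

On a real host, pass in the contents of /etc/group, /etc/passwd and the sudoers files; every account or rule it reports should be treated as holding root.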

Happy Hacking!

This post is licensed under CC BY 4.0 by the author.
