Pwning Photographer!!- OSCP Type Machine Write-up

This is one of the intermediate machine from Offensive Security Proving Grounds!. So let’s dive in as per our goal.


Okay so…


Exporting IP as environment variable and scanned victim’s machine quietly ;-) the results are:

After a shot on port 80, we got:

Same procedure goes with http on port 8000 as shown:

Similarly following the same for Directories as well for port 80,8000.

Found $IP:8000/admin through above results and creds from smb port enumeration, the password as baby####

(I left these symbols to be replaced by your investigation ;-)))

After successful login, import content functionality was allowed, so I uploaded php reverse shell with .jpg entension and intercepted the request with burp and changed the file name back from php-rev-shell.php.jpg back to php-rev-shell.php

After executing the file on the web page, my nc was listening on my machine, and yeah we got a reverse shell

Enumerating the victim’s machine initials:

During reconnaissance, below is the user.txt flag


So after enumerating the target, I checked for SUID binaries and surprisingly found /usr/bin/php7.2

php7.2 was set to suid and we can easily escalate our privileges by using php7.2 like this:

/usr/bin/php7.2 -r "pcntl_exec('/bin/bash', ['-p']);"

Annddd!!! we are root!!!!

That’s all for now!!

Until Next Time,

“Hugs are more powerful than Handshakes”

— — — — — — — — — — — — —

For any suggestions or queries, ping me:



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Neelesh Patel

Neelesh Patel

Cybersecurity | CTFs | Networking |