Pwning Photographer!!- OSCP Type Machine Write-up

This is one of the intermediate machines from Offensive Security Proving Grounds! So let’s dive in as per our goal.


Okay so…


I exported the IP as an environment variable and scanned the victim’s machine quietly ;-) The results are:

After a shot on port 80, we got:

Same procedure goes with http on port 8000 as shown:

Similarly, I followed the same procedure for directories on ports 80 and 8000.

Found $IP:8000/admin through the above results, and creds from SMB port enumeration, with the password as baby####

(I left these symbols to be replaced by your investigation ;-)))

After successful login, the import content functionality was allowed, so I uploaded a PHP reverse shell with a .jpg extension, intercepted the request with Burp, and changed the file name from php-rev-shell.php.jpg back to php-rev-shell.php

After executing the file on the web page while my nc was listening on my machine, yeah, we got a reverse shell.

Enumerating the victim’s machine initials:

During reconnaissance, below is the user.txt flag


So after enumerating the target, I checked for SUID binaries and surprisingly found /usr/bin/php7.2

php7.2 was set to SUID, and we can easily escalate our privileges by using php7.2 like this:

/usr/bin/php7.2 -r "pcntl_exec('/bin/bash', ['-p']);"

Annddd!!! we are root!!!!
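A defender-side check for the misconfiguration used above, as an added example that is not part of the original write-up: it lists set-uid files whose names look like script interpreters, as /usr/bin/php7.2 did here. The function names and the interpreter name patterns are assumptions of this example, and the pattern list is not exhaustive.

```shell
#!/bin/sh
# Added example: audit directory trees for set-uid script interpreters.
# The name patterns are an assumed, non-exhaustive list; extend as needed.

# is_interpreter NAME -> returns 0 if NAME looks like a scripting runtime or shell
is_interpreter() {
    case "$1" in
        php|php[0-9]*|python|python[0-9]*|perl|perl[0-9]*|ruby|ruby[0-9]*) return 0 ;;
        node|nodejs|lua|lua[0-9]*|bash|dash|sh|zsh|ksh) return 0 ;;
        *) return 1 ;;
    esac
}

# find_suid_interpreters DIR... -> prints one matching path per line
find_suid_interpreters() {
    # -perm -4000 selects regular files with the set-uid bit; -xdev stays on one filesystem
    find "$@" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r path; do
        if is_interpreter "$(basename "$path")"; then
            printf '%s\n' "$path"
        fi
    done
}

# audit_suid_interpreters DIR... -> lists offenders with owner and mode,
# returns 1 if any were found so it can gate a hardening check or CI job
audit_suid_interpreters() {
    hits=$(find_suid_interpreters "$@")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | while IFS= read -r path; do
        ls -l "$path"
    done
    return 1
}

# Run the audit only when directories are given on the command line,
# e.g. sh audit.sh /usr/bin /usr/local/bin
if [ "$#" -gt 0 ]; then
    audit_suid_interpreters "$@"
fi
```

Any path it reports should have the bit removed with `chmod u-s` unless there is a documented reason for it.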

That’s all for now!!

Until Next Time,

“Hugs are more powerful than Handshakes”

— — — — — — — — — — — — —

For any suggestions or queries, ping me:




Cybersecurity | CTFs | Networking |

Neelesh Patel
