Pwning Solstice! — Offensive Security Machine

This is one of the intermediate machines from Offensive Security Proving Grounds.

I exported the IP as an environment variable and scanned for services; the findings were as follows:

OS: Web-Technology: PHP


21 ftp → NO Anonymous access
2121 ftp → Anonymous access, but nothing interesting!
62524 ftp → Nothing juicy!!
80 http → Manual Inspection (Source Code Analysis)
* version → phpIPAM 1.4
3128 Squid proxy → /-
54787 http → /-
8593 http → Manual Inspection (Source Code Analysis)

I then tried for Local File Inclusion and we got something!!!

Now all I need is to check the logs as well, to further verify the LFI. I tried a connection with nc; don't worry about the 400 Bad Request.

Verified the Local File Inclusion vulnerability:

And with that I used my encoded payload, i.e.

And now we got a shell.
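Seen from the defender's side, the steps above (file reads through the inclusion bug, then a raw nc request that is logged despite the 400) leave recognisable lines in the web server's access log. The following is an added example, not part of the original write-up: it assumes the common "combined" access-log format, and the addresses, the `file` parameter and the paths in the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumed format: "combined" access log (the write-up does not name the format).
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(.*?)" (\d{3}) \S+(?: "(.*?)" "(.*?)")?$')
TRAVERSAL = re.compile(r'\.\.[/\\]')
LOG_PATH = re.compile(r'/var/log/|/proc/self/', re.I)
CODE_TAG = re.compile(r'<\?(?:php|=)', re.I)

def decode(s, rounds=3):
    """Undo up to `rounds` layers of URL encoding so %252e%252e%252f is seen as ../"""
    for _ in range(rounds):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s

def classify(line):
    """Return (host, findings) for one access-log line."""
    m = LINE.match(line)
    if not m:
        return None, {"unparsed"}
    host, request, _status, referer, agent = m.groups()
    findings = set()
    req = decode(request)
    if TRAVERSAL.search(req):
        findings.add("traversal")
    if LOG_PATH.search(req):
        findings.add("log-include")
    # A 400 Bad Request is still written to the log, so check every logged field.
    if any(CODE_TAG.search(decode(f or "")) for f in (request, referer, agent)):
        findings.add("code-in-log")
    return host, findings

def poisoning_suspects(lines):
    """Hosts that wrote a PHP tag into the log and also requested a log file."""
    seen = defaultdict(set)
    for line in lines:
        host, findings = classify(line)
        if host:
            seen[host] |= findings
    return sorted(h for h, f in seen.items() if {"code-in-log", "log-include"} <= f)

SAMPLE = [  # constructed lines, not taken from the target machine
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?file=list HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?file=..%2f..%2fetc%2fhostname HTTP/1.1" 200 148 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "<?php /* constructed marker */ ?>" 400 301 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:10:03:00 +0000] "GET /index.php?file=%252e%252e%252fvar%252flog%252fapache2%252faccess.log HTTP/1.1" 200 9000 "-" "curl/8.0"',
]
```

Running `poisoning_suspects(SAMPLE)` reports only the host that both placed a PHP tag in the log and then requested a log file through the parameter.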

I made the shell more stable and enumerated the machine, and found some service running on port 57.

During enumeration, I found that a file named index.php had SUID permissions, so I edited the file as shown. What I did was give the find command super permission, which in turn gave us root privilege.

And with that, we are now root, with the root flag!!

That’s all for now!!

Until Next Time,

Stay Calm!

— — — — — — — — — — — -

For any queries/issues, feel free to ping me.




Cybersecurity | CTFs | Networking |

Neelesh Patel
