Pwning Solstice! — Offensive Security Machine

Neelesh Patel
3 min readNov 6, 2021

This is one of the intermediate machine from Offensive Security Proving Grounds

exported IP as environment variable and scanned for services and findings as

OS: Web-Technology: PHP


21 ftp → NO Anonymous access
2121 ftp → Anonymous access, but nothing interesting!
62524 ftp → Nothing juicer!!
80 http → Manual Inspection (Source Code Analysis)
* version → phpIPAM 1.4
3128 Squid proxy → /-
54787 http → /-
8593 http → Manual Inspection (Source Code Analysis)

I then tried for Local File Inclusion and we got something!!!

Now all i need is also to check the logs also to verify further LFI , I tried connection with nc, don’t worry of 400 Bad Request.

Verified Local File Inclusion Vulnerability):

And with that i used my encoded payload i.e

and now we got a shell

Making the shell more stable and enumerating the machine and found some service running on port 57

During enumeration, file name index.php have SUID permissions, so i edited the file as shown, what is did is , I gave find command super permission which further will gave us root privilege

And with that, we are now root!! with a root flag

That’s all for now!!

Until Next Time,

Stay Calm!

— — — — — — — — — — — -

For any query/issues, feel free to ping me



Neelesh Patel

All I need is just my ten fingers and sometimes {coffee}, to talk to computers.