Completed Linux Boxes
Offsec PG
| Box | Methods | Description | Links | |
|---|---|---|---|---|
| ClamAV | Searchsploit ClamAV | ClamAV-milter sendmail exploit, perl version allowed for opening a port with root shell to nc connect to. | https://www.trenchesofit.com/2020/12/01/offensive-security-proving-grounds-clamav-write-up-no-metasploit/ | |
| Pebbles | SQLi (DO NOT USE METHOD) | SQLi vulnerability in ZoneMinder software, running SQLMap (do not use on exam) with os-shell allows us to trigger a revshell. | https://medium.com/offensive-security-walk-throughs/oscp-proving-grounds-walkthrough-pebbels-4598805db790 | |
| Payday | Searchsploit CSCart, Further googling on exploit for better explanation | Lesson in version identification, basic privesc with patrick:patrick weak password, patrick has sudo access to all for privesc to root. | https://medium.com/@vivek-kumar/offensive-security-proving-grounds-walk-through-payday-639f5128b0ca | |
| Nibbles | Gobuster, Postgresql, SUID binary exploit (find) | Postgres weak credential access (via psql), enumeration reveals find binary with SUID bit set to root | https://pentesting.zeyu2001.com/proving-grounds/get-to-work/nibbles | |
| ZenPhoto | Page Source, ZenPhoto CVE, php exploit, Kernel exploit | Searchsploit vuln via php for initial access, lse reveals old kernel exploitable with dirty.c to root | https://www.trenchesofit.com/2021/03/15/offensive-security-proving-grounds-zenphoto-write-up-no-metasploit/ https://github.com/Bsal13/Offensive-Security-Proving-Grounds-Boxes/blob/main/ZenPhoto%20(Intermediate)%20Linux%20Box.md | |
| Clue | FFUF, Searchsploit Cassandra, curl, FreeSWITCH Searchsploit Privilege Escalation, sudoers custom binary exploit | Initial access using 2 different exploits + curl, followed by privesc by creating a database instance via a sudo binary, then using curl to retrieve private ssh keys (curl is so useful for any tweaking) | https://medium.com/@manhon.keung/proving-grounds-practice-linux-box-clue-c5d3a3b825d2 | |
| Postfish | SMTP user enum, usernamer for naming convention modification, cewl for custom password list generation, phishing, mail sudoers exploit (also binary wildcard exploit) | Difficult SMTP exploit involving a lot of enumeration steps, notes taken. PKExec SUID allowed for PwnKit to be used for root access | https://viperone.gitbook.io/pentest-everything/writeups/pg-practice/linux/postfish | |
| Hawat | dirbusting, file credentials, SQLi (code analysis), GET/POST manipulation, SQLi reverse shell, file upload reverse shell exploit | Oh yeah so easy not like it's the hardest one to do here or anything, fucks sake. SQLi vuln requiring enum of all web faces and some magic encoding from fucking gandalf idk | https://medium.com/@bdsalazar/proving-grounds-hawat-easy-linux-box-walkthrough-a-journey-to-offensive-security-cc24110b246f | |
| PC | Chisel port forwarding, process enumeration (winpeas), process exploit from googling | Privesc using an edited exploitdb exploit | https://medium.com/@0xrave/pc-proving-grounds-practice-walkthrough-7619983c7d63 | |
| Sybaris | FTP Bruteforcing (Hydra), Redis module.so exploit, Kernel privesc | Interesting redis exploits, walkthroughs made it clear these exploits can be deconstructed if you understand the underlying technology. LD_PRELOAD privesc at the end. | https://medium.com/@vivek-kumar/offensive-security-proving-grounds-walk-through-sybaris-491b23545014 | |
| Peppo | ident enumeration, user and cred reuse, restricted shell escape, docker binary exploit (tweaked off of GTFOBins command) | Simple SSH access, followed by rbash shell breakout and privesc via docker GTFOBins command | https://viperone.gitbook.io/pentest-everything/writeups/pg-practice/linux/peppo | |
| Hunit | Page source link, API enumeration, git enumeration, scp, git push exploit | Possibly broken? Git misconfiguration abuse did not work. Double checked using an sh and /bin/sh payload. Also checked pspy and no cron job was ever running?? | https://medium.com/@bdsalazar/proving-grounds-hunit-intermediate-linux-box-walkthrough-a-journey-to-offensive-security-36081fc196d | |
| Readys | wpscan, LFI known vulnerability, file enumeration, redis-rogue-server, php shell, file write to LFI exploit, tar wildcard exploit | Wpscan reveals vulnerable plugin, finicky privilege escalation using PHP file execution exploit. Lesson in researching service filepaths when working with any kind of LFI vuln | https://medium.com/@C4berowl/readys-write-up-proving-grounds-e066074eed | |
| Marketing | No walkthroughs available | Easy enough initial access, nightmarish privesc with a lot of false positives. Checking mlocate with a custom grep command then using a custom binary gets us root. | No walkthroughs available | |
| Wombo | Searchsploit NodeBB exploit, Redis-cli, Redis | Piss easy Redis 5.0 exploit following anonymous access. Straight to root. | https://medium.com/@msegmgamal45/wombo-proving-grounds-offsec-806d32d65274 | |
| Flu | Known exploit on Confluence, cron privesc | Read the permissions and owners dummy! Anyway got the initial access then pissed away hours on a wildcard exploit that wouldn’t work when I could’ve just overwritten the file idiot idiot | https://medium.com/@0xrave/ctf-200-08-offsec-proving-grounds-practice-labor-day-ctf-machine-walkthrough-bee721403cd4 | |
| Mzeeav | Code analysis, BurpSuite file upload restriction bypass vulnerability, binary --version identification, GTFOBins exploitation | Technically I rooted this but I think proof is actually missing. Code analysis was the key to bypassing the AV and getting initial access. Thorough enum of the binary to privesc. | https://medium.com/@0xrave/ctf-200-02-offsec-proving-grounds-practice-labor-day-ctf-machine-walkthrough-78a5497ce589 | |
| LaVita | No walkthroughs available | Debugging mode on dashboard console + CVE led to exploit, lesson in tracing steps to avoid messing up the report, privesc using sudoers access on composer binary | No walkthroughs available | |
| Zipper | Path traversal, web vulnerability, extension validation, file checks and file name sanitization code analysis, zip slip, BurpSuite exploit crafting, cron process argument exposure | LFI/ZipSlip vuln followed by a cron vuln that was right under my nose, make sure to check pspy for password fields next time | https://medium.com/@huwanyu94/proving-grounds-practice-zipper-walkthrough-6567efee48bf | |
| Ochima | Maltrail known exploit, cron permission misconfiguration | Vulnerable service initial exploit, root-run CRON job overwrite vulnerability led to root revshell, specifically a busybox command with no bash shebang (interesting) | https://medium.com/@0xrave/ctf-200-01-offsec-proving-grounds-practice-labor-day-ctf-machine-walkthrough-702633e20940 | |
| Fired | No walkthroughs available | Fairly easy OpenFire exploit. Privesc is a lesson in file enumeration | No walkthroughs available | |
| Scrutiny | TeamCity known exploit, mail enumeration, hidden file enumeration, systemctl GTFOBins binary exploitation | Initial access by an exploit on a service on a subdomain, followed by multiple credential reuse exploits and a cron job privesc to root | https://hackerunder.dev/proving-grounds-scrutiny-writeup/ | |
| Vmdak | SQLi known exploit, mysql enumeration, Chisel port forwarding, Jenkins file read, Jenkins code execution | Initial access using sqli, a lesson in looking at exactly what’s new that you have access to, in this case mysql and jenkins, testing jenkins led to root | https://medium.com/@basha5969/vmdak-proving-grounds-9c8a2bc4960a | |
| Mantis | Github software file analysis, Rogue MySQL LFI, MySQL enumeration, cron process argument exposure | Absolute bastard of a machine. Check github admin folder for password reset page (config, admin, etc), check the filepaths shown for a config file, find the mantis arbitrary file read vuln (googling) then use the roguesql exploit along with the config filepath to get a mysql password leading to a hash that can be used to log in to mantis. Use the code exec vuln on the dashboard (again googling mantis exploits). Run pspy for twice the length of the cron for access to a user with sudoers /all access. | https://rouvin.gitbook.io/ibreakstuff/writeups/proving-grounds-practice/linux/mantis | |
| WallpaperHub | Path traversal vulnerability followed by a sudoers+path traversal privilege escalation | |||
| Zab | Zabbix custom service enumeration, SSH remote port forwarding, MySQL enumeration, Zabbix custom reverse shell exploitation, rsync sudo access GTFOBins privesc | Initial access was fairly easy, port forward + shell exploit from writeup (learned to look up software name + writeup) gets us privesc, sudo priv on binary exploit to root | https://medium.com/@gayemans1003/offsec-proving-grounds-zab-walkthrough-4092a2c8c904 | |
| SpiderSociety | Exploit using credential reuse on HTTP & FTP. Root achieved via permission misconfiguration in a .service file. | |||
| Groove | SSH, Hash Cracking, Hashcat, Web | Finicky hash cracking, was a funny form of SHA-256 and using 1400 code led to it appending '2' on to the end of the cracked hash. | ||
| Flow | SSH, file read web vuln, custom binary sudoers exploit | |||
| Fail | ||||
| XposedAPI | ||||
| Carryover | ||||
| Crane | Web CVE, service utility sudoers misconfiguration | Couldn't actually finish as the box is broken, regardless I | https://motasemhamdan.medium.com/offsec-proving-grounds-crane-walkthrough-oscp-prep-8e7185d38bd7 | |
| MiddlewareBypass | Web CVE, Burpsuite | Simple, well known CVE in next.js. Good to practice some basic HTTP header manipulation. Practice reading the output more carefully when we don't have a web render too. | https://jfrog.com/blog/cve-2025-29927-next-js-authorization-bypass/ | |
| Rayeih | ||||
| Access | ||||
| Hokkaido | ||||
| Flimsy | Web CVE, APT privilege escalation | | https://www.hackingarticles.in/linux-for-pentester-apt-privilege-escalation/ | |
| PyLoader | Unauthenticated web CVE | World's easiest box | ||
| Fail | rsync ssh authorized key exploit, fail2ban cronjob and group access exploit | | https://juggernaut-sec.com/fail2ban-lpe/ | |
| Twiggy | ZeroMQ ZMTP Web CVE | Slight optimization to a web CVE. Took 30 mins | ||
| Sumo | Thorough dirbusting, shellshock vulnerability | Didn't get root but looks like a box issue as walkthrough runs through the same process as I did. Maybe try a different version of dirty.c if there's time? | https://medium.com/@sudonoodle/sumo-vulnhub-walkthrough-51298fb67da4 | |
| Y0usef | Misconfigured IP-Based Vuln Restriction, kernel | A lesson in dirbusting and web vulns | https://ferhatm.medium.com/y0usef-vulnhub-walkthrough-42e0b6b04f19 | |
| Sorcerer | scp, man | scp, man | https://medium.com/@Dpsypher/proving-grounds-practice-sorcerer-4967bc2927dd | |