Proving Grounds: All 33 Warm-up Machines Pwned

AbhirupKonwar
Jan 23, 2024

1. Lampiao
Foothold: drupal7 RCE exploit
PrivEsc : kernel dirtycow2 exploit
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-lampiao-walkthrough-27fb42b0522d

2. Potato
Foothold: ssh brute force
PrivEsc : sudo -l (command injection via sudo permissions on /bin/nice)
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-potato-walkthrough-9dc22cff2e3d

3. Sumo
Foothold: shellshock CVE-2014-6271 exploit
PrivEsc : kernel dirtycow2 exploit
Writeup: https://systemweakness.com/proving-grounds-sumo-walkthrough-55bd324d5c95

4. Katana
Foothold: Reverse Shell file upload
PrivEsc : linux capabilities (python)
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-katana-walkthrough-f84148c21276

5. Vegeta1
Foothold: MorseDecoding exposed .wav file
PrivEsc : sensitive data in .bash_history
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-vegeta-walkthrough-b28eabc97928

6. InfoSecPrep
Foothold: Exposed SSH private key
PrivEsc : mysql credentials, admin hash cracking
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-infosecprep-walkthrough-596f7e8a19ec

7. CyberSploit1
Foothold: username from page-source, base64 encoded password stored in /robots.txt
PrivEsc: kernel exploit (CVE-2015-1328)
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-cybersploit1-walkthrough-ae11670aede0

8. MoneyBox
Foothold: ssh brute force (username hidden in jpg image, key found in page-source)
Horizontal PrivEsc: SSH access to another user
Vertical PrivEsc: sudo -l (sudo /usr/bin/perl -e 'exec "/bin/sh";')
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-moneybox-walkthrough-c634423451b9

9. Monitoring
Foothold: Nagios XI 5.6.6 — RCE exploit
PrivEsc: RCE Exploit escalates privileges to root
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-monitoring-walkthrough-b2d4b9890033

10. Amaterasu
Foothold: vulnerable /file-upload endpoint (uploaded attacker public SSH key via curl)
PrivEsc: cronjobs + TarWildCardPrivEsc
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-amaterasu-walkthrough-d9a91c87eda6

11. Empire-Breakout
Foothold: Usermin reverse shell upload
i) username: enum4linux -a $IP (smb enumeration)
ii) password: brainfuck decoding
PrivEsc: Linux Capabilities (tar)
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-empire-breakout-walkthrough-0e678eb67276

12. Photographer
Foothold: Koken CMS 0.22.24 — Arbitrary File Upload (Authenticated)
i) Email + Password found in a .txt file on SMB share
ii) /admin endpoint
PrivEsc: php-SUID
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-photographer-walkthrough-4cf64a93c54a

13. Shakabrah
Foothold: Command Injection to RCE — Reverse shell
PrivEsc: vim.basic-SUID
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-shakabrah-walkthrough-fae596b18d73

14. Blogger
Foothold: Reverse Shell file upload
PrivEsc: Easy Password Guessing
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-blogger-walkthrough-b3a9415349d4

15. SunsetDecoy
Foothold: SSH — Credentials found in exposed .zip file
PrivEsc: CVE-2014-0476 (Chkrootkit 0.49 — Local Privilege Escalation)
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-sunsetdecoy-walkthrough-28108bcaecd9

16. DC-1
Foothold: Drupal 7 RCE Exploit
PrivEsc: find-SUID
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-dc-1-walkthrough-133af4b2c6e9

17. DC-2
Foothold: SSH Brute force
PrivEsc: git-SUID
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-dc-2-walkthrough-90fe4c44fa75

18. PyExp
Foothold: Mysql brute force
PrivEsc: sudo -l (sudo /usr/bin/python2 /opt/exp.py) + python code command injection
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-pyexp-walkthrough-ce4a363eaed4

19. SunsetNoontide
Foothold: UnrealIRCd-3.2.8.1 — Backdoor command execution Exploit
PrivEsc: Easy Password Guessing
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-sunsetnoontide-walkthrough-2c3d3a75f7a0

20. DriftingBlues6
Foothold: TextPattern CMS RCE via file upload
PrivEsc: kernel exploit (dirtycow)
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-driftingblues6-walkthrough-69230edc958b

21. BBSCute
Foothold: CuteNews 2.1.2 — Remote Code Execution : CVE-2019-11447
PrivEsc: hping3-SUID
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-bbscute-walkthrough-ce98b1afe98e

22. Ha-Natraj
Foothold: RCE with LFI and SSH Log Poisoning
PrivEsc: sudo -l (/usr/bin/nmap)
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-ha-natraj-walkthrough-128821826348

23. SAR
Foothold: sar2html RCE exploit
PrivEsc: cronjobs
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-sar-walkthrough-38434867111c

24. Inclusiveness
Foothold: LFI to RCE
PrivEsc: binary-SUID (C code binary: vulnerable to PATH variable hijacking)
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-inclusiveness-walkthrough-da62fcd78246

25. Gaara
Foothold: SSH Brute Force
PrivEsc: gdb-SUID
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-gaara-walkthrough-e38094da07fe

26. Solstice
Foothold: RCE with LFI and Log Poisoning
PrivEsc: writable php file running as root on port 57
i) Inject php reverse shell
ii) Render the php endpoint to trigger the reverse shell connection
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-solstice-walkthrough-2c088906ea74

27. Dawn
Foothold: Reverse Shell Injection through SMB
i) Exposed log file analysis: two files are running as root
ii) Writable SMB Share
iii) Inject reverse shell into those files
PrivEsc: mysql-SUID
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-dawn-walkthrough-35662ad55865

28. Seppuku
Foothold: SSH Brute Force
i) Users and Password wordlists found in an exposed directory
ii) Other: exposed SSH private key file of another unlisted user, user1
(1) Horizontal PrivEsc: Plain-text storage of password of another user2
(2) Horizontal PrivEsc: Usage of SSH private key to SSH into user1
(3)Vertical PrivEsc: sudo -l (inject reverse shell in a binary allowed to run as root)
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-seppuku-walkthrough-e33bde86a0af

29. FunboxEasy
Foothold: Reverse Shell File Upload
Horizontal PrivEsc: Plain-text storage of password of user1
i) SSH using those credentials
Vertical PrivEsc: time-SUID
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-funboxeasy-walkthrough-6db0f20e8522

30. OnSystemShellDredd
Foothold: SSH (SSH private keys stored in FTP server with anonymous access)
PrivEsc: cpulimit-SUID
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-onsystemshelldredd-walkthrough-bd2a0e66f26f

31. FunboxRookie
Foothold: SSH (SSH private keys stored in FTP server with anonymous access)
PrivEsc: sudo -l (current user is allowed to run any command with root privileges)
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-funboxrookie-walkthrough-986edc7f5be7

32. FunboxEasyEnum
Foothold: Exposed Shell of another hacker
Horizontal PrivEsc1: Hash stored in /etc/passwd
Horizontal PrivEsc2: Same password as stored in phpmyadmin db password
Vertical PrivEsc: sudo -l (current user is allowed to run any command with root privileges)
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-funboxeasyenum-walkthrough-a7f8359f59e2

33. EvilBox-One
Foothold: SSH
i) LFI — read SSH private key
PrivEsc: writable /etc/passwd file
Writeup: https://medium.com/@abhirupkonwar04/proving-grounds-evilbox-one-walkthrough-b4f96fce14e7

LinkedIn : https://www.linkedin.com/in/abhirup-konwar-a626201a6/
