
Marketing 🔸

Enumeration

The web server hosts a marketing page.

Using feroxbuster, we find the /old path.

Inside the old index, there is a new link.

Add this hostname to /etc/hosts and access it.

Go to /admin.

Search for default credentials.

Initial Access

We are in.

Use this exploit: https://github.com/Y1LD1R1M-1337/Limesurvey-RCE (recreate the zip after editing the reverse shell).

Privilege Escalation

Limesurvey config files show SQL credentials.

sync.sh

Testing the MySQL password against the t.miller account works.

Get the flag.

As t.miller we can execute /usr/bin/sync.sh.

t.miller is in the staff and mlocate groups.

Transfer the database to Kali and inspect it, searching for the personal folder.

So we have to read creds-for-2022.txt, but if we pass the path to the program it is going to fail because of the...

...part, so we can disguise it with a symbolic link.
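The weakness this step relies on is a script that decides on the literal argument string, so a symbolic link with an innocuous name points it at a file it was meant to refuse. As an added example (not the box's sync.sh, whose contents are not shown here), the function below canonicalises its argument with realpath before deciding, and a naive string-only check is kept beside it for contrast. The allowed root, the file names and the whole setup are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not the original sync.sh. Shows why a path check must
# resolve symbolic links before comparing against an allowed directory.

# naive_path PATH ALLOWED_ROOT
# The weak form: compares only the literal string it was given. A symlink
# placed under ALLOWED_ROOT that points elsewhere passes this check.
naive_path() {
    case "$1" in
        "$2"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# allowed_path PATH ALLOWED_ROOT
# The hardened form: refuses an argument that is itself a symlink, then
# resolves every remaining link component with realpath -e (GNU coreutils)
# and only accepts the canonical result if it lies under ALLOWED_ROOT.
# Returns 0 when accepted, 1 when rejected or when the path does not exist.
allowed_path() {
    arg=$1
    root=$(realpath -e -- "$2") || return 1
    # A symlink at the top level is rejected outright.
    [ -L "$arg" ] && return 1
    # Canonicalise; intermediate directory symlinks are resolved here too.
    real=$(realpath -e -- "$arg") || return 1
    case "$real" in
        "$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone usage: ./check.sh PATH ALLOWED_ROOT
if [ $# -eq 2 ]; then
    if allowed_path "$1" "$2"; then
        echo "allowed: $1"
    else
        echo "rejected: $1"
    fi
fi
```

Run with a real file under the allowed tree and it is accepted; run with a link under that tree that targets a file outside it and the hardened check rejects it while the naive check still lets it through. The rejection in `allowed_path` comes from the canonical path, so renaming the link or nesting it deeper makes no difference.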

Post Exploitation

Get the flag.