Vmdak 🔸

Enumeration

FTP allows anonymous access and holds a Jenkins file.

Web server shows a prison management system.

Initial Access

Searching for an exploit for the prison management system, we find an SQL injection.

Inside, there is a user with a password:

malcom:RonnyCache001

And the admin credentials.

Now we can upload a PHP reverse shell through the avatar uploader, bypassing the .jpg extension check with a double extension such as .jpg.php.
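The double-extension bypass works because the uploader only looks for the substring ".jpg" somewhere in the client-supplied name. The following is an added illustration (not code from the box or from this writeup) of that weak check beside a hardened one: the hardened version rejects directory components, allows exactly one extension from a constructed allowlist, verifies the body's magic bytes against that type, and stores the file under a server-chosen name. Sample filenames and bodies are constructed.

```python
import os
import re
import secrets

# Constructed allowlist for this example: extension -> leading magic bytes.
ALLOWED_TYPES = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}

# Constructed sample uploads: (client-supplied filename, first bytes of body).
SAMPLES = [
    ("avatar.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),    # genuine JPEG
    ("avatar.jpg.php", b"<?php echo 1; ?>"),             # double extension
    ("avatar.php", b"<?php echo 1; ?>"),                 # disallowed extension
    ("avatar.jpg", b"<?php echo 1; ?>"),                 # right name, wrong body
    ("../avatar.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),  # directory component
]


def weak_check(filename: str) -> bool:
    """The check that '.jpg.php' slips past: it only asks whether the
    string '.jpg' occurs anywhere in the client-supplied name."""
    return ".jpg" in filename.lower()


def strict_check(filename: str, head: bytes) -> bool:
    """Hardened check: bare name, exactly one allowlisted extension, and
    body bytes that actually match the claimed image type."""
    name = filename.lower()
    if name != os.path.basename(name):
        return False  # reject any path component in the name
    m = re.fullmatch(r"[a-z0-9_-]+\.([a-z0-9]+)", name)
    if m is None:
        return False  # no extension, several extensions, or odd characters
    sig = ALLOWED_TYPES.get(m.group(1))
    return sig is not None and head.startswith(sig)


def stored_name(ext: str) -> str:
    """Never reuse the client's name on disk; pick a random one server-side."""
    return f"{secrets.token_hex(16)}.{ext}"


def evaluate(samples=SAMPLES):
    """Return [(filename, weak_result, strict_result)] for each sample."""
    return [(n, weak_check(n), strict_check(n, h)) for n, h in samples]
```

Of the five constructed samples, the weak check accepts all but "avatar.php", while the strict check accepts only the genuine JPEG.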

Privilege Escalation

We see that there is a user we can pivot to: vmdak.

Let's try malcom's password for vmdak.

Get the flag.

We can connect over SSH as vmdak and stabilize the shell with python to get a fully interactive shell.

The prison management web application contains the SQL credentials:

sqlCr3ds3xp0seD

We have Jenkins at port 8080 and MySQL at 3306.

The MySQL database on port 3306 holds malcom's data.

To reach Jenkins, transfer chisel to the target and set up a port forward.

Jenkins is protected with a password.

Searching for Jenkins exploits, we find an LFI.

Run the script with the path for Jenkins.

Now we can enter.

Create a job that sets the SUID bit on /bin/bash.

Build.

Let's check that the SUID bit is now set on /bin/bash:
Post Exploitation

Get the flag.