Machine Writeup Index
Below is a summary of the OSCP-style machines I solved on Proving Grounds Practice and Hack The Box. Each writeup follows a practical exploitation chain from initial foothold to privilege escalation, focusing on:
Real-world misconfigurations
Manual enumeration techniques
Exploit methodology with minimal tooling
Privilege escalation paths mapped to OSCP exam patterns
I hope these writeups help you as much as writing them helped me. Click on any machine to jump to its detailed writeup!
PG - Practice
Privilege Escalation using AlwaysInstallElevated
Privilege Escalation using RunAs
Owned DC using a Resource-Based Constrained Delegation technique
Owned DC using Misconfigured Certificate Templates - ESC1
Elevated privileges using a DLL hijacking attack
Owning a DC machine with a misconfiguration in the LAPS service
Privilege escalation using Kernel level exploit
Leveraged SeManageVolumePrivilege and a DLL hijacking permission to escalate privileges
Use a public Buffer Overflow exploit to gain elevated privileges
Got elevated shell using a publicly available exploit
This machine focused on enumerating an unknown port and identifying the service running on it.
Root Access via CVE-2014-5301 and Default Admin Credentials
Privilege Escalation via Scheduled Task Privilege Recovery + SeImpersonatePrivilege Abuse (PrintSpoofer)
Auto-parsed spreadsheets on the mail server + LibreOffice macros injection
Think like a red teamer, not a CTF player. 🕵️♂️
Misconfiguration in the ClamAV milter process leading to RCE
sudo gcore to dump root process memory
Use sudo su with full sudo rights
Privilege Escalation via writable /etc/passwd
Remote Code Execution via OpenSMTPD 2.0.0 Command Injection
SUID misconfiguration in the find binary led to privesc
Privilege Escalation by injecting a reverse shell into a writable systemd service and rebooting via sudo
SQLi to webShell and use wget to escalate privs
Privilege escalation achieved via SUID misconfiguration in PHP binary
Privilege Escalation via Image Upload - DjVu RCE (CVE-2021-22204)
Privilege Escalation via disk group → Access to /dev/sda using debugfs
unauthenticated RCE as root via Redis
Privilege Escalation via Python Binary with cap_setuid
Leveraged CVE-2021-3129 via log poisoning
Hack The Box
Got root using MS10-015 kernel exploit after failing all Potato/UAC bypass attempts.
Direct NT\SYSTEM shell using EternalBlue (MS17-010) on unpatched XP
Exploited JuicyPotato with known CLSID to run nc64.exe as SYSTEM
Uploaded MS10-059 binary via certutil and executed it to escalate to SYSTEM using an unpatched tracing service vulnerability.
Gained DCSync rights by resetting the password of an owned user (kyle) via svc-alfresco, then dumped Administrator's hash using secretsdump.
Abused ADIDNS to poison internal web probes, captured NTLM hash, escalated to Domain Admin via gMSA abuse and forged Silver Ticket.
Leveraged gMSA misconfiguration of a user to forge a Silver Ticket to become a Domain Admin.
Explicit Privilege Escalation path via BloodHound and DCSync
Abused WSL as root user to get reverse shell, then looted .bash_history for admin SMB credentials and used psexec to get SYSTEM shell.