May 21, 2025

BullyBox Proving Grounds Write-Up

Proving Grounds BullyBox machine walkthrough

SUMMARY

This write-up covers the BullyBox machine from Offsec’s Proving Grounds, a Linux machine where a git repository leak enabled admin access to a billing panel vulnerable to RCE.

A hostname redirect pointed to bullybox.local. Port 80 hosted a BoxBilling 4.22 instance. Directory fuzzing found a /.git directory returning 403, but git-dumper successfully extracted the contents. A configuration file inside contained cleartext credentials. These were used to authenticate to the BoxBilling admin panel at /bb-admin.
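The 403 on the bare /.git/ directory is misleading: directory listing is denied, but the individual files a dumper needs (HEAD, config, objects) are still served, which is exactly what git-dumper relies on. The following is an added defender-side example, not part of the original write-up, that scans combined-format web access logs for that pattern. The log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of combined-format access log lines (not from the box itself).
SAMPLE_LOG = """\
10.0.0.5 - - [21/May/2025:10:01:02 +0000] "GET /.git/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
10.0.0.5 - - [21/May/2025:10:01:03 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.31"
10.0.0.5 - - [21/May/2025:10:01:03 +0000] "GET /.git/config HTTP/1.1" 200 310 "-" "python-requests/2.31"
10.0.0.5 - - [21/May/2025:10:01:04 +0000] "GET /.git/objects/ab/cdef0123 HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.9 - - [21/May/2025:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [21/May/2025:10:02:05 +0000] "GET /.git/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

# Client IP, request line and status code from Apache/nginx combined format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def find_git_leaks(log_text, min_hits=2):
    """Return {client_ip: [paths]} for clients that were successfully served
    at least min_hits files below /.git/.

    A 403 on the bare directory followed by 2xx responses on HEAD, config or
    objects/* means the repository is dumpable even though listing is denied.
    Clients that only ever received the 403 (like 10.0.0.9 above) are ignored.
    """
    served = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0]
        inside_git = "/.git/" in path and path.rstrip("/") != "/.git"
        if inside_git and m.group("status").startswith("2"):
            served[m.group("ip")].append(path)
    return {ip: paths for ip, paths in served.items() if len(paths) >= min_hits}


if __name__ == "__main__":
    for ip, paths in find_git_leaks(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} .git files served, e.g. {paths[0]}")
```

Any hit from this check means the fix is to deny the whole /.git path (or not deploy the repository metadata at all), not just the directory index.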

A public exploit for authenticated BoxBilling RCE was identified. The exploit was intercepted with Burp Suite to adjust the request and successfully upload a PHP webshell. Accessing the file via the URL confirmed code execution as yuki, and a reverse shell followed. sudo -l revealed yuki could run any command as root without a password, providing an immediate root shell.


PATH TO FOLLOW

  1. Hostname Discovery & BoxBilling Panel Access
  2. /.git Directory Dump via git-dumper → Cleartext Credential Extraction
  3. Admin Panel Login & BoxBilling RCE Exploit (Burp Suite Intercept)
  4. PHP Webshell Upload → Reverse Shell as yuki
  5. Sudo ALL Abuse → Shell as Root

Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.