Codo Proving Grounds Write-Up
SUMMARY
This write-up covers the Codo machine from OffSec’s Proving Grounds, a Linux machine where default credentials on a forum application led to code execution.
Port 80 hosted Codoforum. Directory enumeration revealed an /admin panel accessible with default credentials (admin:admin). The installed version was known to be vulnerable to RCE via PHP file upload. The admin interface allowed editing permitted file types, so PHP was added to the allowlist. A PHP webshell was uploaded and accessed through the upload URL, achieving command execution as www-data. A reverse shell followed.
Privilege escalation came from a config.php file in the web root, which contained database credentials in cleartext. The same password was reused for the system root account, granting direct su access as root.
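The upload allowlist change described in the summary is something a defender can audit for and enforce against. The following is an added example, not code from this write-up or from Codoforum; it assumes the permitted file types are stored as a comma-separated string, and the function names and sample values are constructed for illustration.

```python
# Added defensive example; not Codoforum's code.
# Assumption: permitted upload types are kept as a comma-separated string.

# Extensions commonly mapped to the PHP handler in web server configs.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}
# Per-directory files that can change how the server treats uploads.
CONFIG_NAMES = {".htaccess", ".user.ini"}


def parse_allowlist(raw):
    """Normalise 'JPG, .png ,PHP' into {'jpg', 'png', 'php'}."""
    return {e.strip().lower().lstrip(".") for e in raw.split(",") if e.strip()}


def risky_allowlist_entries(raw):
    """Return allowlist entries that would let an upload run as server-side code."""
    return sorted(parse_allowlist(raw) & EXECUTABLE_EXTS)


def upload_is_safe(filename, raw_allowlist):
    """Accept a name only if its final extension is allowed and no extension in
    the name is executable. Executable entries are ignored even if an admin
    added them, so an allowlist edit alone cannot enable code execution."""
    name = filename.strip().lower().rstrip(". ")
    if not name or name in CONFIG_NAMES:
        return False
    if any(c in name for c in ("/", "\\", "\x00")):
        return False
    parts = name.split(".")
    if len(parts) < 2:
        return False  # no extension at all
    exts = parts[1:]
    allowed = parse_allowlist(raw_allowlist) - EXECUTABLE_EXTS
    # Reject double extensions such as 'x.php.jpg' as well.
    return exts[-1] in allowed and not (set(exts) & EXECUTABLE_EXTS)


if __name__ == "__main__":
    # Constructed sample settings: one clean, one modified as in the summary.
    for setting in ("jpg, png, gif", "jpg, png, gif, php"):
        print(repr(setting), "->", risky_allowlist_entries(setting) or "ok")
    for fname in ("photo.JPG", "x.php", "x.php.jpg", ".htaccess"):
        print(fname, "->", upload_is_safe(fname, "jpg, png, gif, php"))
```

Running `risky_allowlist_entries` on a schedule against the stored setting gives an alert when the allowlist is changed to include an executable type, independent of whether an upload follows.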
PATH TO FOLLOW
- Reconnaissance & Codoforum Discovery on Port 80
- Admin Panel Access with Default Credentials
- PHP Upload Allowlist Modification & Webshell Upload
- Reverse Shell as www-data
- Cleartext Database Password in config.php
- Password Reuse → Shell as Root
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.