Extplorer Proving Grounds Write-Up
SUMMARY
This write-up covers the Extplorer machine from OffSec’s Proving Grounds, a Linux machine where a file manager with default credentials provided direct access to the web root.
Port 80 redirected to a database configuration page. Directory fuzzing revealed a /filemanager endpoint running eXtplorer, accessible with default credentials (admin:admin). The interface exposed all web files and included an upload feature. A PHP webshell was uploaded to the web root and used to execute commands as www-data, followed by a BusyBox reverse shell. Post-exploitation grep of web files for user dora returned a hash, which was cracked with john to obtain cleartext credentials. Switching to dora revealed the user flag.
Privilege escalation exploited dora’s membership in the disk group. Using df -h to identify the disk device and debugfs to open it as a raw block device, the /etc/shadow file was read directly. Root’s hash was cracked with hashcat, yielding the root password for a full shell as root.
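For defenders, the disk-group finding above can be turned into an audit check. The following is an added example, not part of the original write-up: it lists every non-root account that holds the disk group, whether as a supplementary or a primary group. The function name and the sample file contents are constructed for illustration.

```python
"""Audit sketch: report accounts that hold the `disk` group."""

RAW_DISK_GROUPS = {"disk"}  # the group named in the write-up

# Constructed sample data in /etc/group and /etc/passwd format.
SAMPLE_GROUP = """\
root:x:0:
disk:x:6:dora
www-data:x:33:
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
dora:x:1000:1000::/home/dora:/bin/bash
imager:x:1001:6::/home/imager:/bin/bash
"""


def disk_group_members(group_text, passwd_text, groups=RAW_DISK_GROUPS):
    """Return {account: 'supplementary' | 'primary'} for non-root accounts."""
    findings, gids, uid_zero = {}, set(), set()
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4 or fields[0] not in groups:
            continue
        gids.add(fields[2])
        # Supplementary members are comma-separated in the fourth field.
        for user in filter(None, fields[3].split(",")):
            findings[user] = "supplementary"
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7:
            continue
        name, uid, gid = fields[0], fields[2], fields[3]
        if uid == "0":
            uid_zero.add(name)
        # Primary-group membership never shows up in /etc/group.
        if gid in gids:
            findings.setdefault(name, "primary")
    # UID 0 accounts already have raw device access; do not report them.
    return {u: how for u, how in findings.items() if u not in uid_zero}


if __name__ == "__main__":
    for user, how in disk_group_members(SAMPLE_GROUP, SAMPLE_PASSWD).items():
        print(f"{user}: member of disk group ({how})")
```

On a real host, pass the contents of /etc/group and /etc/passwd instead of the samples; any account reported should be treated as root-equivalent for file reads.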
PATH TO FOLLOW
- Reconnaissance & eXtplorer File Manager Discovery
- Default Credential Login & PHP Webshell Upload
- Reverse Shell as www-data
- Hash Extraction from Web Files & Crack for dora
- Disk Group Privilege Identification
- debugfs Shadow File Read & Root Hash Cracking
- Shell as Root
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.