May 31, 2025

Hawat Proving Grounds Write-Up

Proving Grounds Hawat machine walkthrough

SUMMARY

This write-up covers the Hawat machine from OffSec’s Proving Grounds, a Linux machine that requires careful enumeration across three HTTP services running on different ports.

Port 17445 hosted an Issue Tracker login panel. Port 30455 initially appeared empty, but directory fuzzing with an alternative wordlist revealed a phpinfo.php that exposed the web server’s document root (the path later used as the web root for the webshell). Port 50080 hosted a site with a /cloud directory running Nextcloud, accessible with default credentials (admin:admin). A ZIP archive found inside Nextcloud contained the Issue Tracker’s source code. Reading the Java source revealed a POST endpoint with a SQL injection vulnerability in the priority parameter.

Using the SQL injection with a UNION SELECT ... INTO OUTFILE payload, a PHP webshell was written to the web root path discovered via phpinfo. This only works because the database user holds the FILE privilege, secure_file_priv does not block that directory, and the database process can write into the web root; INTO OUTFILE also refuses to overwrite an existing file, so each attempt needs a fresh file name. Loading the webshell URL confirmed command execution as root, meaning the web server itself runs as root and no separate privilege escalation step was needed. A reverse shell completed the machine.


PATH TO FOLLOW

  1. Reconnaissance & Multi-Port HTTP Enumeration
  2. phpinfo.php Discovery → Web Root Path Leak
  3. Nextcloud Default Credential Login → Issue Tracker ZIP Download
  4. Source Code Review → SQL Injection Endpoint Discovery
  5. SQLi UNION SELECT INTO OUTFILE → PHP Webshell Write
  6. Webshell Access → Shell as Root

Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.