June 1, 2025

Hetemit Proving Grounds Write-Up

Proving Grounds Hetemit machine walkthrough

SUMMARY

This write-up covers the Hetemit machine from OffSec’s Proving Grounds, a Linux machine where a Python web service endpoint was abused for code injection before exploiting a misconfigured systemd service.

A Werkzeug-based web application exposed a /verify endpoint that evaluated user-supplied Python expressions. Injecting a reverse shell payload through this endpoint executed code as the web service user.

Privilege escalation involved a systemd service whose ExecReload directive pointed to a script writable by the current user. A sudo rule allowed running reboot as root. Writing a reverse shell into the reload script and triggering the service reload via sudo reboot delivered a shell as root.
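From the defender's side, the misconfiguration described above can be found by auditing every unit file's Exec* targets for write access by anyone other than root. The following is an added example, not code from this write-up or from the machine; the `trusted_uids` parameter and the function names are assumptions made for illustration, and the check also covers the unit file itself.

```python
import os
import re
import stat

# Exec* directives whose commands systemd runs on the service's behalf.
EXEC_RE = re.compile(r"^\s*(Exec(?:Start|StartPre|StartPost|Reload|Stop|StopPost|Condition))\s*=\s*(.*)$")
PREFIXES = "-@:+!"  # systemd's special executable prefixes


def exec_targets(unit_text):
    """Yield (directive, executable_path) for every Exec* line in a unit file."""
    for line in unit_text.splitlines():
        m = EXEC_RE.match(line)
        if not m or not m.group(2).strip():
            continue
        argv0 = m.group(2).split()[0].lstrip(PREFIXES)
        if argv0.startswith("/"):
            yield m.group(1), argv0


def is_tamperable(path, trusted_uids=(0,)):
    """True if the file is owned by an untrusted uid or is group/other writable."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return st.st_uid not in trusted_uids or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_unit(unit_path, trusted_uids=(0,)):
    """Return findings for the unit file itself and for each Exec* target."""
    findings = [("unit", unit_path)] if is_tamperable(unit_path, trusted_uids) else []
    try:
        with open(unit_path) as fh:
            text = fh.read()
    except OSError:
        return findings
    for directive, target in exec_targets(text):
        if is_tamperable(target, trusted_uids):
            findings.append((directive, target))
    return findings


if __name__ == "__main__":
    for root, _, files in os.walk("/etc/systemd/system"):
        for name in files:
            if name.endswith(".service"):
                for kind, path in audit_unit(os.path.join(root, name)):
                    print(f"{name}: {kind} -> {path} is modifiable by a non-root user")
```

Any finding means a non-root account can change what systemd runs as the service's user, so the fix is root ownership and mode 0644 (unit) or 0755 (script) on the reported path.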


PATH TO FOLLOW

  1. Reconnaissance & Werkzeug /verify Endpoint Discovery
  2. Python Code Injection → Reverse Shell
  3. Writable systemd Service ExecReload Identification
  4. Reverse Shell Injection into Reload Script
  5. Sudo reboot Trigger → Shell as Root

Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.