June 3, 2025

Hunit Proving Grounds Write-Up

Proving Grounds Hunit machine walkthrough

SUMMARY

This write-up covers the Hunit machine from OffSec’s Proving Grounds, a Linux machine with a git-based privilege escalation chain.

Port 8080 hosted a Tomcat application. Directory fuzzing revealed an /api endpoint that exposed user routes, including a path that returned usernames and cleartext passwords. One of those credentials was used to SSH into the machine as dademola.

Enumeration revealed a cronjob backup referencing a git-server directory and permissions that allowed reading the git user’s home, including their SSH private key. The key was used to clone the git-server repository via GIT_SSH_COMMAND. After configuring git identity, the backup.sh script inside the repository was modified with a reverse shell payload, staged, committed, and pushed back. The cronjob executed the script as root shortly after, completing the machine.
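From the defender's side, the two file-permission weaknesses in this chain (a private key readable by other users, and a root cron job running a script that a non-root account controls) can be audited with a short script. This is an added example, not part of the original write-up. The function names, the `/home` layout and the system-crontab format with a user field are assumptions, and it inspects only ownership and mode bits, not who can push to a repository.

```python
import os
import stat

def loose_private_keys(home_root):
    """Return private-key files under <home_root>/*/.ssh readable by group or other."""
    findings = []
    for user in sorted(os.listdir(home_root)):
        ssh_dir = os.path.join(home_root, user, ".ssh")
        if not os.path.isdir(ssh_dir):
            continue
        for name in sorted(os.listdir(ssh_dir)):
            path = os.path.join(ssh_dir, name)
            if not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                head = fh.read(64)
            is_key = head.startswith(b"-----BEGIN") and b"PRIVATE KEY" in head
            if is_key and os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append(path)
    return findings

def untrusted_root_cron_targets(crontab_text, trusted_uids=(0,)):
    """Return (path, reason) for files a root cron entry runs that non-root can alter."""
    findings = []
    for line in crontab_text.splitlines():
        fields = line.split()
        # System crontab format (assumed): m h dom mon dow user command...
        if line.lstrip().startswith("#") or len(fields) < 7 or fields[5] != "root":
            continue
        for token in fields[6:]:
            if not (token.startswith("/") and os.path.isfile(token)):
                continue
            # Check the script and its directory (higher ancestors are not walked).
            for target in (token, os.path.dirname(token)):
                st = os.stat(target)
                if st.st_uid not in trusted_uids:
                    findings.append((target, "owner uid %d is not trusted" % st.st_uid))
                elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                    findings.append((target, "group/other writable"))
    return findings

if __name__ == "__main__":  # run as root so every key file can be read
    print(loose_private_keys("/home"))
    with open("/etc/crontab") as fh:
        print(untrusted_root_cron_targets(fh.read()))
```

Any finding from the second function means a root-run job depends on a file or directory that root does not exclusively control, which is the condition the cron step of this machine relies on.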


PATH TO FOLLOW

  1. Reconnaissance & API User Endpoint Discovery
  2. Cleartext Password Extraction → SSH as dademola
  3. Cronjob Backup Discovery & git User SSH Key Access
  4. Git Repository Clone via GIT_SSH_COMMAND
  5. backup.sh Reverse Shell Injection → Git Push
  6. Cronjob Execution → Shell as Root

Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.