April 1, 2025

Marketing Proving Grounds Write-Up

Proving Grounds Marketing machine walkthrough

SUMMARY

This write-up covers the Marketing machine from OffSec’s Proving Grounds, a Linux machine with multi-step lateral movement before privilege escalation.

Port 80 hosted a marketing site. A /old directory was found via fuzzing; its page source contained a subdomain that was added to /etc/hosts. The subdomain ran LimeSurvey 5.3, accessible with default credentials (admin:password). A malicious plugin ZIP was crafted and uploaded through the admin panel, delivering a reverse shell as www-data. A LimeSurvey config file contained cleartext credentials reused for user t.miller.

t.miller could run a diff script as m.sander via sudo, but direct file reads were blocked. Enumerating group memberships revealed access to mlocate.db, which was transferred locally and searched with strings to find a hidden credentials file path in m.sander’s home. Symbolic links were used to feed the file path to the diff script, leaking the credentials. SSH as m.sander confirmed a sudo ALL rule, providing a root shell.


PATH TO FOLLOW

  1. Subdomain Discovery via Page Source → LimeSurvey Login with Default Credentials
  2. Malicious Plugin Upload → Reverse Shell as www-data
  3. Config Credential Extraction → Pivot to t.miller
  4. mlocate.db Enumeration → Hidden Credential File Path Discovery
  5. Symbolic Link Trick → Diff Script Leaks m.sander Credentials
  6. Sudo ALL → Shell as Root

Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.
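Step 5 works because the diff script accepted a symbolic link in place of a path it would have refused outright. As an added example, not code from the lab or from OffSec, this is the check a sudo-invoked diff helper can apply to close that hole: resolve the argument, keep it under an allowed directory, and open it with O_NOFOLLOW so a link is never followed. `open_checked`, `safe_diff`, `is_rejected` and `build_scenario` are hypothetical names, and the directory layout is constructed for the demo (POSIX only).

```python
import difflib
import os
import pathlib
import stat
import tempfile

def open_checked(path, allowed_dir):
    """Open path read-only only if it is a regular file inside allowed_dir."""
    allowed_root = os.path.realpath(allowed_dir)
    # realpath + commonpath rejects '..' and symlinked parent directories.
    resolved = os.path.realpath(path)
    if os.path.commonpath([allowed_root, resolved]) != allowed_root:
        raise PermissionError(f"{path}: resolves outside {allowed_root}")
    # O_NOFOLLOW makes the kernel refuse a symlink in the final component,
    # so there is no check-then-open window for a link to be swapped in.
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as exc:
        raise PermissionError(f"{path}: {exc.strerror}") from None
    if not stat.S_ISREG(os.fstat(fd).st_mode):
        os.close(fd)
        raise PermissionError(f"{path}: not a regular file")
    return os.fdopen(fd, encoding="utf-8", errors="replace")

def safe_diff(left, right, allowed_dir):
    """Unified diff of two files that both pass open_checked."""
    with open_checked(left, allowed_dir) as fa, open_checked(right, allowed_dir) as fb:
        lines = list(difflib.unified_diff(fa.readlines(), fb.readlines(),
                                          fromfile=left, tofile=right))
    return "".join(lines)

def is_rejected(path, allowed_dir):
    try:
        open_checked(path, allowed_dir).close()
    except PermissionError:
        return True
    return False

def build_scenario():
    """Constructed layout (not from the lab): two allowed files, one secret outside, two symlinks."""
    root = pathlib.Path(tempfile.mkdtemp())
    allowed = root / "allowed"
    allowed.mkdir()
    (allowed / "a.txt").write_text("old line\n")
    (allowed / "b.txt").write_text("new line\n")
    (root / "secret.txt").write_text("placeholder, not a real credential\n")
    (allowed / "link_out").symlink_to(root / "secret.txt")  # the trick from step 5
    (allowed / "link_in").symlink_to(allowed / "b.txt")     # link even to an allowed file
    names = ("a.txt", "b.txt", "link_out", "link_in")
    return {"allowed": str(allowed), **{n: str(allowed / n) for n in names}}
```

The same rule applies to any sudo entry that lets a user pass file arguments: validate what the path resolves to at open time, not the string the caller typed.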