April 3, 2025

Nukem Proving Grounds Write-Up

Proving Grounds Nukem machine walkthrough

SUMMARY

This write-up covers the Nukem machine from OffSec’s Proving Grounds, a Linux machine that chains a WordPress plugin vulnerability with a creative abuse of a SUID binary.

Port 80 hosted a WordPress site with the Simple File List plugin installed. The plugin allowed unauthenticated PHP file uploads, which was exploited to upload a webshell and obtain a reverse shell as www-data. The database credentials stored in wp-config.php were reused to pivot to the commander user over SSH.

Privilege escalation was achieved through a SUID dosbox binary. Because the binary runs with root privileges, a host directory mounted inside DOSBox can be written as root; this was abused to append a new entry to /etc/sudoers, granting the current user unrestricted sudo access and a root shell.


PATH TO FOLLOW

  1. Reconnaissance & WordPress Simple File List Plugin Discovery
  2. Unauthenticated PHP Upload → Webshell & Reverse Shell as www-data
  3. wp-config.php Credential Extraction → SSH as commander
  4. SUID dosbox Discovery
  5. /etc/sudoers Write via DOSBox → Shell as Root
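Step 4 depends on spotting an unusual SUID binary among the ones every distribution ships. The script below is an added example, not part of this write-up: it enumerates SUID files under a directory tree and reports those whose name is not in a small allowlist of normally-SUID binaries. The allowlist, the sample directory tree built by demo, and the use of POSIX sh are all assumptions for illustration; on a real target you would run the functions against / and check each unexpected hit against a reference such as GTFOBins.

```shell
#!/bin/sh
# Added example: enumerate SUID binaries under a directory tree and report the
# ones that are not in an allowlist of binaries normally SUID on Linux.
# The allowlist is an assumption for this example, not an exhaustive list.

# Print the full path of every regular file with the SUID bit set under $1.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Binaries that are expected to be SUID on most distributions (assumed list).
EXPECTED_SUID="passwd sudo su mount umount chsh chfn gpasswd newgrp"

# Return 0 if the basename of $1 is in the expected list, 1 otherwise.
is_expected() {
    name=$(basename "$1")
    for e in $EXPECTED_SUID; do
        [ "$name" = "$e" ] && return 0
    done
    return 1
}

# Print only the SUID files whose basename is not in the allowlist; these are
# the candidates worth checking against a reference such as GTFOBins.
unexpected_suid() {
    list_suid "$1" | while IFS= read -r f; do
        is_expected "$f" || printf '%s\n' "$f"
    done
}

# Build a constructed sample tree (not a real host) so the example runs
# offline: one expected SUID binary, one unexpected one, one non-SUID file.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin"
    : > "$tmp/usr/bin/passwd"; chmod 4755 "$tmp/usr/bin/passwd"
    : > "$tmp/usr/bin/dosbox"; chmod 4755 "$tmp/usr/bin/dosbox"
    : > "$tmp/usr/bin/ls";     chmod 0755 "$tmp/usr/bin/ls"
    unexpected_suid "$tmp"
    rm -rf "$tmp"
}
```

Running `unexpected_suid /` on a live host is the equivalent of the usual `find / -perm -4000` sweep, with the noise of standard binaries removed; the hit that remains on Nukem is the one the write-up's step 4 refers to.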

Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.