April 4, 2025

PayDay Proving Grounds Write-Up

Proving Grounds PayDay machine walkthrough

SUMMARY

This write-up covers the PayDay machine from OffSec’s Proving Grounds, a Linux machine where an e-commerce admin panel was accessed with default credentials and abused for code execution.

Directory fuzzing with ffuf revealed a CS-Cart admin panel. Default credentials granted access to the backend, where the template editor was used to upload a .phtml webshell, achieving remote code execution as www-data. A reverse shell followed.

Privilege escalation was a two-step process. The username was found to match the password for user patrick, allowing a quick pivot. patrick had a sudo ALL rule with no password requirement, providing an immediate root shell.
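
A defender-side check for the sudo finding above, as an added example that is not part of the original write-up: a small Python parser that flags sudoers rules granting ALL commands and records whether NOPASSWD applies. The sample sudoers text and the function names are constructed for illustration; aliases and include directives are not expanded.

```python
import re

# Constructed sample sudoers text (not the PayDay machine's actual file).
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
patrick ALL=(ALL) NOPASSWD: ALL
%admin  ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, \\
        /bin/tar
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app, PASSWD: ALL
"""

def logical_lines(text):
    """Join backslash-continued lines; drop blanks and '#' lines.
    Assumption: '#include' directives are skipped, not followed."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def audit(text):
    """Return (who, 'NOPASSWD'|'PASSWD') for every rule granting ALL commands."""
    findings = []
    for line in logical_lines(text):
        if re.match(r"(Defaults|\w+_Alias)\b", line):
            continue  # settings and alias definitions are not user rules
        m = re.match(r"(\S+)\s+[^=]+=\s*(.*)", line)
        if not m:
            continue
        who, rest = m.groups()
        rest = re.sub(r"\([^)]*\)", "", rest)  # drop (runas) specs
        nopasswd = False  # a tag applies to later commands until overridden
        for cmd in rest.split(","):
            cmd = cmd.strip()
            while (tag := re.match(r"(\w+):\s*", cmd)):
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                cmd = cmd[tag.end():]
            if cmd == "ALL":
                findings.append((who, "NOPASSWD" if nopasswd else "PASSWD"))
    return findings

if __name__ == "__main__":
    for who, mode in audit(SAMPLE_SUDOERS):
        print(f"{who}: ALL commands ({mode})")
```

Rules reported as NOPASSWD are the ones to review first, since any compromise of that account is an immediate root shell.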


PATH TO FOLLOW

  1. Reconnaissance & CS-Cart Admin Panel Discovery via ffuf
  2. Default Credential Login
  3. .phtml Webshell Upload via Template Editor → Shell as www-data
  4. Password Reuse → Pivot to patrick
  5. Sudo ALL Abuse → Shell as Root

Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.