April 8, 2025

Press Proving Grounds Write-Up

Adrian Reategui
Share
Proving Grounds Press machine walkthrough

SUMMARY

This write-up covers the Press machine from Offsec’s Proving Grounds, a Linux machine where a flat-file CMS with default credentials enabled file upload exploitation.

Port 8089 hosted FlatPress CMS, accessible with default credentials (admin:password). The admin panel included a file upload section. A PHP one-liner webshell was uploaded and accessed at the known FlatPress attachment path, confirming command execution as www-data. A BusyBox reverse shell followed.

Privilege escalation was straightforward: sudo -l revealed www-data could run apt-get as any user without a password. The GTFOBins apt-get changelog technique spawned a root shell by dropping into a less-pager shell escape.

PATH TO FOLLOW

  1. Reconnaissance & FlatPress Discovery on Port 8089
  2. Default Credential Login
  3. PHP Webshell Upload & Command Execution
  4. Reverse Shell as www-data
  5. Sudo apt-get changelog Abuse via GTFOBins
  6. Shell as Root

Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions.I know, boring stuff.

Linux FlatPress Default Credentials PHP Upload Sudo apt-get GTFOBins ProvingGrounds

Table of Contents