Quackerjack Proving Grounds Write-Up
SUMMARY
This write-up covers the Quackerjack machine from OffSec’s Proving Grounds, a Linux machine where an rConfig SQL injection chained with a file upload exploit led to initial access.
Port 8081 hosted rConfig 3.9.4, vulnerable to an unauthenticated SQL injection. A public script exploited it to extract the admin user’s hashed password, which was cracked via CrackStation. Using the plaintext password to log in, an authenticated file upload exploit was used to upload a PHP webshell via the vendors.php endpoint. The request was intercepted with Burp Suite to change the file extension and confirm upload. Navigating to the webshell URL confirmed command execution as apache, and a Python reverse shell followed.
Privilege escalation was simple: a SUID find binary was found. The GTFOBins technique for SUID find spawned a root shell.
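A defender-side check for the misconfiguration above, added here as an example and not part of the original write-up: it lists SUID files under a directory and flags any whose name is on a watchlist of tools that can run arbitrary commands. The function name audit_suid and the WATCHLIST contents are assumptions; the list is a constructed, non-exhaustive sample.

```shell
#!/bin/sh
# Added example: audit a directory tree for SUID files that should never
# carry the setuid bit because they can execute arbitrary commands.
# WATCHLIST is a constructed, non-exhaustive sample of such tool names.
WATCHLIST="find vim less more awk gawk env python python3 perl ruby bash sh dash tar nmap"

# audit_suid ROOT
# Prints one line per SUID regular file under ROOT:
#   FLAG <path>  name is on the watchlist (remove the bit: chmod u-s)
#   INFO <path>  SUID but not on the watchlist (compare to a known baseline)
# Returns 1 if anything was flagged, 0 if not, 2 on setup failure.
# Paths containing newlines are not handled.
audit_suid() {
    root=$1
    flagged=0
    tmp=$(mktemp) || return 2
    # -xdev: stay on one filesystem; -perm -4000: setuid bit is set
    find "$root" -xdev -type f -perm -4000 2>/dev/null | sort > "$tmp"
    while IFS= read -r path; do
        name=$(basename "$path")
        case " $WATCHLIST " in
            *" $name "*) echo "FLAG $path"; flagged=1 ;;
            *)           echo "INFO $path" ;;
        esac
    done < "$tmp"
    rm -f "$tmp"
    return "$flagged"
}

# Run directly with a directory argument, e.g.: sh audit_suid.sh /usr
if [ "$#" -gt 0 ]; then
    audit_suid "$1"
fi
```

A non-zero exit status makes the script usable in a scheduled job or configuration-management check that alerts when a flagged binary appears.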
PATH TO FOLLOW
- Reconnaissance & rConfig 3.9.4 Discovery on Port 8081
- Unauthenticated SQLi → Admin Hash Extraction & Crack
- Admin Login → PHP Upload via Burp Suite Intercept
- Webshell Access → Reverse Shell as apache
- SUID find Discovery & GTFOBins Abuse → Shell as Root
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.