April 11, 2025

Roquefort Proving Grounds Write-Up

Proving Grounds Roquefort machine walkthrough

SUMMARY

This write-up covers the Roquefort machine from OffSec’s Proving Grounds, a Linux machine where a Gitea exploit required creative port-based delivery to succeed.

Port 3000 hosted Gitea 1.7.5, vulnerable to RCE via malicious git hooks. After registering on the Gitea instance, the exploit script was configured to download and execute a reverse shell binary from the attacker machine. A Linux binary created with msfvenom was shared via a Python HTTP server on port 21 (one of the ports reachable from the victim). The binary’s callback port was set to port 2222 (also reachable). Once the exploit ran, a reverse shell was received as chloe.

Privilege escalation was achieved via PATH hijacking. A root cronjob executed run-parts without an absolute path. LinPEAS identified that /usr/local/bin was writable. A malicious run-parts script was placed there, and the cronjob executed it as root after the next 5-minute interval.
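The escalation above depends on two auditable conditions: a cron entry that names its command without an absolute path, and a directory in the cron PATH that an unprivileged user can write to. The following audit helper is an added example, not code from the write-up or from OffSec; it runs two checks over a constructed crontab sample that mirrors the scenario and assumes only a POSIX sh with awk.

```shell
#!/bin/sh
# Added example (not from the write-up): flag cron entries with relative
# command names and PATH directories writable by the current user.

# Constructed sample crontab text mirroring the write-up's scenario.
SAMPLE_CRONTAB='PATH=/usr/local/bin:/usr/bin:/bin
# m h dom mon dow command
*/5 * * * * run-parts /etc/cron.custom
0 3 * * * /usr/bin/apt-get update
@reboot service-start'

# Print crontab entries (read from stdin) whose command is not an absolute
# path. Skips comments, blank lines and VAR=value assignments; handles
# @reboot-style entries, where the command is the second field, not the sixth.
relative_cron_commands() {
  awk '
    /^[[:space:]]*(#|$)/ { next }
    /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ { next }
    {
      cmd = ($1 ~ /^@/) ? $2 : $6
      if (substr(cmd, 1, 1) != "/") print
    }'
}

# Print the entries of a colon-separated PATH that the caller can write to.
# A relative cron command plus a writable PATH entry ahead of the real
# binary is exactly the condition that let a planted run-parts run as root.
writable_path_dirs() {
  echo "$1" | tr ':' '\n' | while IFS= read -r dir; do
    if [ -n "$dir" ] && [ -w "$dir" ]; then echo "$dir"; fi
  done
}

# Convenience wrapper: number of relative-command entries in the sample.
count_relative_cron_commands() {
  printf '%s\n' "$SAMPLE_CRONTAB" | relative_cron_commands | wc -l | tr -d ' '
}
```

On a live host, feed the output of the system crontab and /etc/cron.d files into relative_cron_commands and the PATH line from those files into writable_path_dirs; any hit on both is a misconfiguration worth fixing before it becomes a finding.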


PATH TO FOLLOW

  1. Reconnaissance & Gitea 1.7.5 Discovery
  2. Git Hooks RCE Script Configuration (FTP Port 21 Delivery, Port 2222 Callback)
  3. msfvenom Linux Binary Creation & Delivery → Shell as chloe
  4. Cronjob Discovery → run-parts Relative Binary Identification
  5. Writable /usr/local/bin → Malicious run-parts Placement → Shell as Root

Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.