Twiggy Proving Grounds Write-Up
SUMMARY
This write-up covers the Twiggy machine from OffSec’s Proving Grounds, a Linux machine where the HTTP services act as distractions while the real entry point lies on non-standard ports.
Initial HTTP enumeration on port 80 yielded only rabbit holes and no actionable LFI. Attention shifted to ports 4505 and 4506, which nmap identified as ZeroMQ services. Searching for exploits revealed that SaltStack 3000.1, which exposes these ports, is vulnerable to an unauthenticated remote code execution exploit. Sending a ping command and watching for the resulting ICMP echo requests with tcpdump validated command execution.
Direct payload execution failed due to character filtering, but encoding the reverse shell payload in Base64 bypassed this restriction. The exploit returned a shell as root directly: no privilege escalation was required.
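From the defender's side, the two tells in this chain (an out-of-character ICMP echo request leaving a server, and a Base64 blob being decoded straight into a shell interpreter) are both cheap to spot. The following Python detector is an added example, not part of the write-up or of any tool it mentions: it scans process-audit lines for a decode-to-shell pipeline and decodes the embedded Base64 so an analyst sees what was actually run. The sample lines, the `cmd=`/`pid=` field layout and the IP 192.0.2.10 are all constructed for the example.

```python
import base64
import re
from typing import Dict, List, Optional


def _b64(text: str) -> str:
    """Encode plaintext so the sample blobs below are valid by construction."""
    return base64.b64encode(text.encode()).decode()


# Constructed process-audit lines, in the shape an auditd/EDR export might render them.
# 192.0.2.10 is a documentation-range placeholder, not an address from the write-up.
SAMPLE_LINES = [
    'pid=1201 user=www-data cmd="ls -la /var/www/html"',
    f'pid=1340 user=root cmd="echo {_b64("ping -c 3 192.0.2.10")} | base64 -d | bash"',
    f'pid=1342 user=root cmd="sh -c \'echo {_b64("id; uname -a")} | base64 --decode | sh\'"',
    'pid=1400 user=root cmd="base64 -d /tmp/backup.b64 > /tmp/backup.tar"',
]

# A base64 decode whose output is piped directly into a shell interpreter.
DECODE_TO_SHELL = re.compile(r"base64\s+(?:-d|--decode)\b[^|]*\|\s*(?:ba|z|da)?sh\b")
# Candidate base64 tokens: long enough that ordinary flags and short paths do not match.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
CMD_FIELD = re.compile(r'cmd="(.*)"$')
PID_FIELD = re.compile(r"pid=(\d+)")


def decode_blob(blob: str) -> Optional[str]:
    """Return the decoded text if the token is valid base64 and printable, else None."""
    try:
        raw = base64.b64decode(blob, validate=True)  # binascii.Error is a ValueError
    except ValueError:
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.strip().isprintable() else None


def analyze_line(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for a decode-to-shell command line, or None if it looks benign."""
    field = CMD_FIELD.search(line)
    if not field:
        return None
    cmd = field.group(1)
    # Decoding to a file (line 4 of the samples) is not flagged; only a pipe into a shell is.
    if not DECODE_TO_SHELL.search(cmd):
        return None
    decoded = [d for d in (decode_blob(t) for t in B64_TOKEN.findall(cmd)) if d]
    pid = PID_FIELD.search(line)
    return {
        "pid": int(pid.group(1)) if pid else None,
        "command": cmd,
        "decoded_payloads": decoded,
        "reason": "base64 decode piped into a shell interpreter",
    }


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run the detector over a batch of audit lines and keep only the findings."""
    return [finding for finding in map(analyze_line, lines) if finding]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(f"pid={finding['pid']} {finding['reason']}: {finding['decoded_payloads']}")
```

The decode step matters more than the match itself: a decoded `ping` against an address the server has no business reaching is exactly the command-execution probe described above, and surfacing it in plain text lets a triage rule on the destination address (or a simple outbound-ICMP alert from the host) close the loop.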
PATH TO FOLLOW
- Reconnaissance & Port Scanning
- HTTP Rabbit Hole Enumeration (Port 80)
- SaltStack RCE Exploit Discovery on Ports 4505/4506
- Command Execution Validation via ICMP Ping
- Base64-Encoded Reverse Shell Payload
- Shell as Root
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.