Vmdak Proving Grounds Write-Up
SUMMARY
This write-up covers the Vmdak machine from OffSec’s Proving Grounds, a Linux machine involving a multi-stage exploit chain from a web application through an internal Jenkins instance.
Port 80 hosted a Prison Management System vulnerable to an SQL authentication bypass (CVE-2024-33288). After logging in, a file upload RCE vulnerability (CVE-2024-48594) was leveraged to upload a webshell and obtain a reverse shell as a low-privileged user.
Internal enumeration revealed a Jenkins instance listening only on localhost. An SSH local port-forward exposed the Jenkins UI externally. CVE-2024-23897, a Jenkins arbitrary file read vulnerability, was exploited to recover the admin password from a local credentials file. Logging into Jenkins and using the Groovy script console to execute a system command delivered a shell as root.
PATH TO FOLLOW
- Reconnaissance & Prison Management System Discovery
- SQL Authentication Bypass (CVE-2024-33288) & File Upload RCE (CVE-2024-48594)
- Reverse Shell as Low-Privileged User
- Internal Jenkins Discovery & SSH Local Port-Forward
- Jenkins Arbitrary File Read (CVE-2024-23897) → Admin Password Recovery
- Groovy Script Console RCE → Shell as Root
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.