Walla Proving Grounds Write-Up
SUMMARY
This write-up covers the Walla machine from Offsec’s Proving Grounds, a Linux machine where a wireless management panel’s default credentials enabled initial access.
Several ports were open, including multiple SSH instances and a restricted HTTP service on port 8091. Nmap identified a RaspAP instance; directory fuzzing confirmed it and revealed the version via a package.json file. Default credentials (admin:secret) granted access to the panel, which included a console interface for executing commands. A reverse shell was sent to the attacker machine.
Privilege escalation came from a sudo rule allowing www-data to run a specific script located in walter’s home directory. Listing permissions on that directory revealed www-data was the owner, giving full write access. The original script was renamed and replaced with a reverse shell payload. Running the script via sudo delivered a shell as root.
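The root cause described above can be audited for from the defender's side. This is an added example, not part of the original write-up: it walks every absolute path named in a sudoers rule and flags the file or any ancestor directory that a non-root account owns or can write to. The sudoers text is constructed, the script name is a placeholder, and the function names are hypothetical.

```python
import os
import stat
import sys

# Constructed sudoers text. The script name is a placeholder, not the real one.
SAMPLE_SUDOERS = """\
Defaults env_reset
www-data ALL=(ALL) NOPASSWD: /home/walter/PLACEHOLDER_SCRIPT.py
backup ALL=(root) NOPASSWD: /usr/local/sbin/rotate.sh, /usr/bin/systemctl restart nginx
"""

def sudo_paths(text):
    """Yield (user, path) for each absolute path named in a sudoers rule."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")) or "=" not in line:
            continue
        who, _, spec = line.partition("=")
        for token in spec.replace(",", " ").split():
            # Skips "(runas)", tags such as NOPASSWD:, and non-path arguments.
            if token.startswith("/"):
                yield who.split()[0], token

def weak_links(path, stat_fn=os.stat, trusted_uids=frozenset({0})):
    """Check the file and every ancestor directory; return [(component, reason)]."""
    findings, cur = [], os.path.normpath(path)
    while True:
        try:
            st = stat_fn(cur)
            if st.st_uid not in trusted_uids:
                findings.append((cur, f"owned by uid {st.st_uid}"))
            elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((cur, "group- or world-writable"))
        except OSError:
            pass  # component does not exist here; its parents still matter
        parent = os.path.dirname(cur)
        if parent == cur:
            return findings
        cur = parent

def audit(text, stat_fn=os.stat):
    """Map (user, path) -> findings for every rule path with a weak component."""
    report = {}
    for user, path in sudo_paths(text):
        found = weak_links(path, stat_fn)
        if found:
            report[(user, path)] = found
    return report

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SUDOERS
    for (user, path), found in audit(src).items():
        print(f"{user}: {path} -> {found}")
```

A root-owned script is still flagged when its parent directory is not root-owned, because the directory owner can rename the file and put another in its place.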
PATH TO FOLLOW
- Reconnaissance & RaspAP Version Discovery via Directory Fuzzing
- Default Credential Login → Console Command Execution
- Reverse Shell as www-data
- Sudo Script Identification & Directory Ownership Discovery
- Script Replacement with Reverse Shell → Shell as Root
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.