April 21, 2025

XposedAPI Proving Grounds Write-Up

Proving Grounds XposedAPI machine walkthrough

SUMMARY

This write-up covers the XposedAPI machine from OffSec's Proving Grounds, a Linux machine centered entirely around exploiting a documented REST API.

Port 13337 hosted a Gunicorn-based REST API that listed its own endpoints. A GET request to /logs was blocked by a WAF. Adding the X-Forwarded-For: 127.0.0.1 header bypassed the restriction. The /logs?file= parameter was used as an LFI to read /etc/passwd, revealing a valid username (clumsyadmin). The /update POST endpoint accepted a URL to download an update binary. A reverse shell binary created with msfvenom was hosted via a Python HTTP server and passed as the update URL; the API fetched and staged it. A POST request to the /restart endpoint (the GET version had no effect) executed the binary, delivering a shell as clumsyadmin.
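Both server-side weaknesses in that paragraph, trusting a client-supplied X-Forwarded-For header and handing the ?file= value straight to the filesystem, are cheap to close. The block below is an added example written for this write-up, not code from the machine, from OffSec, or from the original post. It assumes a hypothetical trusted reverse proxy at 10.0.0.5 and a hypothetical log directory /var/log/xposedapi; the handler only honours X-Forwarded-For when the TCP peer is that proxy, and it confines the requested file to the log directory after path normalisation.

```python
import ipaddress
import posixpath
from pathlib import PurePosixPath

# Constructed values for this example: the only reverse proxy allowed to set
# X-Forwarded-For, and the directory the /logs endpoint may read from.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
LOG_ROOT = PurePosixPath("/var/log/xposedapi")


def client_ip(peer_addr, headers):
    """Return the real client address.

    X-Forwarded-For is honoured only when the TCP peer is one of our own
    proxies; any other peer can write whatever it likes into that header,
    which is exactly the bypass the write-up describes.
    """
    peer = ipaddress.ip_address(peer_addr)
    if peer not in TRUSTED_PROXIES:
        return peer
    lowered = {k.lower(): v for k, v in headers.items()}
    xff = lowered.get("x-forwarded-for", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return peer
    # The rightmost entry is the one our trusted proxy appended; everything to
    # its left was supplied by the client and is untrusted.
    return ipaddress.ip_address(hops[-1])


def resolve_log_path(name, root=LOG_ROOT):
    """Map the ?file= value to a path inside LOG_ROOT, or None if it escapes."""
    if not name:
        return None
    # PurePosixPath does the lexical join (an absolute name replaces root);
    # normpath then collapses any '..' segments before the check below.
    candidate = PurePosixPath(posixpath.normpath(str(root / name)))
    # After normalisation the file must sit directly inside the log directory.
    if candidate.parent != root or candidate == root:
        return None
    return candidate


def handle_logs(peer_addr, headers, file_param):
    """Decision logic for GET /logs?file=...; returns (status, detail)."""
    if not client_ip(peer_addr, headers).is_loopback:
        return 403, "forbidden"
    path = resolve_log_path(file_param)
    if path is None:
        return 400, "bad file parameter"
    # A real handler would open `path` here; the example only returns it.
    return 200, str(path)


if __name__ == "__main__":
    # Constructed requests: a spoofed header from an external peer, a spoofed
    # header passing through the trusted proxy, and a legitimate local call.
    print(handle_logs("203.0.113.7", {"X-Forwarded-For": "127.0.0.1"}, "access.log"))
    print(handle_logs("10.0.0.5", {"X-Forwarded-For": "127.0.0.1, 203.0.113.7"}, "access.log"))
    print(handle_logs("127.0.0.1", {}, "access.log"))
```

The design point is that the address check and the path check are independent: even a caller that really is local gets a 400 for a traversal attempt, so the loopback restriction never has to carry the whole weight on its own.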

Privilege escalation was found through SUID enumeration: wget had the SUID bit set. The GTFOBins technique for SUID wget was used to read the root SSH key and log in as root.


PATH TO FOLLOW

  1. Reconnaissance & API Endpoint Discovery on Port 13337
  2. WAF Bypass via X-Forwarded-For Header → LFI Username Leak
  3. msfvenom Binary Creation & API Update Download Trigger
  4. POST /restart → Shell as clumsyadmin
  5. SUID wget Discovery & GTFOBins Abuse → Shell as Root

Due to OffSec's policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.