DVR4 Proving Grounds Write-Up
SUMMARY
This write-up covers the DVR4 machine from Offsec’s Proving Grounds, a Windows machine combining a surveillance DVR service with an unusual SSH server for initial access.
Port 8080 hosted Argus Surveillance DVR 4.0. A searchsploit query returned a known Local File Inclusion exploit for this version. Browsing the DVR user management panel identified a user named viewer. Since SSH was exposed on port 22, the LFI was leveraged to read the SSH private key at C:\Users\viewer\.ssh\id_rsa — treating the Windows path the same as a Linux system. The key was saved, permissions set with chmod, and SSH access obtained as viewer.
Standard post-exploitation enumeration yielded nothing. However, a second searchsploit result for the DVR service identified an exploit that decrypts stored passwords from the DVR configuration file. Reading the config revealed a hashed password, and running the exploit returned a near-complete plaintext password — missing only the last character. Password guessing with netexec confirmed the full credential, and psexec was used to log in as Administrator.
PATH TO FOLLOW
- Reconnaissance & Argus Surveillance DVR Discovery on Port 8080
- LFI Exploitation & SSH Key Extraction from Windows User Profile
- SSH Access as
viewer - DVR Configuration Hash Decryption Exploit
- Password Guessing Last Character via
netexec - Shell as Administrator via psexec
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions.I know, boring stuff.