Medjed Proving Grounds Write-Up
SUMMARY
This write-up covers the Medjed machine from OffSec’s Proving Grounds, a Windows machine where a file server application exposed the whole filesystem over HTTP, which provided both the foothold and the privilege escalation path.
Port 8000 ran BarracudaDrive. Creating an admin account and accessing the Web-File-Server module revealed an fs directory with read/write access to the full C: drive. Navigating to the XAMPP htdocs directory and uploading a PHP webshell, then identifying which web port served that directory (port 45443), allowed command execution as user jerren. nc.exe was uploaded and executed to obtain a reverse shell.
Privilege escalation required enumerating running services and identifying the BarracudaDrive service (bd.exe) as a SYSTEM-owned process with automatic startup. icacls confirmed the binary was writable by the current user, and whoami /priv revealed SeShutdownPrivilege. A low-privilege user normally cannot restart a service it does not control, so the reboot permitted by SeShutdownPrivilege is what makes the auto-start service load the replaced binary as SYSTEM. A msfvenom payload replaced bd.exe, the machine was rebooted, and a shell as NT AUTHORITY\SYSTEM was received.
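The privilege-escalation check above (auto-start service, runs as SYSTEM, binary writable by the current user, token holds SeShutdownPrivilege) can be done in one pass from the low-privilege shell. The script below is an added example written for this page, not code from the original write-up or from any tool used on the box; service and binary names are whatever the host reports, and it assumes PowerShell 5.1 or later on Windows.

```powershell
# Added example (not from the original write-up): find services that start
# automatically as LocalSystem whose binary the current user can write to,
# and report whether the current token carries SeShutdownPrivilege.

function Get-BinaryPathFromCommand {
    param([string]$PathName)
    # Service PathName may be quoted and may carry arguments; keep only the executable.
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Test-CurrentUserCanWrite {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $acl  = Get-Acl -LiteralPath $Path
    $write = [int][System.Security.AccessControl.FileSystemRights]::Write
    $allowed = $false
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $write) -eq 0) { continue }
        # A matching Deny ACE wins over any Allow ACE.
        if ($ace.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

function Find-WritableAutoStartSystemServices {
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.StartName -eq 'LocalSystem' } |
        ForEach-Object {
            $bin = Get-BinaryPathFromCommand $_.PathName
            if ($bin -and (Test-CurrentUserCanWrite $bin)) {
                [pscustomobject]@{ Service = $_.Name; State = $_.State; Binary = $bin }
            }
        }
}

function Test-HasShutdownPrivilege {
    # whoami /priv lists every privilege on the token, enabled or disabled;
    # a disabled privilege is still usable because shutdown.exe enables it itself.
    return [bool]((whoami /priv) | Select-String -Pattern '^SeShutdownPrivilege\s' -Quiet)
}

Find-WritableAutoStartSystemServices | Format-Table -AutoSize
"SeShutdownPrivilege present: $(Test-HasShutdownPrivilege)"
```

The State column matters: Windows refuses to overwrite an executable whose image is currently loaded (a sharing violation), so a service that is Running has to be dealt with differently from one that is Stopped before a reboot (shutdown /r /t 0) makes it start the replaced binary. From a defensive angle the same query is the fix: any Auto/LocalSystem service whose binary is writable by non-administrators is a SYSTEM escalation waiting for a reboot, and tightening the file ACL removes it.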
PATH TO FOLLOW
- Reconnaissance & BarracudaDrive Discovery on Port 8000
- Admin Account Creation & Web-File-Server Access
- PHP Webshell Upload to XAMPP Webroot
- Reverse Shell as jerren
- BarracudaDrive Service Binary Writable & SeShutdownPrivilege Identification
- Service Binary Replacement with msfvenom Payload
- Machine Reboot & Shell as NT AUTHORITY\SYSTEM
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.