A walkthrough of the Assertion101 Proving Grounds intermediate machine. Starting with Nmap reconnaissance, the author discovers a PHP assert() injection vulnerability via a page URL parameter, bypassing path traversal filters to achieve remote code execution. A reverse shell is obtained, then privilege escalation is performed by abusing an aria2c SUID binary to overwrite /root/.ssh/authorized_keys with a custom public key, granting root SSH access. Key lessons cover PHP assert() dangers, SUID binary auditing, and the limits of input filtering.
Sort: