A detailed walkthrough of the Ha-Natraj machine on OffSec Proving Grounds Play. The attack chain starts with discovering a PHP file inclusion vulnerability in file.php, then poisoning /var/log/auth.log by injecting a PHP payload through the SSH username to achieve RCE as www-data. Lateral movement exploits a writable apache2.conf combined with passwordless sudo on systemctl to respawn Apache workers as the mahakal user. The final privilege escalation uses passwordless sudo on nmap with a custom NSE Lua script to gain root. Each vulnerability is documented with root cause analysis and concrete mitigations.