A walkthrough of the SAR machine on OffSec Proving Grounds Play, demonstrating a two-step compromise chain. Initial access is gained via CVE-2019-12454, an unauthenticated OS command injection in sar2html v3.2.1 through the unsanitized `plot` GET parameter, yielding a shell as www-data. Privilege escalation exploits a root-owned cron job that executes a script inside a web-writable directory — deleting and replacing the script with a reverse shell payload delivers a root shell within five minutes. The writeup also checks Baron Samedit, Dirty Sock, PwnKit, and Dirty Pipe as alternative escalation paths, noting that Ubuntu backported patches for some without changing version strings. Mitigation guidance covers input sanitization, cron job hardening, removing phpinfo.php, system updates, and egress filtering.

13m read time. From infosecwriteups.com
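
The cron weakness summarized above comes down to a root job whose script lives in a directory another account can write, so the file can be deleted and recreated regardless of who owns it. As an added example (not code from the original writeup), this Python audit walks every path component referenced by root entries in a system crontab; the function names, the trusted-uid set and the constructed temp layout are assumptions.

```python
import os, re, stat, tempfile

TRUSTED_UIDS = frozenset({0})  # assumption: only root may control root's jobs
CRON_LINE = re.compile(r"^\s*(?:@\w+|(?:\S+\s+){4}\S+)\s+(\S+)\s+(.+)$")
ABS_PATH = re.compile(r"(?<![\w.])/[^\s;&|<>'\"]+")

def untrusted_writers(path, trusted_uids=TRUSTED_UIDS):
    """List each component from the target up to / that a non-trusted account
    could modify; a writable parent lets a root-owned file be replaced."""
    findings, current = [], os.path.realpath(path)
    while True:
        if os.path.lexists(current):
            st = os.lstat(current)
            # In a sticky directory (e.g. /tmp) users cannot replace others' files.
            sticky = stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_ISVTX)
            if st.st_uid not in trusted_uids:
                findings.append((current, f"owned by uid {st.st_uid}"))
            if st.st_mode & stat.S_IWOTH and not sticky:
                findings.append((current, "world-writable"))
            elif st.st_mode & stat.S_IWGRP and not sticky:
                findings.append((current, f"group-writable (gid {st.st_gid})"))
        parent = os.path.dirname(current)
        if parent == current:
            return findings
        current = parent

def audit_crontab(text, trusted_uids=TRUSTED_UIDS):
    """Check absolute paths in root entries of a system crontab (user field present)."""
    report = {}
    for line in text.splitlines():
        m = CRON_LINE.match(line)
        if line.lstrip().startswith("#") or not m or m.group(1) != "root":
            continue
        for token in ABS_PATH.findall(m.group(2)):
            hits = untrusted_writers(token, trusted_uids)
            if hits:
                report[token] = hits
    return report

def demo(dir_mode):
    """Constructed layout: job.sh inside a directory created with dir_mode."""
    webdir = os.path.join(os.path.realpath(tempfile.mkdtemp()), "webroot")
    os.mkdir(webdir)
    os.chmod(webdir, dir_mode)
    script = os.path.join(webdir, "job.sh")
    open(script, "w").close()
    os.chmod(script, 0o755)
    cron = f"# constructed entry\n*/5 * * * * root {script}\n"
    # The current uid stands in for root so the demo runs unprivileged.
    return webdir, audit_crontab(cron, {0, os.getuid()})
```

On a real host, pass the contents of `/etc/crontab` or a file under `/etc/cron.d/` to `audit_crontab` and keep the default trusted set; relative paths reached through a `cd` in the command are covered only through the directory named in the `cd`.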