PG — InfoSecPrep— Walkthrough (Offensive Security Proving Grounds Play Boxes)


This article aims to walk you through box, produced by and hosted on . Anyone who has access to Vulnhub and Offensive Security’s Proving Grounds Play or Practice can try to pwn this Linux box, this is a kind of boot2root, easy and fun box. Hope you enjoy reading the walkthrough!


As we are already provided with IP address of the box, we will scan it via .


We are going to scan the IP for 1000 default ports by typing the following command on our terminal.

nmap 192.168.x.x

After waiting for a while, we have got our results as shown below:

Nmap Port Scanning

To gather further information on ports found by nmap, we will add some more arguments specifying open ports. -sV will scan to show service versions of applications on open ports, and -sC will run default scripts on services in order to check whether there is a vulnerability.

nmap -p 22,80 192.168.x.x -sV -sC

In a short while, we have got our results and more details regarding open ports. And we decide to start enumeration on port 80 since port 22 is not a logical starting point because it does not provide us with a broad attack surface as an http server does. Moreover, we already see a page named secret.txt, which shows where we should start first.

Nmap Specified Port Scanning


We open our browser and type IP address of the box.

Enumerating HTTP Server

We see that it is a , before enumerating further, we check /secret.txt file as we saw it in the first place on scan.

Enumerating /secret.txt Page

We come accross an encoded string. The string ends with two equal signs which indicates that it is encoded in .

Base64 Encoded String

We will the link to get string on our terminal.

curl http://192.168.x.x/secret.txt

Curling the Link to Get Baase64 String

Now, we will curl the link again, but we will it through base64 command and use -d argument in order to decode the string.

curl | base64 -d

Curling the Link and Piping it to Decode

Now, we see that it is an private key, which is probably our way to get a low shell on the machine.

We will enumerate the page further in order to get possible users on the box. We see that there is a note written on the homepage that says the only user on the box is .

Enumerating Further


We will copy SSH private key we decoded into a file, and we will try to log in on the box as oscp user after chmoding the private key.

Chmoding SSH Key

Now we are ready to build a connection to the box with the following command.

ssh -i private.key oscp@192.168.x.x

SSH Connection to the Box

We successfuly connect to the box, now we will get our low shell hash.

Getting Low Shell Hash

Privilege Escalation

After checking common vulnerabilities or misconfigurations, we find that /bin/bash is a very important binary, which gives us the opportunity to escalate our privilege on the box.

find / -perm -u=s -type f 2>/dev/null

Privilege Escalation Enumeration

For SUID binaries, we generally check since it provides a plethora of privilege escalation commands for SUID binaries found on the target systems.

And we see that we are able to escalate our privilege on the machine just providing -p argument following /bin/bash.

GTFOBins Privilege Escalation

So, we execute the command as follows:

/bin/bash -p

Executing the Command

And our and now have root privileges.


So, we get our root hash.

Getting Root Hash

Now we have full authority on the box. Enjoy!




Cybersecurity Enthusiast

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store