Mr.KaaLi's JARV!$

OSCP Prep Box 71 – DVR4 – Proving Grounds Practice

Posted on July 4, 2026

Hi everyone

Today we are going to look at a box called DVR4, which is rated intermediate in difficulty. This machine has several phases: Recon, Enumeration, Exploitation and Privilege Escalation.

Difficulty – Intermediate

Operating System – Windows

Focus Areas

  • FTP Enumeration
  • Credential Discovery
  • Web Shell Upload
  • Windows Enumeration
  • Juicy Potato Exploitation
  • Privilege Escalation

In this writeup, I exploit a Directory Traversal vulnerability in Argus Surveillance DVR 4.0 to disclose sensitive files, including SSH private keys and configuration files. I recover the Administrator password by decoding an obfuscated value using a substitution cipher, then leverage the recovered credentials with the Windows runas utility to execute a reverse shell as the Administrator user, ultimately achieving privilege escalation.

Table of Contents
  • Recon & Enumeration
  • Exploitation
  • Privilege Escalation
  • Key Takeaways

Recon & Enumeration

Enumeration plays a very significant role in pen testing. The more thoroughly you enumerate, the easier it will be to get a foothold on the target.

First, we will check whether the target is reachable with the ping command:

ping Target_IP

The ping output shows that the target is reachable.

Now let's move ahead and run a port scan. For this we will use Nmap, a popular port-scanning tool, which reports the ports that are in the open state. The commands are:

nmap -sC -sV -O -oA nmap/initial 192.168.181.179

nmap -sC -sV -O -p- -oA nmap/full -T4 192.168.181.179

nmap -sU -O -oA nmap/udp 192.168.181.179 -T4

I discovered that these ports are open:

  • 22/tcp SSH service running Bitvise WinSSHD 9.6 (FlowSsh 9.6; SSH protocol 2.0)
  • 135/tcp Microsoft RPC (MSRPC) service
  • 139/tcp NetBIOS Session Service (SMB)
  • 445/tcp Microsoft Directory Services (SMB)
  • 5040/tcp Unknown service exposed
  • 8080/tcp HTTP service running Argus Surveillance DVR (Actual Drawing 6.0)
  • OS: Microsoft Windows (likely Windows Server 2008 R2 / Windows Server 2012 / Windows 7 / Windows 8.1 family)

Then I opened the IP in the web browser on port 8080 and found Argus Surveillance running:

Checking the About page, I found the DVR version, which was 4.0:

Also, on the Users tab I could see two users, viewer and Administrator, along with options to change the passwords for these users and create a new user:

Exploitation

I searched for exploits for Argus and found a directory traversal.

The application is vulnerable to Directory Traversal:

Since attempting to retrieve the Administrator user’s private SSH key was unsuccessful, replace %2FWindows%2Fsystem.ini with %2FUsers%2FViewer%2F.ssh%2Fid_rsa and attempt to disclose the private SSH key of the Viewer user:

Create a file with the private key and try to log in:

I found the local.txt flag

Privilege Escalation

Now it was time to escalate privileges.

A quick Google search tells me the config file location:

I discovered the hash for Administrator and tried to identify its type with a hash identifier, but had no luck:

Another search shows a weak password encryption exploit, to which we have to supply the discovered hash:

I found the password, but the last character was a puzzle:

I used the following CVE to find the last missing character:

It was discovered that the character was the $ symbol:

Using runas with the recently discovered potential Administrator credentials, we attempt to execute a Netcat reverse shell as the Administrator user to elevate our privileges.

I transferred Netcat to the target machine using PowerShell, as certutil was not working:

I tried impersonating Administrator with the command and we got Admin access:

The above image shows the proof.txt file.

Key Takeaways

  • Directory Traversal isn't just about reading files; it can expose credentials, keys, and configuration files that lead to complete system compromise.
  • Always inspect exposed configuration files carefully; they often reveal encoded passwords, installation paths, or other secrets that are easy to overlook.
  • Encoded credentials are not encrypted credentials; identify the encoding or obfuscation method before assuming the password is secure.
  • Valid credentials become far more valuable when combined with built-in Windows utilities like runas, allowing privilege escalation without exploiting memory corruption.
  • Successful privilege escalation often comes from chaining multiple low-severity weaknesses together rather than relying on a single critical vulnerability.
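
On the defensive side of the first takeaway, the requests described above leave a clear trace in web access logs. The following is an added example, not part of the original writeup: it percent-decodes query parameters (including double-encoded values) and flags ".." path segments, raising severity when a key or .ini file was actually served. The log lines are constructed, and the /view.cgi endpoint and "page" parameter are hypothetical.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines; the /view.cgi endpoint and "page" parameter are hypothetical.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Jul/2026:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [04/Jul/2026:10:00:07 +0000] "GET /view.cgi?page=..%2F..%2F..%2FWindows%2Fsystem.ini HTTP/1.1" 200 219',
    '10.0.0.9 - - [04/Jul/2026:10:00:31 +0000] "GET /view.cgi?page=..%2F..%2F..%2FUsers%2FViewer%2F.ssh%2Fid_rsa HTTP/1.1" 200 2610',
    '10.0.0.7 - - [04/Jul/2026:10:01:02 +0000] "GET /view.cgi?page=%252e%252e%252fWindows%252fwin.ini HTTP/1.1" 404 0',
    '10.0.0.5 - - [04/Jul/2026:10:01:10 +0000] "GET /help.cgi?page=docs%2Fabout.html HTTP/1.1" 200 800',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')      # a ".." path segment
SENSITIVE_RE = re.compile(r'\.ssh[\\/]|id_rsa|\.ini$', re.I)  # SSH keys and config files

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return one finding per query parameter that contains a traversal segment."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        # parse_qsl decodes once; fully_decode handles any further encoding layers.
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            path = fully_decode(value)
            if not TRAVERSAL_RE.search(path):
                continue
            if status == 200:  # the server answered, so the file was likely disclosed
                severity = "high" if SENSITIVE_RE.search(path) else "medium"
            else:
                severity = "attempt"
            findings.append({"client": client, "param": name, "path": path,
                             "status": status, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['client']:10} {f['param']}={f['path']} -> {f['status']}")
```

A "high" finding means a traversal request for a key or configuration file returned 200, so any credentials in that file should be treated as exposed and rotated.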
